Managing SOAR Platform roles
A role is a specific set of permissions, which you can assign to users and groups. You use the Roles tab to define and manage roles.
You can assign multiple roles to a user, which gives the user a superset of all the permissions in the roles.
The SOAR Platform provides predefined roles, which you can use, modify or remove. See SOAR predefined roles for details.
Global and workspace roles
You can configure two separate types of roles in the SOAR Platform.
- Global roles
- A set of permissions that apply across the organization.
- Workspace roles
- A set of permissions for specific workspaces only. For more information about workspaces, see SOAR platform workspaces.
SOAR permissions and categories
Some features depend on other features; therefore, those permissions are combined. For example, setting the Ability to view and modify permission enables full permissions for the various administration and customization features that are listed after that permission.
- Administration and Customization Permissions
- These permissions apply only to global roles. Users who do not have any of these permissions do not see the Administrator Settings or Customization Settings menu items. Except for the following, these permissions represent tabs accessible from the Administrator Settings or Customization Settings menu items.
- Incident Permissions
-
These permissions apply to both global and workspace roles. They determine how users interact with the various incident functions in all incidents. You can grant these permissions to a role where the user needs to access or manage those incidents where the user is not necessarily the incident owner or a member. By default, users not assigned a role can be assigned incidents, and manage those incidents when a member or owner of the incident.
- Artifacts Permissions
- These permissions apply only to global roles. The View the global list of Artifacts permission determines whether users can view the list of artifacts, which is a list of all artifacts across all incidents in the organization. The Manage Artifacts permission controls if users with this permission can create and edit any artifacts in the organization.
- Simulation Permissions
- This permission applies only to global roles. It determines whether users can create simulations. It can work with or independently from the incident permissions. Users with this permission can create simulations in the default workspace. Users can also select a different workspace if they have Create Incidents permissions for that workspace and if the workspace field is added to the new incident layout. Users without this permission do not see the Create > Simulation menu. If a role has Create Simulations but not Create Incident permissions, if they click Create from the menu, they see the Create Simulation screen. If the user has Create Incident and Create Simulations permission, they can choose whether to create a new incident or simulation by clicking Create on the main menu. Only users with the Delete Incidents permission can delete simulations.
- Task Permissions
- These permissions apply to both global and workspace roles. They provide users with the ability to edit task names, phases, and instructions.
- Inbox Permissions
-
These permissions apply only to global roles. They determine whether users can access the Mail Inbox and emails in the inbox. Grant these permissions to a role where users need to view and triage emails from inbound email connections. Users without these permissions do not see the Inbox or the emails in the Inbox. Check the Access Inbox permission to grant permissions to a role to enable user to view the contents of the email inbox. Check the Download emails and Delete emails options to grant permissions to roles to download email content and delete emails from the Mail Inbox.Note: The ability to download emails directly from the Email tab on an incident is controlled by the incident permission, Download Emails.
SOAR predefined roles
Some roles, such as administrator and master administrator, are predefined, but you can edit or remove them.
You can customize the predefined roles to fit your needs. To view the permissions of any particular role, click the name of the role in the Roles tab. Each checked permission is enabled for the role. See SOAR permissions and categories for a description of the permissions.
- Make sure you have a designated superuser role, which can manage user accounts.
- If your SOAR Platform is integrated with a security program, such as BigFix or QRadar, which requires a master administrator account, make sure to create a role to be used by these programs. Some apps require the Create and View Incident permissions, while others might also require the Ability to view and modify (needed to create rules).
Creating new roles
You can create both global and workspace roles from the Roles tab.
About this task
To create a new role.
Procedure
Results
After you created a role, you can assign it to users and groups in the respective Users and Groups tabs.
Example
- From the menu on the left, select Global Roles.
- Click Create Role and enter the following details:
- Role Name. Enter a name for the role, such as
Email administrator
. - API Name. The API Name is generated automatically.
- Description. Enter a brief definition of the role and its permissions. For example, you can add a description that this role is intended for users who require permissions to create an incident from an email or add emails to existing incidents.
- Role Name. Enter a name for the role, such as
- Grant Ability to view and modify permissions so that the user can access the Customization Settings to create scripts.
- Script writers use the
emailmessage.associateWithIncident() )
email object function, which enables them to create scripts to associate email with existing incidents. Grant the following permissions:- Inbox Permissions. Access Inbox permissions are needed to access the emails in the Mail Inbox, from where they can be used by the SOAR Platform.
- Incident Permissions. View Incidents permissions
are needed for
_helper.findIncidents()_
and Edit Incident permissions are needed to associate the email message with existing incident)
- To generate new incidents from incoming email, script writers use the
createAssociatedIncident
email object function. Grant the following permissions.- Inbox Permissions. Access Inbox permissions are needed to access the emails in the Mail Inbox, from where they can be used by the SOAR Platform.
- Incident Permissions. Create and Edit Incident permissions are needed.
- Save the role and then grant this role to users who need it.
Deleting user roles
You can delete a role unless it is assigned to a user or user invitation. You can view which roles are assigned to users in the Users tab.