Intelligence Center permissions

Permissions are granular controls on user access to features and data. They’re predefined, and assigned to users through roles.

Permissions are usually named with the convention <verb> <object>, where:

• <verb> describes the action allowed, and

• <object> describes the object being acted on.

Control access through groups, roles, and permissions

What a user is allowed to access is determined by a combination of:

• Groups

  Groups are used to organize users and defines the resources that its members are allowed to access.

• Roles

  Roles are sets of permissions that determine the tasks a user assigned that role can perform.

The following flow chart is an example of how to decide what to assign to your user to give a certain level of access:

Groups

Groups allow you to name the resources it’s members are allowed to access.

You can set for a group:

• Allowed sources

• Allowed roles

Allowed sources

Allowed sources are sources that members of the group can access data from.

An allowed source has two properties:

• the source

• a TLP color

Sources can be:

• Groups. By default, a group has itself as an allowed source. You can add other groups as allowed sources to give group members access to intelligence created by members of that group.

• Incoming feeds. Entities and observables that are ingested through an incoming feed have their source automatically set to the name of the incoming feed.

• Enrichers. When an observable or entity is enriched, the resulting entities and observables have their source set to the name of the enricher used.

TLP colors set for a source determines the most restrictive TLP (inclusive) that that members of this group can access. By default, this is set to RED for a source. This means that group members can access objects with TLP colors WHITE, GREEN, AMBER, and RED.

Tip

Setting an allowed source’s to a less restrictive TLP color would prevent group members from accessinng objects with more restrictive TLP colors. For example, setting the TLP color for an allowed source to GREEN would mean that objects with TLP colors AMBER and RED cannot be accessed by group members.

Allowed roles

Groups must specify a set of roles that group members can be assigned to.

Setting allowed roles for a group does not actually assign the role to group members. You must first add roles to the allowed roles of a group, then explicitly assign those roles to the user.

Roles

Roles are sets of permissions that grant read or modify access to a given resource.

Tip

modify permissions grant both read and modify permissions for a resource.

A role can contain any number of permissions. Users inherit their permissions from the roles that they are assigned.

Table of permissions

To see a full list of permissions, go to Settings > User management > Permissions in the UI while signed in as a user with at least read permissions.

Tip

All -modify permissions already include -read level permissions.

For example, modify users permissions include read users permissions, so you can assign a user modify users without read users.

Note

Permission dependencies

• Some permissions depend on other permissions.

  For example, a user must first have read-tickets permissions in order to be able to read task comments with read ticket-comments permisisons.

Permission	Description
install knowledge-packs	Install knowledge packs. Note To install knowledge packs in the UI, also requires read knowledge-packs permissions.
lock/unlock users	Unlock or deactivate user accounts. Note Also requires modify users.
modify blob-uploads	Manually upload files in the UI through + > Upload. Note Different from files permissions.
modify collaborators	Add and remove users in workspaces. Note Also requires read workspaces.
modify configurations	Modify the following settings in EclecticIQ Intelligence Center UI: Settings > System settings Settings > STIX and TAXII > STIX
modify csv-mappings	Allows user to read, create, and modify records in Data configuration > Data mappings. This allows you to: Select existing data mappings when importing CSV files Create data mapping and then select them when importing CSV files
modify knowledge-packs	View, create, and modify knowledge packs.
modify discovery-rules	View, create, modify, enable/disable, and run discovery rules. Note Requires additional permissions to access these fields: Search query: For autocomplete to work in the UI, requires read entities. Correlated workspaces: read workspaces
modify draft-entities	View, create, and modify draft entities
modify enrichers	Edit, enable, and disable enrichers
modify enrichment-rules	View, create, modify, enable/disable, and run enrichment rules. Note Requires additional permissions to access these fields: Source: read sources Enrichers: read enrichers
modify entities	View, create, and modify entities. Note Requires additional permissions to see all fields and options. The following is a non-exhaustive list of min. permissions: read extracts to see related observables read attack to see MITRE ATT&CK classifications read sources to see sources
modify extracts	View, create, and modify observables
modify files	Users can: attach and remove files to a workspace pin and unpin attached files to the front page of a workspace. Note To perform these tasks on files attached to a workspace, users must: be an owner or collaborator on a workspace have at least these permissions: read workspaces read graphs
modify graphs	View, create, and modify graphs Note To save a graph, users must: have at least read workspaces be at least a collaborator on a workspace
modify groups	View, create, and modify user groups. Note To be able to see and modify groups on the UI, users must either: be Group Admin for at least one group or have at least read configurations To manage additional group properties, users require at least: read users to manage a group’s user list read sources to manage a group’s Allowed sources modify roles to manage a group’s Allowed roles
modify incoming-feeds	View, create, modify, and run incoming feeds. Note To create a new incoming feed in the UI, users must also have at least: read transports read content-types
modify intel-sets	View, create, and modify datasets. Note To view dataset, users also require at least: read entities To create datasets, users also require at least: read entities read workspaces
modify outgoing-feeds	View, create, modify, and run outgoing feeds Note To create a new outgoing feed, users must also have at least: read transports read content-types read intel-sets For feeds that create packages (e.g. feeds that use the HTTP download transport type), users must also have at least read content-blocks to see available package endpoints.
modify retention-policies	View, create, modify, and run data retention policies. Note To create policies, users must also have at least: read entities read extracts read sources read taxonomies
modify roles	View, create, and modify roles. Note To create and modify roles, users must also have at least: read permissions To be able to see and modify roles on the UI, users must either: be Group Admin for at least one group or have at least read configurations
modify rules	View, create, modify, enable/disable, and run: entity rules observable rules Note To create and modify rules, users may need corresponding permissions to configure these rule properties: Criteria > Source: read sources Criteria > Observable types: read extracts Criteria > Link name filter: read extracts Actions > Add tags: read taxonomies Actions > Add to dataset: read intel-sets Actions > Merge similar: read entities and membership to group(s) with corresponding Allowed sources.
modify tasks	View and terminate system jobs. Note To interact with system jobs in the UI through Settings > System jobs, users must have at least read configurations.
modify taxii-services	View, create, and modify TAXII services. Note To interact with TAXII service configuration in the UI through Settings > STIX and TAXII > TAXII, users must also have at least read configurations.
modify taxonomies	View, create, and modify taxonomies.
modify ticket-comments	View, create, and modify comments on Tasks (“tickets”). Note To be able to add comments on Tasks in the UI, users must also: have at least read tickets be a stakeholder or an assignee on that ticket
modify tickets	View, create, and modify Tasks (“tickets”). Note To be able to see a task in the UI, users must either: be a stakeholder or an assignee on that ticket or, be at least a collaborator on the workspace the task is attached to Users need additional permissions to access these UI fields in tasks: Assigned to: read users Workspaces: read workspaces Stakeholders: read users Referenced entities: read entities Comments: read ticket-comments
modify users	View and deactivate users. Note To be able to create and modify users, you must: be a Group Admin in a group where you are creating or modifying users or have both modify user-groups and modify user-roles
modify user-groups	Add or remove existing users from a group. Note Requires at least: modify users read groups
modify user-roles	Add or remove roles from a user. Note Requires at least: modify users read roles
modify workspace-comments	View, create, and modify comments in workspaces. Note To interact with comments in workspaces, users must at least: have read workspaces be a collaborator on that workspace
modify workspaces	View, create, and modify workspaces Note Requires additional permissions to access these features: Dashboard: read graphs Browse > *: read entities read intel-sets read files read graphs Exposure: read entities
read audit-trail	View the audit trail in the Audit view under System settings. Note To see Settings > System settings > Audit in the UI, users need at least read configurations.
read attack	View MITRE ATT&CK classifications. Users must have this permission and modify entities to be able to assign ATT&CK classifications to an entity.
read blob-uploads	View manually uploaded files. Note Different from files permissions. To see manually uploaded files at Search > Go to search and browse > Files in the UI, users must at least have read entities.
read collaborators	View collaborators of a workspace.
read configurations	View settings in Settings > System settings.
read csv-mappings	Allows user to read records in Data configuration > Data mappings, and select existing data mappings when importing CSV files.
read knowledge-packs	View knowledge packs. Note Requires additional permissions to see the contents of a knowledge pack.
read content-blocks	View packed outgoing feed packages.
read content-types	View available content types when creating feeds.
read destinations	View the list of outgoing feeds where an entity or observable is published. Destinations are displayed in the UI as a section in the Overview tab when you open an entity or observable. Note To see an entity’s or observable’s destinations in the UI, users must have at least read entities or read observables.
read discovery-rules	View discovery rules. Note To see discovery rules in the UI, users must have at least read rules.
read draft-entities	View draft entities tab in the Draft tab under Production.
read enrichers	View enrichers.
read enrichment-rules	View enrichment rules. Note To see enrichment rules in the UI, users must have at least read enrichers.
read entities	View entities. Note Requires additional permissions to see all fields and options.
read extracts	View observables. Note Requires additional permissions to see all fields and options.
read files	View files uploaded to a workspace. Note Users must be at least a collaborator on a workspace to view files attached to it.
read graphs	View graphs. Note Users must be at least a collaborator on a workspace to view graphs saved to it.
read groups	View groups. Note To see groups in the UI, users must have at least read users.
read incoming-feeds	View incoming feeds. Note Requires additional permissions to see all fields and options.
read intel-sets	View datasets. Note To see the contents of a dataset, users must have at least read entities.
read notifications	View notifications ().
read outgoing-feeds	View outgoing feeds. Note Requires additional permissions to see all fields and options.
read permissions	View the list of available permissions. Note To see the list of permissions in Settings > User management > Permissions, users must have at least read users.
read retention-policies	View data retention policies.
read roles	View roles. Note To see the permissions that a role includes, users must have read permissions
read rules	View observable and entity rules. Note Requires additional permissions to see all fields and options.
read sources	View the list of sources.
read tasks	View system jobs.
read taxii-services	View TAXII services.
read taxonomies	View the taxonomy list.
read ticket-comments	View comments on Tasks (“tickets”). Note To be able to view comments on Tasks in the UI, users must also: have at least read tickets be a stakeholder or an assignee on that ticket
read tickets	View, create, and modify Tasks (“tickets”). Note To be able to see a task in the UI, users must either: be a stakeholder or an assignee on that ticket or, be at least a collaborator on the workspace the task is attached to Users need additional permissions to access some UI fields in tasks:
read traceback-logs	View traceback logs displayed in the UI when an error occurs.
read transports	View available transport types for feeds.
read users	View the list of users.
read workspace-comments	View comments in workspaces. Note To interact with comments in workspaces, users must at least: have read workspaces be a collaborator on that workspace
read workspaces	View workspaces Note Requires additional permissions to access some features.
reset password	Allows user to force reset another user’s password. Note Also requires at least modify users.

Vestigial permissions

Intelligence Center contains a number of permissions that are related to unimplemented features. These permissions have no impact and can be assigned or unassigned without any change in platform behavior. You can therefore disregard them.

These permissions are:

• modify enrichments (different than modify enrichers or modify enrichment-rules)

• read enrichments (different than read enrichers or read enrichment-rules)

• modify kibana

• modify subscriptions

• read subscriptions

• read history-events