Intelligence Center permissions#

Permissions are granular controls on user access to features and data. They’re predefined, and assigned to users through roles.

Permissions are usually named with the convention <verb> <object>, where:

  • <verb> describes the action allowed, and

  • <object> describes the object being acted on.

Control access through groups, roles, and permissions#

What a user is allowed to access is determined by a combination of:

  • Groups

    Groups are used to organize users and defines the resources that its members are allowed to access.

  • Roles

    Roles are sets of permissions that determine the tasks a user assigned that role can perform.

The following flow chart is an example of how to decide what to assign to your user to give a certain level of access:

Permissions diagram

Groups#

Groups allow you to name the resources it’s members are allowed to access.

You can set for a group:

Allowed sources#

Allowed sources are sources that members of the group can access data from.

An allowed source has two properties:

  • the source

  • a TLP color

Sources can be:

  • Groups. By default, a group has itself as an allowed source. You can add other groups as allowed sources to give group members access to intelligence created by members of that group.

  • Incoming feeds. Entities and observables that are ingested through an incoming feed have their source automatically set to the name of the incoming feed.

  • Enrichers. When an observable or entity is enriched, the resulting entities and observables have their source set to the name of the enricher used.

TLP colors set for a source determines the most restrictive TLP (inclusive) that that members of this group can access. By default, this is set to RED for a source. This means that group members can access objects with TLP colors WHITE, GREEN, AMBER, and RED.

Tip

Setting an allowed source’s to a less restrictive TLP color would prevent group members from accessinng objects with more restrictive TLP colors. For example, setting the TLP color for an allowed source to GREEN would mean that objects with TLP colors AMBER and RED cannot be accessed by group members.

Allowed roles#

Groups must specify a set of roles that group members can be assigned to.

Setting allowed roles for a group does not actually assign the role to group members. You must first add roles to the allowed roles of a group, then explicitly assign those roles to the user.

Roles#

Roles are sets of permissions that grant read or modify access to a given resource.

Tip

modify permissions grant both read and modify permissions for a resource.

A role can contain any number of permissions. Users inherit their permissions from the roles that they are assigned.

Table of permissions#

To see a full list of permissions, go to Settings Settings > User management > Permissions in the UI while signed in as a user with at least read permissions.

Tip

All -modify permissions already include -read level permissions.

For example, modify users permissions include read users permissions, so you can assign a user modify users without read users.

Note

Permission dependencies

  • Some permissions depend on other permissions.

    For example, a user must first have read-tickets permissions in order to be able to read task comments with read ticket-comments permisisons.

Permission

Description

install knowledge-packs

Install knowledge packs.

Note

To install knowledge packs in the UI, also requires read knowledge-packs permissions.

lock/unlock users

Unlock or deactivate user accounts.

Note

Also requires modify users.

modify blob-uploads

Manually upload files in the UI through + > Upload.

Note

Different from files permissions.

modify collaborators

Add and remove users in workspaces.

Note

Also requires read workspaces.

modify configurations

Modify the following settings in EclecticIQ Intelligence Center UI:

  • Settings Settings > System settings

  • Settings Settings > STIX and TAXII > STIX

modify csv-mappings

Allows user to read, create, and modify records in Data configuration Data configuration icon > Data mappings.

This allows you to:

  • Select existing data mappings when importing CSV files

  • Create data mapping and then select them when importing CSV files

modify knowledge-packs

View, create, and modify knowledge packs.

modify discovery-rules

View, create, modify, enable/disable, and run discovery rules.

Note

Requires additional permissions to access these fields:

  • Search query: For autocomplete to work in the UI, requires read entities.

  • Correlated workspaces: read workspaces

modify draft-entities

View, create, and modify draft entities

modify enrichers

Edit, enable, and disable enrichers

modify enrichment-rules

View, create, modify, enable/disable, and run enrichment rules.

Note

Requires additional permissions to access these fields:

  • Source: read sources

  • Enrichers: read enrichers

modify entities

View, create, and modify entities.

Note

Requires additional permissions to see all fields and options.

The following is a non-exhaustive list of min. permissions:

  • read extracts to see related observables

  • read attack to see MITRE ATT&CK classifications

  • read sources to see sources

modify extracts

View, create, and modify observables

modify files

Users can:

  • attach and remove files to a workspace

  • pin and unpin attached files to the front page of a workspace.

Note

To perform these tasks on files attached to a workspace, users must:

  • be an owner or collaborator on a workspace

  • have at least these permissions:

    • read workspaces

    • read graphs

modify graphs

View, create, and modify graphs

Note

To save a graph, users must:

  • have at least read workspaces

  • be at least a collaborator on a workspace

modify groups

View, create, and modify user groups.

Note

To be able to see and modify groups on the UI, users must either:

  • be Group Admin for at least one group

  • or have at least read configurations

To manage additional group properties, users require at least:

  • read users to manage a group’s user list

  • read sources to manage a group’s Allowed sources

  • modify roles to manage a group’s Allowed roles

modify incoming-feeds

View, create, modify, and run incoming feeds.

Note

To create a new incoming feed in the UI, users must also have at least:

  • read transports

  • read content-types

modify intel-sets

View, create, and modify datasets.

Note

To view dataset, users also require at least:

  • read entities

To create datasets, users also require at least:

  • read entities

  • read workspaces

modify outgoing-feeds

View, create, modify, and run outgoing feeds

Note

To create a new outgoing feed, users must also have at least:

  • read transports

  • read content-types

  • read intel-sets

For feeds that create packages (e.g. feeds that use the HTTP download transport type), users must also have at least read content-blocks to see available package endpoints.

modify retention-policies

View, create, modify, and run data retention policies.

Note

To create policies, users must also have at least:

  • read entities

  • read extracts

  • read sources

  • read taxonomies

modify roles

View, create, and modify roles.

Note

To create and modify roles, users must also have at least:

  • read permissions

To be able to see and modify roles on the UI, users must either:

  • be Group Admin for at least one group

  • or have at least read configurations

modify rules

View, create, modify, enable/disable, and run:

Note

To create and modify rules, users may need corresponding permissions to configure these rule properties:

  • Criteria > Source: read sources

  • Criteria > Observable types: read extracts

  • Criteria > Link name filter: read extracts

  • Actions > Add tags: read taxonomies

  • Actions > Add to dataset: read intel-sets

  • Actions > Merge similar: read entities and membership to group(s) with corresponding Allowed sources.

modify tasks

View and terminate system jobs.

Note

To interact with system jobs in the UI through Settings Settings > System jobs, users must have at least read configurations.

modify taxii-services

View, create, and modify TAXII services.

Note

To interact with TAXII service configuration in the UI through Settings Settings > STIX and TAXII > TAXII, users must also have at least read configurations.

modify taxonomies

View, create, and modify taxonomies.

modify ticket-comments

View, create, and modify comments on Tasks Task icon (“tickets”).

Note

To be able to add comments on Tasks Task icon in the UI, users must also:

  • have at least read tickets

  • be a stakeholder or an assignee on that ticket

modify tickets

View, create, and modify Tasks Task icon (“tickets”).

Note

To be able to see a task in the UI, users must either:

  • be a stakeholder or an assignee on that ticket

  • or, be at least a collaborator on the workspace the task is attached to

Users need additional permissions to access these UI fields in tasks:

  • Assigned to: read users

  • Workspaces: read workspaces

  • Stakeholders: read users

  • Referenced entities: read entities

  • Comments: read ticket-comments

modify users

View and deactivate users.

Note

To be able to create and modify users, you must:

  • be a Group Admin in a group where you are creating or modifying users

  • or have both modify user-groups and modify user-roles

modify user-groups

Add or remove existing users from a group.

Note

Requires at least:

  • modify users

  • read groups

modify user-roles

Add or remove roles from a user.

Note

Requires at least:

  • modify users

  • read roles

modify workspace-comments

View, create, and modify comments in workspaces.

Note

To interact with comments in workspaces, users must at least:

  • have read workspaces

  • be a collaborator on that workspace

modify workspaces

View, create, and modify workspaces

Note

Requires additional permissions to access these features:

  • Dashboard: read graphs

  • Browse > *:

    • read entities

    • read intel-sets

    • read files

    • read graphs

  • Exposure: read entities

read audit-trail

View the audit trail in the Audit view under System settings.

Note

To see Settings Settings > System settings > Audit in the UI, users need at least read configurations.

read attack

View MITRE ATT&CK classifications.

Users must have this permission and modify entities to be able to assign ATT&CK classifications to an entity.

read blob-uploads

View manually uploaded files.

Note

Different from files permissions.

To see manually uploaded files at Search Search icon > Go to search and browse > Files in the UI, users must at least have read entities.

read collaborators

View collaborators of a workspace.

read configurations

View settings in Settings Settings > System settings.

read csv-mappings

Allows user to read records in Data configuration Data configuration icon > Data mappings, and select existing data mappings when importing CSV files.

read knowledge-packs

View knowledge packs.

Note

Requires additional permissions to see the contents of a knowledge pack.

read content-blocks

View packed outgoing feed packages.

read content-types

View available content types when creating feeds.

read destinations

View the list of outgoing feeds where an entity or observable is published.

Destinations are displayed in the UI as a section in the Overview tab when you open an entity or observable.

Note

To see an entity’s or observable’s destinations in the UI, users must have at least read entities or read observables.

read discovery-rules

View discovery rules.

Note

To see discovery rules in the UI, users must have at least read rules.

read draft-entities

View draft entities tab in the Draft tab under Production.

read enrichers

View enrichers.

read enrichment-rules

View enrichment rules.

Note

To see enrichment rules in the UI, users must have at least read enrichers.

read entities

View entities.

Note

Requires additional permissions to see all fields and options.

read extracts

View observables.

Note

Requires additional permissions to see all fields and options.

read files

View files uploaded to a workspace.

Note

Users must be at least a collaborator on a workspace to view files attached to it.

read graphs

View graphs.

Note

Users must be at least a collaborator on a workspace to view graphs saved to it.

read groups

View groups.

Note

To see groups in the UI, users must have at least read users.

read incoming-feeds

View incoming feeds.

Note

Requires additional permissions to see all fields and options.

read intel-sets

View datasets.

Note

To see the contents of a dataset, users must have at least read entities.

read notifications

View notifications (Notification bell).

read outgoing-feeds

View outgoing feeds.

Note

Requires additional permissions to see all fields and options.

read permissions

View the list of available permissions.

Note

To see the list of permissions in Settings Settings > User management > Permissions, users must have at least read users.

read retention-policies

View data retention policies.

read roles

View roles.

Note

To see the permissions that a role includes, users must have read permissions

read rules

View observable and entity rules.

Note

Requires additional permissions to see all fields and options.

read sources

View the list of sources.

read tasks

View system jobs.

read taxii-services

View TAXII services.

read taxonomies

View the taxonomy list.

read ticket-comments

View comments on Tasks Task icon (“tickets”).

Note

To be able to view comments on Tasks Task icon in the UI, users must also:

  • have at least read tickets

  • be a stakeholder or an assignee on that ticket

read tickets

View, create, and modify Tasks Task icon (“tickets”).

Note

To be able to see a task in the UI, users must either:

  • be a stakeholder or an assignee on that ticket

  • or, be at least a collaborator on the workspace the task is attached to

Users need additional permissions to access some UI fields in tasks:

read traceback-logs

View traceback logs displayed in the UI when an error occurs.

read transports

View available transport types for feeds.

read users

View the list of users.

read workspace-comments

View comments in workspaces.

Note

To interact with comments in workspaces, users must at least:

  • have read workspaces

  • be a collaborator on that workspace

read workspaces

View workspaces

Note

Requires additional permissions to access some features.

reset password

Allows user to force reset another user’s password.

Note

Also requires at least modify users.