General Permissions
Console uses Role-Based Access Control (RBAC) to authorize users for Console functions. Permissions to perform certain operations or to view certain tags and endpoints are assigned to a role. Users are assigned roles, and through those role assignments they acquire permissions for their Console activities.
You may enable or disable tabs, and certain functionality within those tabs, based on the permissions that you grant to a specific role. To enable a permission, place a check mark next to it. Remove the check mark to disable that permission. The following permissions are available:
Logs
Field | Description |
---|---|
Display Logs Tab | Enables the Logs tab. |
View Date/Time Column | Grants the ability to view data in the Date/Time column. |
View Endpoint Column | Grants the ability to view data in the Endpoint column. |
View User Column | Grants the ability to view data in the User column. |
View Message Type Column | Grants the ability to view data in the Message Type column. |
View Message Column | Grants the ability to view data in the Message column. |
Reports
Field | Description |
---|---|
Display Reports tab | Enables the Reports tab. |
Create Reports | Grants the ability to create reports. |
Export Reports | Grants the ability to export reports. |
Change Permissions of Built-in Reports | Grants the ability to change the permissions of the built-in reports. |
Results
You may enable or disable the following columns from displaying for users assigned to a role.
Field | Description |
---|---|
Display Results Tab | Enables the Results tab. |
View Date/Time Column | Grants the ability to view data in the Date/Time column. |
View Endpoint Column | Grants the ability to view data in the Endpoint column. |
View Owner Column | Grants the ability to view data in the Owner column. |
View User Column | Grants the ability to view data in the User column. |
View Data Type Column | Grants the ability to view data in the Identity Type column. |
View Match Column | Grants the ability to view data in the Identity Match column. |
View Match Quantity Column | Grants the ability to view data in the Match Quantity column. |
View Location Column | Grants the ability to view data in the Location column. |
View Location Type Column | Grants the ability to view data in the Location Type column. |
View Action Column | Grants the ability to view data in the Action column. |
View Classification Column | Grants the ability to view data in the Classification column. |
View Assignee Column | Grants the ability to view data in the Assignee column. |
View Workflow Status Column | Grants the ability to view data in the Workflow Status column. |
View Database Column Names | Grants the ability to view data in the Database column names. |
View Primary Key Data | Grants the ability to view primary key data. |
View Location ACL | Grants the ability to view data in the ACL section of the results details. |
Allow Classify | Grants the ability to classify results. |
Security Administration
Field | Description |
---|---|
Create User | Grants the ability to create new users from the Users page. |
Remove User | Grants the ability to delete a user from the Users page. |
Recover Password | Grants the ability to change a user's password without knowing their current password. |
Change Password | Grants the ability to change user passwords from the Users page. |
Lock / Unlock User | Grants the ability to lock and unlock a user from the Users page. |
Assign Role | Grants the ability to assign a role to a user. You must also have the Remove Role permission when granting the Assign Role permission. |
Assign All Roles | Grants the ability to see all roles, except the Administrator role, from the Users page. Does not allow the user to assign the administrator role unless the user is a member of that role. Without this permission, the user can only see the roles to which he is assigned. |
Edit Role | Grants permission to edit a role from the Roles page. |
Remove Role | Grants the ability to unassign a role from a user. You must also have the Assign Role permission when granting the Remove Role permission. |
Change General Permissions | Grants the ability to change general permissions within a role from the Roles page. |
Change Tags Permissions | Grants the ability to change tags permissions within a role from the Roles page. |
View Users | Displays the Users page and grants the ability to view data in the Users columns (All Users and Console Users) in a report. |
View Roles | Displays the Roles page and grants the ability to view the Roles to which a user is assigned when viewing a user on the Users page. Also grants the ability to view data in the Roles columns (Console Roles) in a report. |
Service Tasks
Field | Description |
---|---|
Manage All Service Tasks | Displays the Service Tasks page and grants the ability to view all service tasks created by any user. To manage an existing service task or create a new service task, you must also have the specific corresponding service task permission. |
Manage Own Service Tasks | Displays the Service Tasks page and grants the ability to view only those service tasks created by the logged in user. To create a new service task, you must also have the specific corresponding service task permission. |
Manage Data Clean Up | Grants the ability to manage the Data Clean Up service task. |
Manage Database Maintenance | Grants the ability to manage the Database Maintenance service task. |
Manage Endpoints Merging | Grants the ability to manage the Endpoints Merging service task. |
Manage Importing | Grants the ability to manage the Importing service task. |
Manage Prune Endpoints | Grants the ability to manage the Prune Endpoints service task. |
Manage Purge Endpoint Activity | Grants the ability to manage the Purge Endpoint Activity service task. |
Manage Purge Logs | Grants the ability to manage the Purge Logs service task. |
Manage Purge Match Previews | Grants the ability to manage the Purge Match Previews service task. |
Manage Purge Matches | Grants the ability to manage the Purge Matches service task. |
Manage Purge Messages | Grants the ability to manage the Purge Messages service task. |
Manage Purge Results | Grants the ability to manage the Purge Results service task. |
Manage Replication | Grants the ability to manage the Replication service task. |
Manage Run Workflow Rules | Grants the ability to manage the Run Workflow Rules service task. |
Manage Synchronize AD Users | Grants the ability to manage the Synchronize AD Users service task. |
Manage Synchronize Tags | Grants the ability to manage the Synchronize tags service task. |
Manage Trace Log Cleanup | Grants the ability to manage the Trace Log Cleanup service task. |
Manage Tune Reports | Grants the ability to manage the Tune Reports service task. |
Manage Update Data Cache | Grants the ability to manage the Update Data Cache service task. |
Manage Update Policy States | Grants the ability to manage the Update Policy States service task. |
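The dependency rules stated in the Security Administration and Service Tasks tables can be checked mechanically when reviewing role definitions. The following is an added example, not part of the product or its documentation; representing a role as a set of permission names, the finding codes, and the sample roles are assumptions constructed for illustration.

```python
# Assumption: a role is a set of permission names spelled as in the tables.
# The Console's own storage or export format is not described on this page.
SERVICE_TASK_PAGE = {"Manage All Service Tasks", "Manage Own Service Tasks"}
SERVICE_TASK_SPECIFIC = {"Manage " + t for t in (
    "Data Clean Up", "Database Maintenance", "Endpoints Merging", "Importing",
    "Prune Endpoints", "Purge Endpoint Activity", "Purge Logs",
    "Purge Match Previews", "Purge Matches", "Purge Messages", "Purge Results",
    "Replication", "Run Workflow Rules", "Synchronize AD Users",
    "Synchronize Tags", "Trace Log Cleanup", "Tune Reports",
    "Update Data Cache", "Update Policy States")}

def lint_role(perms):
    """Return (code, detail) findings for one role's permission set."""
    perms = set(perms)
    findings = []
    # Assign Role and Remove Role must be granted together.
    if ("Assign Role" in perms) != ("Remove Role" in perms):
        held = "Assign Role" if "Assign Role" in perms else "Remove Role"
        findings.append(("ASSIGN_REMOVE_UNPAIRED",
                         f"{held} granted without its required counterpart"))
    page = perms & SERVICE_TASK_PAGE
    specific = perms & SERVICE_TASK_SPECIFIC
    # Only Manage All/Own display the Service Tasks page; a specific task
    # permission without either has no page to act from.
    if specific and not page:
        findings.append(("SERVICE_TASK_NO_PAGE",
                         "task permissions without Manage All/Own: "
                         + ", ".join(sorted(specific))))
    # Manage All/Own alone only lets the user view tasks (informational).
    if page and not specific:
        findings.append(("SERVICE_TASK_VIEW_ONLY",
                         "can view service tasks but manage or create none"))
    return findings

# Constructed sample roles for illustration only.
ROLES = {
    "Help Desk": {"View Users", "Recover Password", "Assign Role"},
    "Task Viewer": {"Manage All Service Tasks"},
    "Purge Operator": {"Manage Purge Logs", "Manage Purge Results"},
    "Role Admin": {"View Users", "View Roles", "Assign Role", "Remove Role",
                   "Manage Own Service Tasks", "Manage Replication"},
}

def audit(roles):
    """Map each role name to the list of finding codes it triggers."""
    return {name: [code for code, _ in lint_role(p)] for name, p in roles.items()}

if __name__ == "__main__":
    for name, perms in ROLES.items():
        for code, detail in lint_role(perms):
            print(f"{name}: {code}: {detail}")
```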
Tags Editing
Field | Description |
---|---|
Create Root Tags | Grants the ability to create a root tag. Without this permission, the user is only able to create nested tags. |
Create Simple | Grants the ability to create a Simple tag. |
Create IP Range | Grants the ability to create an IP Range tag. |
Create LDAP Query | Grants the ability to create an LDAP Query tag. |
Create Filter Tag | Grants the ability to create a filter tag. |
Allow All Endpoints in Filter Tags | When a user is granted this permission and the user creates a filter tag, all endpoints that match the criteria are added to the tag, but the user is only able to see those endpoints to which they have permissions. When this permission is not granted, the filter tag only contains those endpoints to which the user has permissions. When a user has this permission granted or revoked, the existing filter tags created by that user are reevaluated. When revoking the permission, all endpoints are removed from the affected filter tags and the Synchronize Tags service task is set to "Execute Now". When granting the permission, no endpoints are removed from the affected filter tags and the Synchronize Tags service task is set to "Execute Now". |
Various
Field | Description |
---|---|
Edit or Remove Endpoint | Grants the ability to edit, remove and merge endpoints, and to unregister an endpoint. |
Map Data | Grants the ability to add, edit and remove Map Data. |
Delete Data | Grants the ability to delete rows from the results tab. |
Modify Active Directory Settings | Grants the ability to change the AD settings. |
Exclude Data from Import | Grants the ability to exclude rows from being stored in the Console database. |
Manage Policies | Grants the ability to create and manage policies. The user is only able to access those policies that they create. |
Remediation Actions | Grants the ability to perform actions such as shred or ignore on results data. |
Search Now | Grants the ability to perform a remote search of an endpoint. |
Gather Data | Grants the ability to perform a gather data on an endpoint. |
Update Host Name | Grants the ability to use the Update the Host Name option. |
Uninstall Agent software | Grants the ability to remotely uninstall the Agent software from an endpoint. |
Reset Profile Password | Grants the ability to reset the profile password on an endpoint. |
Delete Search History | Grants the ability to delete search history via the Delete Search History right-click menu option. |
Delete Endpoint Ignore Lists | Grants the ability to delete endpoint ignore lists via the Delete Ignore Lists right-click menu option. |
Enable Support Mode | Grants the ability to enable support mode via the Support Mode right-click menu option. |
Schedule Export | Grants the ability to schedule the exporting of a report. |
Manage Application Settings | Displays the Application Settings page. |
Manage Endpoint Updates | Displays the Agent Updates page and grants the ability to update Agents. |
Manage Cloud Authentication | Displays the Cloud Authentication page and grants the ability to manage the Cloud storage. |
Manage Global Ignore Lists | Displays the Global Ignore Lists page and grants the ability to manage the global ignore lists. |
Manage Workflows | Displays the Workflows tab and grants the ability to manage the workflows. |
Discovery Teams | Displays the Discovery Teams page and grants the ability to view and manage Discovery Teams. |
Sensitive Data Types | Grants the ability to add, edit, remove, import and export sensitive data types. Without this permission, you may still edit and assign those sensitive data types you have been granted explicit permissions to on the Sensitive Data Types Detail page. |
View Audit Log | Displays the Messages page. |
Upload License File | Enables the Upload License button on the Licenses page. |
Access Uploads | Grants the ability to save and delete data that has been uploaded from an endpoint via the right-click menu on the Endpoint Status Details Uploads tab. |
Web Api | Grants the ability to access the Web API methods in the Web API. |