On the Add/Edit Role page, the Permissions table shows the capabilities that can be enabled or disabled for members of the role – items that are checked are enabled and items that are not checked are disabled.

You can customize permissions to achieve exactly the level of access you want for a role.

For the most part, permissions can be divided into two categories: view permissions that allow you to see a particular page or dialog in the console, and manage permissions that allow you to create, edit, and delete managed assets, rules, and console users. Some permissions depend on others – you cannot manage something unless you can see it. If you disable View system configuration, for example, Manage system configuration is automatically disabled as well.

Note: For details regarding permissions and dependencies, see Table 1, Permissions Settings for User Roles, under User Role Permission Settings below.

Checkboxes for permissions that depend upon other permissions are gray (instead of white) when they are not enabled. In addition, permissions that depend upon other permissions are indented to make the relationship between them clearer.

The Scope column indicates whether a permission is global or policy-specific. Policy-specific permissions are affected by your choice in the Scope of Policy Permissions section of the Add/Edit User Role page.

Note:
  • Carefully consider any permissions changes you make, especially to the built-in Administrator role. In particular, avoid removing permissions to view and manage user accounts and roles from the Administrator role since this will make it impossible to restore access to these features without the use of special recovery commands.
  • The console user interface, including pages, menus, and links, is documented on the assumption that users have full administrative permissions. Any permissions that are turned off remove the related user interface elements. Consider making users with restricted permissions aware of this so that they are not confused by the absence of features described in the Carbon Black App Control help.

User Role Permission Settings

In the table below, each permission is described and the dependencies for each permission are listed.

Note: You cannot enable a permission if a dependency is not enabled.
Table 1. Permissions Settings for User Roles

| Asset | Permission Name | Scope | Dependencies | Description |
|---|---|---|---|---|
| Computers | View computers | Policy | None | Ability to view computer pages. |
| Computers | Temporary assign computers | Policy | View computers | Ability to generate temporary Enforcement Level override codes. |
| Computers | Manage computers | Policy | View computers | Ability to manually assign computers to policies and change Enforcement Level. Ability to manage template computers. |
| Computers | Change advanced options | Policy | View computers; Manage computers | Ability to change advanced computer options such as collection of computer diagnostics and re-synchronizing. |
| Files | View files and applications | Policy | None | Ability to view files and applications pages. |
| Files | Manage files | Policy | View files and applications; View policies | Ability to approve, ban, and acknowledge files. Ability to mark files as installers. Note that this does not include the ability to directly change local file state. |
| Files | Change local state | Policy | View files and applications | Ability to change local state of files on computers. |
| Files | Delete files | Policy | View files and applications | Ability to delete files on computers. |
| Devices | View devices | Policy | None | Ability to view device pages. |
| Devices | Manage device rules | Policy | View devices; View policies | Ability to manage device rules. |
| Policies | View policies | Global | None | Ability to view the Policies page. |
| Policies | Manage policies | Policy | View policies | Ability to manage policies (changing mode, Enforcement Level, etc.). |
| Policies | Manage policy mappings | Global | View policies | Ability to manage automatic policy mapping rules. |
| Software Rules | View software rules pages | Global | None | Ability to view Software Rules pages. Also allows viewing of the Event Rules page for servers licensed for Carbon Black App Control Connectors for Network Security Devices. |
| Software Rules | Manage event rules | Global | View software rules pages | Ability to manage event rules. Requires a separate license for the Carbon Black App Control Connectors for Network Security Devices. Note: Some event rules require other permissions for the actions they specify, such as file upload and analysis and file approval. |
| Software Rules | Manage trusted directories | Global | View software rules pages | Ability to manage trusted directories. |
| Software Rules | Manage publisher rules | Policy | View policies; View software rules pages | Ability to manage trusted publishers. |
| Software Rules | Manage trusted users | Global | View software rules pages | Ability to manage trusted users. |
| Software Rules | Manage custom/registry/memory rules | Policy | View policies; View software rules pages | Ability to manage custom, registry, and memory rules. |
| Software Rules | Manage Updaters and Rapid Configs | Global | View software rules pages | Ability to enable, disable, add, and view details of software updaters and configurations for applications, and to modify configurations. |
| Software Rules | Manage custom scripts | Global | View software rules pages | Ability to manage custom definitions of what the Carbon Black App Control Server treats as scripts. |
| Software Rules | Manage indicator sets | Policy | View policies; View software rules pages | Ability to enable, disable, and create exceptions for indicator sets used in advanced detection. |
| Reports | View events | Policy | None | Ability to view event pages. |
| Reports | View server events | Global | View events | Ability to view server events. |
| Reports | View process command lines | Global | View events | Ability to view process command lines for events. Important: Command lines may include confidential information such as passwords. This permission is not enabled by default, even for administrator accounts, and should be limited to those who require it. |
| Reports | Manage shared dashboards | Global | None | Ability to manage shared dashboards. |
| Reports | View drift reports and snapshots | Global | None | Ability to view snapshots, drift reports, and drift report results. |
| Reports | Manage drift reports | Global | View drift reports and snapshots | Ability to manage baseline drift reports. |
| Reports | Manage snapshots | Global | View drift reports and snapshots | Ability to manage snapshots used in drift reports. |
| Reports | Manage saved views | Global | None | Ability to manage saved views on all pages. |
| Tools | View alerts | Global | None | Ability to view alert pages. |
| Tools | Manage alerts | Global | View alerts | Ability to manage alerts. |
| Tools | View meters | Global | None | Ability to view meters and meter results. |
| Tools | Manage meters | Global | View meters | Ability to manage meters. |
| Tools | View approval requests | Policy | None | Ability to view user-generated requests for approval of blocked files and justifications of files approved by users. |
| Tools | Manage approval requests | Policy | View approval requests | Ability to manage user-generated requests for approval of blocked files and justifications of files approved by users. |
| Tools | View file uploads | Global | None | Ability to view uploaded files on the Requested Files page. |
| Tools | Manage uploads of inventoried files | Global | View file uploads | Ability to initiate manual file uploads from agent computers, and to create event rules that upload files. This permission applies only to files considered "interesting" (i.e., executables and scripts) by Carbon Black App Control. |
| Tools | Manage uploads of files by pathname | Global | View file uploads | Ability to initiate manual file uploads from agent computers, and to create event rules that upload files. This permission applies to all files on agent computers, even if they are not in the Carbon Black App Control inventory. |
| Tools | Access uploaded files | Global | View file uploads | Ability to download files that have been uploaded to the server. |
| Tools | Submit files for analysis | Global | View file uploads | Ability to submit files for analysis by network security devices, either manually or through creation of an event rule. Requires a separate license for the Carbon Black App Control Connectors for Network Security Devices, unless implemented through the API. |
| Notifiers | View notifiers | Global | None | Ability to view the details of blocked file notifiers. |
| Notifiers | Manage notifiers | Global | View notifiers | Ability to edit blocked file notifiers or create new ones. |
| Analytics | View external analytics reports | Global | None | Ability to view and use links from the console to external analytics reports (if external analytics is enabled and configured). |
| Administration | View system configuration | Global | None | Ability to view system configuration pages. |
| Administration | Manage system configuration | Global | View system configuration | Ability to manage system configuration; this includes uploading agent and rule packages to the server. |
| Administration | View login accounts and user roles | Global | None | Ability to view login accounts and user roles for accounts. |
| Administration | Manage login accounts | Global | View login accounts and user roles | Ability to manage login accounts. |
| Administration | Manage user roles and mappings | Global | View login accounts and user roles | Ability to manage user roles. |
| Administration | Local login override | Global | None | Ability to log in with a local (App Control) account when SAML logins are enabled. You can also enable this feature on the System Configuration page for SAML logins. |
| Administration | View System Health Indicators | Global | None | Ability to view the system health page and system health alerts. |
| Administration | Extend connectors through API | Global | None | Ability to register and unregister connectors with the Carbon Black App Control Server through APIs so that they can send notifications and (if part of their feature set) analyze files. |
| Administration | Use Unified Management | Global | None | Ability to use Unified Management features on multiple servers. |
| Administration | Configure Unified Management | Global | Use Unified Management | Ability to configure Unified Management (enable and disable, add and delete servers). This permission is built in to the Administrator (Unified Management) role, and cannot be added to any other role. |
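The dependency rules described on this page (a permission cannot be enabled while one of its dependencies is disabled, and disabling a permission automatically disables everything that depends on it) and the caution about stripping account and role permissions from the Administrator role can be checked offline against a proposed role definition. The following Python model is an added example; it is not part of this documentation and is not Carbon Black App Control code. The `DEPENDENCIES` dictionary transcribes a subset of Table 1 above; the function names (`enable`, `disable`, `dependents_of`, `audit_role`) and the wording of the audit findings are this example's own.

```python
"""Model of App Control role permissions and their dependencies.

The dependency data is transcribed from Table 1 (a subset suffices to show the
behaviour). The functions are an illustrative model of the console's rules,
not the product's own code.
"""
from __future__ import annotations

# permission -> permissions it depends on (transcribed from Table 1)
DEPENDENCIES: dict[str, tuple[str, ...]] = {
    "View computers": (),
    "Temporary assign computers": ("View computers",),
    "Manage computers": ("View computers",),
    "Change advanced options": ("View computers", "Manage computers"),
    "View files and applications": (),
    "Manage files": ("View files and applications", "View policies"),
    "View policies": (),
    "Manage policies": ("View policies",),
    "View events": (),
    "View process command lines": ("View events",),
    "View system configuration": (),
    "Manage system configuration": ("View system configuration",),
    "View login accounts and user roles": (),
    "Manage login accounts": ("View login accounts and user roles",),
    "Manage user roles and mappings": ("View login accounts and user roles",),
    "Use Unified Management": (),
    "Configure Unified Management": ("Use Unified Management",),
}

# Permissions the page warns must stay on the built-in Administrator role,
# because removing them leaves no normal way to restore account/role access.
ADMIN_RECOVERY_CRITICAL = frozenset({
    "View login accounts and user roles",
    "Manage login accounts",
    "Manage user roles and mappings",
})


def dependents_of(permission: str) -> set[str]:
    """All permissions that directly or transitively depend on `permission`."""
    result: set[str] = set()
    frontier = [permission]
    while frontier:
        current = frontier.pop()
        for perm, deps in DEPENDENCIES.items():
            if current in deps and perm not in result:
                result.add(perm)
                frontier.append(perm)
    return result


def enable(role: set[str], permission: str) -> set[str]:
    """Return the role with `permission` enabled. Refuses (like the greyed-out
    checkbox in the console) if any dependency is not already enabled."""
    missing = [dep for dep in DEPENDENCIES[permission] if dep not in role]
    if missing:
        raise ValueError(f"cannot enable {permission!r}: requires {missing}")
    return role | {permission}


def disable(role: set[str], permission: str) -> tuple[set[str], set[str]]:
    """Return (new role, cascade-disabled permissions). Disabling a permission
    also disables every enabled permission that depends on it."""
    cascaded = dependents_of(permission) & role
    return role - cascaded - {permission}, cascaded


def audit_role(name: str, role: set[str]) -> list[str]:
    """Defensive checks drawn from the notes on this page."""
    findings: list[str] = []
    for perm in sorted(role):
        for dep in DEPENDENCIES.get(perm, ()):
            if dep not in role:
                findings.append(f"{name}: {perm!r} is enabled without its dependency {dep!r}")
    if name == "Administrator":
        for perm in sorted(ADMIN_RECOVERY_CRITICAL - role):
            findings.append(f"{name}: missing {perm!r}; restoring access would need special recovery commands")
    if "View process command lines" in role:
        findings.append(f"{name}: 'View process command lines' exposes command lines that may contain passwords; confirm it is required")
    return findings


if __name__ == "__main__":
    analyst = {"View computers", "Manage computers", "Change advanced options"}
    analyst, cascaded = disable(analyst, "View computers")
    print("cascade-disabled:", sorted(cascaded))   # both Manage/Change advanced
    for finding in audit_role("Administrator", {"View system configuration"}):
        print(finding)
```

Run it as a script to see the cascade and the Administrator audit; the same functions can be fed a role exported from the console before the change is saved.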