On the Add/Edit Role page, the Permissions table shows the capabilities that can be enabled or disabled for members of the role – items that are checked are enabled and items that are not checked are disabled.
You can customize permissions to achieve exactly the level of access you want for a role.
For the most part, permissions can be divided into two categories: view permissions that allow you to see a particular page or dialog in the console, and manage permissions that allow you to create, edit, and delete managed assets, rules, and console users. Some permissions depend on others – you cannot manage something unless you can see it. If you disable View system configuration, for example, Manage system configuration is automatically disabled as well.
Checkboxes for permissions that depend upon other permissions are gray (instead of white) when they are not enabled. In addition, permissions that depend upon other permissions are indented to make the relationship between them clearer.
The Scope column indicates whether a permission is global or policy-specific. Policy-specific permissions are affected by your choice in the Scope of Policy Permissions section of the Add/Edit User Role page.
- Carefully consider any permissions changes you make, especially to the built-in Administrator role. In particular, avoid removing permissions to view and manage user accounts and roles from the Administrator role since this will make it impossible to restore access to these features without the use of special recovery commands.
- The console user interface, including pages, menus, and links, is documented on the assumption that the user has full administrative permissions. Any permission that is turned off removes the related user interface elements. Consider making users with restricted permissions aware of this so that they are not confused by the absence of features described in Carbon Black App Control help.
User Role Permission Settings
In the table below, each permission is described and the dependencies for each permission are listed.
| Asset | Permission Name | Scope | Dependencies | Description |
|---|---|---|---|---|
| Computers | View computers | Policy | None | Ability to view computer pages. |
| Computers | Temporary assign computers | Policy | View computers | Ability to generate temporary Enforcement Level override codes. |
| Computers | Manage computers | Policy | View computers | Ability to manually assign computers to policies and change Enforcement Level. Ability to manage template computers. |
| Computers | Change advanced options | Policy | View computers; Manage computers | Ability to change advanced computer options such as collection of computer diagnostics and re-synchronizing. |
| Files | View files and applications | Policy | None | Ability to view files and applications pages. |
| Files | Manage files | Policy | View files and applications; View policies | Ability to approve, ban, and acknowledge files. Ability to mark files as installers. Note that this does not include the ability to directly change local file state. |
| Files | Change local state | Policy | View files and applications | Ability to change local state of files on computers. |
| Files | Delete files | Policy | View files and applications | Ability to delete files on computers. |
| Devices | View devices | Policy | None | Ability to view device pages. |
| Devices | Manage device rules | Policy | View devices; View policies | Ability to manage device rules. |
| Policies | View policies | Global | None | Ability to view the Policies page. |
| Policies | Manage policies | Policy | View policies | Ability to manage policies (changing mode, Enforcement Level, etc.). |
| Policies | Manage policy mappings | Global | View policies | Ability to manage automatic policy mapping rules. |
| Software Rules | View software rules pages | Global | None | Ability to view Software Rules pages. Also allows viewing of the Event Rules page for servers licensed for Carbon Black App Control Connectors for Network Security Devices. |
| Software Rules | Manage event rules | Global | View software rules pages | Ability to manage event rules. Requires a separate license for the Carbon Black App Control Connectors for Network Security Devices. Note: some event rules require other permissions for the actions they specify, such as file upload and analysis and file approval. |
| Software Rules | Manage trusted directories | Global | View software rules pages | Ability to manage trusted directories. |
| Software Rules | Manage publisher rules | Policy | View policies; View software rules pages | Ability to manage trusted publishers. |
| Software Rules | Manage trusted users | Global | View software rules pages | Ability to manage trusted users. |
| Software Rules | Manage custom/registry/memory rules | Policy | View policies; View software rules pages | Ability to manage custom, registry, and memory rules. |
| Software Rules | Manage Updaters and Rapid Configs | Global | View software rules pages | Ability to enable, disable, add, and view details of software updaters and configurations for applications, and to modify configurations. |
| Software Rules | Manage custom scripts | Global | View software rules pages | Ability to manage custom definitions of what the Carbon Black App Control Server treats as scripts. |
| Software Rules | Manage indicator sets | Policy | View policies; View software rules pages | Ability to enable, disable, and create exceptions for indicator sets used in advanced detection. |
| Reports | View events | Policy | None | Ability to view event pages. |
| Reports | View server events | Global | View events | Ability to view server events. |
| Reports | View process command lines | Global | View events | Ability to view process command lines for events. Important: command lines may include confidential information such as passwords. This permission is not enabled by default, even for administrator accounts, and should be limited to those who require it. |
| Reports | Manage shared dashboards | Global | None | Ability to manage shared dashboards. |
| Reports | View drift reports and snapshots | Global | None | Ability to view snapshots, drift reports, and drift report results. |
| Reports | Manage drift reports | Global | View drift reports and snapshots | Ability to manage baseline drift reports. |
| Reports | Manage snapshots | Global | View drift reports and snapshots | Ability to manage snapshots used in drift reports. |
| Reports | Manage saved views | Global | None | Ability to manage saved views on all pages. |
| Tools | View alerts | Global | None | Ability to view alert pages. |
| Tools | Manage alerts | Global | View alerts | Ability to manage alerts. |
| Tools | View meters | Global | None | Ability to view meters and meter results. |
| Tools | Manage meters | Global | View meters | Ability to manage meters. |
| Tools | View approval requests | Policy | None | Ability to view user-generated requests for approval of blocked files and justifications of files approved by users. |
| Tools | Manage approval requests | Policy | View approval requests | Ability to manage user-generated requests for approval of blocked files and justifications of files approved by users. |
| Tools | View file uploads | Global | None | Ability to view uploaded files on the Requested Files page. |
| Tools | Manage uploads of inventoried files | Global | View file uploads | Ability to initiate manual file uploads from agent computers, and to create event rules that upload files. This permission applies only to files considered "interesting" (i.e., executables and scripts) by Carbon Black App Control. |
| Tools | Manage uploads of files by pathname | Global | View file uploads | Ability to initiate manual file uploads from agent computers, and to create event rules that upload files. This permission applies to all files on agent computers, even if they are not in the Carbon Black App Control inventory. |
| Tools | Access uploaded files | Global | View file uploads | Ability to download files that have been uploaded to the server. |
| Tools | Submit files for analysis | Global | View file uploads | Ability to submit files for analysis by network security devices, either manually or through creation of an event rule. Requires a separate license for the Carbon Black App Control Connectors for Network Security Devices, unless implemented through the API. |
| Notifiers | View notifiers | Global | None | Ability to view the details of blocked file notifiers. |
| Notifiers | Manage notifiers | Global | View notifiers | Ability to edit blocked file notifiers or create new ones. |
| Analytics | View external analytics reports | Global | None | Ability to view and use links from the console to external analytics reports (if external analytics is enabled and configured). |
| Administration | View system configuration | Global | None | Ability to view system configuration pages. |
| Administration | Manage system configuration | Global | View system configuration | Ability to manage system configuration; this includes uploading agent and rule packages to the server. |
| Administration | View login accounts and user roles | Global | None | Ability to view login accounts and user roles for accounts. |
| Administration | Manage login accounts | Global | View login accounts and user roles | Ability to manage login accounts. |
| Administration | Manage user roles and mappings | Global | View login accounts and user roles | Ability to manage user roles. |
| Administration | Local login override | Global | None | Ability to log in with a local (App Control) account when SAML logins are enabled. You can also enable this feature on the System Configuration page for SAML logins. |
| Administration | View System Health Indicators | Global | None | Ability to view the system health page and system health alerts. |
| Administration | Extend connectors through API | Global | None | Ability to register and unregister connectors with the Carbon Black App Control Server through APIs so that they can send notifications and (if part of their feature set) analyze files. |
| Administration | Use Unified Management | Global | None | Ability to use Unified Management features on multiple servers. |
| Administration | Configure Unified Management | Global | Use Unified Management | Ability to configure Unified Management (enable and disable, add and delete servers). This permission is built in to the Administrator (Unified Management) role and cannot be added to any other role. |
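To make the dependency cascade and the Administrator-role warning above concrete, here is an added Python example; it is not code from the Carbon Black App Control documentation or product. It encodes a subset of the table as a dependency graph and checks a role definition against the rules stated on this page. The permission names, scopes and dependencies are taken from the table; the function names, the sample role definitions and the warning text are assumptions made for this illustration.

```python
"""Added example (not Carbon Black App Control code): model the permission
dependency rules from the table above and review a role definition.

Assumptions (not from the documentation): the PERMISSIONS structure, the
function names and the sample roles are constructed for this illustration.
"""

# Subset of the permission table: name -> (scope, direct dependencies).
# Constructed from the table above; not an exhaustive copy of it.
PERMISSIONS = {
    "View computers": ("Policy", ()),
    "Temporary assign computers": ("Policy", ("View computers",)),
    "Manage computers": ("Policy", ("View computers",)),
    "Change advanced options": ("Policy", ("View computers", "Manage computers")),
    "View files and applications": ("Policy", ()),
    "View policies": ("Global", ()),
    "Manage files": ("Policy", ("View files and applications", "View policies")),
    "Change local state": ("Policy", ("View files and applications",)),
    "View events": ("Policy", ()),
    "View process command lines": ("Global", ("View events",)),
    "View system configuration": ("Global", ()),
    "Manage system configuration": ("Global", ("View system configuration",)),
    "View login accounts and user roles": ("Global", ()),
    "Manage login accounts": ("Global", ("View login accounts and user roles",)),
    "Manage user roles and mappings": ("Global", ("View login accounts and user roles",)),
}

# Permissions the page warns must never be removed from the built-in
# Administrator role (otherwise account/role access cannot be restored
# from the console).
ADMIN_RECOVERY_PERMISSIONS = frozenset({
    "View login accounts and user roles",
    "Manage login accounts",
    "Manage user roles and mappings",
})


def dependents_of(perm):
    """Return every permission that depends, directly or transitively, on `perm`."""
    found = set()
    stack = [perm]
    while stack:
        current = stack.pop()
        for name, (_scope, deps) in PERMISSIONS.items():
            if current in deps and name not in found:
                found.add(name)
                stack.append(name)
    return found


def disable(enabled, perm):
    """Return a new enabled-set with `perm` and all of its dependents removed.

    This mirrors the console behaviour described above: disabling a view
    permission automatically disables the manage permissions built on it.
    """
    return set(enabled) - {perm} - dependents_of(perm)


def missing_dependencies(enabled):
    """Map each enabled permission to the dependencies it lacks (empty if consistent)."""
    problems = {}
    for perm in enabled:
        _scope, deps = PERMISSIONS.get(perm, ("", ()))
        missing = set(deps) - set(enabled)
        if missing:
            problems[perm] = missing
    return problems


def review_role(name, enabled):
    """Return a list of warnings for a role, based on the notes on this page."""
    warnings = []
    for perm, missing in sorted(missing_dependencies(enabled).items()):
        warnings.append(f"{perm!r} is enabled without its dependencies {sorted(missing)}")
    if name == "Administrator":
        lost = ADMIN_RECOVERY_PERMISSIONS - set(enabled)
        if lost:
            warnings.append(f"Administrator role is missing recovery permissions {sorted(lost)}")
    if "View process command lines" in enabled:
        warnings.append("'View process command lines' exposes command-line arguments "
                        "(possibly passwords); confirm this role requires it")
    return warnings


if __name__ == "__main__":
    # Constructed sample role: a helpdesk role that can manage computers.
    helpdesk = {"View computers", "Manage computers", "Change advanced options", "View events"}
    print(sorted(disable(helpdesk, "View computers")))  # ['View events']

    # Constructed sample: an Administrator role edited to drop role management.
    admin = set(PERMISSIONS) - {"Manage user roles and mappings"}
    for warning in review_role("Administrator", admin):
        print("WARNING:", warning)
```

The `disable` function reproduces what the console does when you clear a parent checkbox; `review_role` is the check you would run over role definitions exported or scripted outside the console, where the console's greying-out and automatic cascade do not protect you.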