Each user of the Carbon Black App Control Console has one or more user roles. A user role is a collection of permissions, each of which allows the user to view specified information or manage specified actions in the console. Usually, these permissions map to specific pages in the console.

For a permission that involves information about or actions affecting agent-managed computers, a role can be configured to restrict permissions to specified policies.

You can create as many role- and policy-specific permission sets as you need. Once roles are created, you can assign or remove them as needed, giving each user just the permissions they need at any time. You can make these assignments manually or use AD-mapping for automatic role assignment.

Note: For example, your organization might divide responsibility for IT support or security so that different people support different types of computers (desktops, servers, point-of-sale systems, etc.). However, you might divide responsibilities by region. With role-based access and policy definitions, you can configure Carbon Black App Control user accounts so that their privileges apply only to those computers they are responsible for. In addition, you can define the level of access each user has to Carbon Black App Control features, limiting some user to viewing information while allowing others to create and modify rules, configurations, and other Carbon Black App Control resources.

For user accounts created in the console, roles are assigned on the Add Login Account page and can be changed on the Edit Login Account page. The following table summarizes the default privileges for the built-in User Roles:

Table 1. Built-in User Roles and their default capabilities

User Role

Capabilities Summary

Administrator (Unified Management)

Access to all features. This is the only role that has permission to configure Unified Management. This permission cannot be added to any other role.


Access to almost all features; does not enable permission to:

  • Manage uploads (any type) or access uploaded files
  • Extend connectors through API
  • View process command lines
  • Use (or configure) Unified Management

Can add or remove privileges from any user, including itself.


  • Access to most features.

    Does not enable permission to:

  • View process command lines
  • View (or manage) file uploads (or access uploaded files)
  • Manage system configuration
  • Manage login accounts (can view their own account)
  • Manage user roles and mappings
  • Extend connectors through API
  • Use (or configure) Unified Management


View-only access to information on most table, report, and details pages; does not enable permission to:

  • View process command lines
  • View approval requests
  • View file uploads
  • View system configuration
  • View login accounts and user roles
  • View system health indicators
  • View certain advanced details on Computer Details page (Policy Override tab, CLI command )

ReadOnly users can make the following modifications:

  • Can create personal dashboards with existing portlets only.
  • Can modify their own password and page view defaults through the User Settings interface.

User (Unified Management)

All permissions for a ReadOnly user plus can use Unified Management features.

Built-in user roles cannot be deleted, but the privileges of the Administrator, PowerUser and ReadOnly roles can be edited to enable or disable access to features. In addition, the roles themselves can be disabled.

Administrators can create new user roles with custom privileges (including the ability to create accounts and roles). See Managing Console User Roles for instructions on creating user roles and customizing account privileges.