Using and Creating Roles for Containers

Every Carbon Black Cloud console user is assigned to a role that defines permissions. The role is assigned when you create the new user account; this assignment can be modified at any time.

Carbon Black Cloud includes four Kubernetes-related pre-defined roles that you can assign to users (or you can create custom roles: see Add a Container Role.

Kubernetes SecOps View Only
Kubernetes SecOps
Kubernetes DevOps
Kubernetes Security Developer

Kubernetes Security DevOps are responsible for the Kubernetes workload posture. Responsibilities include setting up clusters, scopes, and security policies for Kubernetes workloads. Security DevOps can monitor the health of the Kubernetes environment, investigate workloads and violations, and take appropriate actions.

Role Definitions and Recommendations

The following table describes Carbon Black Cloud permissions and recommendations for user roles for Containers.

Table 1. User Roles/Permissions Matrix - by Role
Role	Description	Permissions	Workflow
Kubernetes SecOps View Only	Monitors environment. Cannot take any actions.	View Notifications View Kubernetes Security View Images View Workloads	N/A
Kubernetes SecOps	Assess and control the workload’s attack surface from build to runtime. Focus on detecting, responding to, and preventing container runtime threads —can quickly detect runtime threads. This role is appropriate for SOC Analysts.	Dismiss Alerts View and Manage Alerts, Notes, and Tags View and Manage Notifications View and Manage API Keys Manage Users View and Manage Kubernetes Security View Images Manage Image Exceptions	Monitor and analyze Containers. See . Take action and remediate security issues. See . Triage alerts. See .
Kubernetes DevOps	Assess and control the workload’s attack surface from build to runtime. Troubleshooting and remediation of security issues. Responsible for determining the Kubernetes workload posture. Responsibilities include setting up Kubernetes policies, scopes, and clusters in the Carbon Black Cloud console. Security DevOps can monitor the health of the Kubernetes environment, investigate workloads and violations, and take appropriate actions.	Dismiss Alerts View and Manage Notifications View and Manage API Keys Manage Users View and Manage Kubernetes Security View Images Manage Image Exceptions	Set up user roles and manage users. See Roles and Users for Containers. Add clusters to the console and install Kubernetes Sensors. See Adding Clusters and Installing Kubernetes Sensors. Configure Containers. See . Monitor and analyze Containers. See . Triage alerts. See . Take action and remediate security issues. See .
Kubernetes Security Developer	Inspects a single container for security posture and compliance.	View and Manage Kubernetes Security View Images Manage Image Exceptions	Monitor and analyze Kubernetes workloads. See . Triage alerts. See .