Every Carbon Black Cloud user is assigned a role. User roles contain varying sets of permissions that specify available views and actions.

There are two kinds of user roles: pre-defined, built-in roles that Carbon Black Cloud supplies, and custom roles that you create. This section describes these roles and how to manage them.

Note: You can also manage roles using the User Management API.

Pre-defined Built-in Roles

The Carbon Black Cloud console comes with the following pre-defined, built-in roles to assign to your users.For a list and description of Kubernetes roles, see Using and Creating Roles for Containers.

Role Description
View All Views pages, exports data, and adds notes and tags. This role is suitable for new users or users in an oversight capacity.

Permissions include:

  • View dashboard data
  • Investigate alerts and view analysis
  • View endpoints, workloads, policies, reputations
Level 1 Analyst Triages alerts and places assets in or out of quarantine.

Permissions include:

  • View and quarantine devices
  • Analyze and dismiss alerts
  • Provide determination feedback
Note: Providing determination feedback is available for Carbon Black XDR and Carbon Black Cloud Enterprise EDR customers only.
Level 2 Analyst Initiates Live Response sessions to effect change on files and registry entries.

Users can also effect change on endpoints or workloads through Live Response, file deletion, and quarantine.

Permissions include all Analyst 1 permissions in addition to:

  • Manage background scans
  • Delete hashes from endpoints or workloads
Level 3 Analyst Manages applications and certificates and uses all Live Response features, including process execution, memory dump, and removal from endpoints.

Permissions include all Analyst 2 permissions in addition to:

  • Live Query access
  • Live Response access
  • Approve/Ban applications
  • Manage trusted certs
System Admin Users are responsible for daily admin activities including adding users, managing sensors, and enabling bypass. Users in this role cannot change global settings, delete files, or use Live Response.
Super Admin

Users have all permissions, including console setup and configuration, Live Response, and policy management, API keys, and group rules.
Table 1. Built-in Legacy Roles
Role Description
View Only - Legacy View only; cannot take actions.
Live Response Admin - Legacy Live Response Admin. Full administrator rights; can view and take action on alerts, and use Live Response to remediate issues on endpoints or workloads.
Admin - Legacy Full administrator rights; can view and take action on alerts and use Live Response to remediate issues on endpoints or workloads.
Note: Legacy roles are currently available but will eventually be phased out.

Custom Roles

If the pre-defined, built-in roles do not satisfy your requirements, you can create custom roles and define specific permissions for those roles. See Add a Custom Role