This topic describes the roles you can assign to a team for each sensor group.
Analyst – This role allows the user to monitor and respond to suspicious or malicious activity on endpoints in sensor groups for which the user has the role.
Analysts can be given additional, enhanced privileges on a per-user basis so that they can use special features. See Adding Enhanced Permissions for Analysts.
Unless they are Global Administrators, Analysts do not have access to data or functions for managing the server itself, such as managing users and teams, viewing and changing server settings (including sharing settings), and viewing the server dashboard.
Viewer – This role allows the user to access information, including suspicious or malicious activity, on endpoints in sensor groups for which the user has the role.
Unless they are Global Administrators, Viewers cannot access Live Response (Go Live), investigations, sensor isolation or file banning. They also cannot access server management functions.
No Access – This role gives the user no access to information or management functions for the specified sensor groups. If the user does not have any higher role for any team, the only page available to them is My profile.
Some access control is applied on the page level – for example, certain pages are only visible to Global Administrators or Administrators. In other cases, access control determines the data that appears on a page and the actions that can be taken there. If users enter a URL for a page they do not have permission to view, they are redirected to the HUD page.
The following table provides more detail about privileges and access types that are available for each role.
| Feature or Page | Permissions by Role |
| --- | --- |
| Server Dashboard | Only available to Carbon Black EDR Global Administrator or Carbon Black Hosted EDR Administrator. |
| Sensors | Viewer: Can view tables and details of sensors in sensor groups for which the user has Viewer access.<br>Analyst: Can perform actions on sensors in sensor groups for which the user has Analyst access. Additional enhanced user permissions are necessary for isolating and uninstalling sensors and using Live Response.<br>Analysts can also move sensors between sensor groups if they are Analysts for both the source and destination sensor groups. |
| Sensor Groups | Viewer: Can view tables and details of sensor groups for which the user has Viewer access.<br>Analyst: Can perform certain actions involving sensor groups for which the user has Analyst access:<br>- Can toggle tamper detection if the user also has enhanced permissions for tamper levels.<br>- Can toggle process banning if the user also has enhanced permissions for process banning.<br>- Can edit other General, Sharing, Advanced, Event Collection, and Upgrade Policy settings for the group.<br>An Analyst cannot add or delete a sensor group. |
| Uninstall Sensors | Viewer: No Access.<br>Analyst: Can uninstall sensors from the console in sensor groups for which the user is an Analyst if the user also has the enhanced permission for uninstalling sensors. |
| Users, Teams and Activity Audit | Only available to Carbon Black EDR Global Administrator or Carbon Black Hosted EDR Administrator. |
| Tamper Level | Viewer: No Access.<br>Analyst: Can configure tamper settings for sensor groups for which the user is an Analyst if the user also has the enhanced permission for tamper levels. |
| HUD page | Viewer: Can view the page that is filtered to show alerts and sensors in sensor groups for which the user is a Viewer.<br>Analyst: Can take action on alerts. |
| Threat Intel Feeds | Viewer: No Access.<br>Analyst: Can view and modify the page, including enabling and disabling actions on hit (Email Me, Create Alert, or Log to Syslog). |
| Triage Alerts | Viewer: Can view all binary alerts, and can view other alerts in sensor groups for which the user is a Viewer.<br>Analyst: Can view and take action on all binary alerts; can view and take action on other alerts in sensor groups for which the user is an Analyst. |
| Watchlists | Viewer: Can view watchlist results for binary searches and other searches that involve sensor groups for which the user is a Viewer.<br>Analyst: In addition to view access, can add, modify, and delete watchlists, and take actions including enabling and disabling email notification, log to Syslog, and alerts. |
| Process Search | Viewer and Analyst: Can view process search results for sensor groups for which the user has at least Viewer access. |
| Process Analysis | Viewer: Can view process analysis results for sensor groups for which the user has at least Viewer access.<br>Analyst: Can take actions for processes in sensor groups for which the user is an Analyst if the user also has the enhanced permission for that action. Actions include Isolate host, Go Live, and Ban Hash. |
| Binary Search (results) & Analysis (details) | Viewer: Can view all binary search results on the Search Binaries page and also details about one binary (Binary Analysis), regardless of the sensor group of the binary instance.<br>Analyst: Can ban hashes in the search results if the user also has the enhanced permission to ban hashes. |
| Live Response | Viewer: No Access.<br>Analyst: Can use Live Response to access and take actions on the endpoints in sensor groups for which the user is an Analyst if the user also has the enhanced permission for Live Response. |
| Investigations | Viewer: Can view the Investigations page. Actions are limited to Export events to CSV and Export timeline to PNG.<br>Analyst: Can create, delete, and modify investigations. |
| Isolation | Viewer: No Access.<br>Analyst: Can isolate endpoints and restore them from isolation in sensor groups for which the user is an Analyst if the user also has the enhanced permission for isolating sensors. |
| Banned Hashes | Viewer: No Access.<br>Analyst: Can ban hashes and remove bans if the user has the enhanced permission for banning hashes. Not restricted by sensor group. |
| Notifications | Viewer and Analyst: All users can view notifications on the Notifications menu and receive notification emails. |
| Sharing Settings | Only available to Carbon Black EDR Global Administrator or Carbon Black Hosted EDR Administrator. |
| Settings | Only available to Carbon Black EDR Global Administrator or Carbon Black Hosted EDR Administrator. |
| Profile info | All users can view and edit their own profile. |
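The following is an added example, not Carbon Black code or a product API: a small Python model of the rules in the table, which can be used to review who is actually able to perform a response action in each sensor group. The data layout, the action labels, the rule that the highest role across a user's teams applies, and the rule that hash banning requires Analyst in at least one group are assumptions made for illustration.

```python
from enum import IntEnum

class Role(IntEnum):
    NO_ACCESS = 0
    VIEWER = 1
    ANALYST = 2

# Actions the table gates behind a per-user enhanced permission (labels are hypothetical).
ENHANCED = {"live_response", "isolate", "uninstall", "tamper", "process_ban", "ban_hash"}
GROUP_INDEPENDENT = {"ban_hash"}  # "Not restricted by sensor group" in the table

def effective_role(user, teams, group):
    """Highest role any of the user's teams grants for the group (assumed rule)."""
    return max((teams[t].get(group, Role.NO_ACCESS) for t in user["teams"]),
               default=Role.NO_ACCESS)

def can(user, teams, action, group):
    if user.get("global_admin"):
        return True
    if action == "view":
        return effective_role(user, teams, group) >= Role.VIEWER
    if action not in ENHANCED:
        raise ValueError(f"unknown action: {action}")
    if action not in user["enhanced"]:
        return False  # Analyst role alone is not enough for these actions
    if action in GROUP_INDEPENDENT:
        # Assumption: being an Analyst for at least one group is sufficient.
        return any(r == Role.ANALYST for t in user["teams"] for r in teams[t].values())
    return effective_role(user, teams, group) == Role.ANALYST

def audit(users, teams, action):
    """Map each user name to the sensor groups where `action` is permitted."""
    groups = sorted({g for roles in teams.values() for g in roles})
    return {n: [g for g in groups if can(u, teams, action, g)] for n, u in users.items()}

# Constructed sample data, not taken from any real deployment.
TEAMS = {
    "soc-tier1": {"Workstations": Role.ANALYST, "Servers": Role.VIEWER},
    "server-ir": {"Servers": Role.ANALYST},
    "auditors": {"Workstations": Role.VIEWER, "Servers": Role.VIEWER},
}
USERS = {
    "alice": {"teams": ["soc-tier1"], "enhanced": {"live_response", "ban_hash"}},
    "bob": {"teams": ["soc-tier1", "server-ir"], "enhanced": {"isolate"}},
    "carol": {"teams": ["auditors"], "enhanced": set()},
    "root": {"teams": [], "enhanced": set(), "global_admin": True},
}

if __name__ == "__main__":
    for action in ("live_response", "isolate", "ban_hash"):
        print(action, audit(USERS, TEAMS, action))
```

Running the audit for each enhanced action gives a per-user list of sensor groups to compare against the access each person is meant to have.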