
Team Management and Roles

RBAC | Manage permissions

Written by Sergey Bayrachny

Organizations with an Enterprise-level subscription plan initially have 1 or 2 Manager accounts assigned by SOC Prime. Depending on the type of subscription, Managers have access to Basic RBAC or Complete RBAC functionality.

Basic RBAC

The Manager invites and removes users on the Team Management page in Platform Settings.

Team Management

On this page, users with a Manager role can manage the accounts of other users from their organization.

They can do the following:

  • Add team members by sending direct invitations to their emails

  • Assign Roles (sets of permissions) to team members. To view permissions related to a role or create a new role, go to the Roles page

  • Revoke invitation

  • Remove team members

  • Terminate the session of a team member

Note: to see statistics about team members, go to the Dashboard page.

Add Team Members

  1. Click Invite User.

  2. In the modal that appears:

    1. Enter the email address of the person you want to invite. Your email domain and the invited person's domain should be identical.

    2. Click Invite User.

  3. The person will receive an invitation by email, and the status Invited will be displayed in the Status column.

Revoke Invitation

You can revoke an invitation sent to a person if they haven’t registered yet.

  1. Click the three-dot icon next to the selected user.

  2. Select Revoke Invitation.

  3. In the modal that appears, confirm your action.

  4. The invitation will be revoked, and the person will receive an email notification. The status Invitation Revoked will be displayed in the Status column.

Remove Team Members

To remove a user from your team:

  1. Click the three-dot icon next to the selected user.

  2. Choose Deactivate Account.

  3. In the modal that appears, provide a reason for deactivating (this information will be provided to the deactivated user) and click Deactivate Account.

  4. The account will be deactivated. The deactivated user will receive an email notification about deactivation.

Terminate Session

To terminate the session of a user on your team:

  1. Click the three-dot icon next to the selected user.

  2. Choose Terminate Session.

  3. In the modal that appears, confirm your action.

Complete RBAC

Access control on the SOC Prime Platform is managed in the following way:

  • The Manager invites, removes, and assigns roles to users on the Team Management page in Platform Settings

  • The Manager views the privileges of each role and creates new roles on the Roles page in Platform Settings

Team Management

On this page, users with a Manager role can manage the accounts of other users from their organization.

They can do the following:

  • Add team members by sending direct invitations to their emails

  • Assign Roles (sets of permissions) to team members. To view permissions related to a role or create a new role, go to the Roles page

  • Revoke invitation

  • Remove team members

  • Terminate the session of a team member

Note: to see statistics about team members, go to the Dashboard page.

Add Team Members

  1. Click Invite User.

  2. In the modal that appears:

    1. Enter the email address of the person you want to invite. Your email domain and the invited person's domain should be identical.

    2. Select the role to be assigned to them.

    3. Click Invite User.

  3. The person will receive an invitation by email, and the status Invited will be displayed in the Status column.

Revoke Invitation

You can revoke an invitation sent to a person if they haven’t registered yet.

  1. Click the three-dot icon next to the selected user.

  2. Select Revoke Invitation.

  3. In the modal that appears, confirm your action.

  4. The invitation will be revoked, and the person will receive an email notification. The status Invitation Revoked will be displayed in the Status column.

Assign Roles

To assign a role to a user on your team, click the role selection dropdown and select an option. The options include system roles and custom roles (if they were created). To learn more about system roles and creating custom roles, see the Roles section.

You can also set a default role to be assigned to all new users added to your organization.

Notes:

  • You can’t change your own role. Only another user in your organization with the same permissions as yours can change it.

  • An organization has access to Roles only if the complete RBAC is included in the subscription plan. If your plan has basic RBAC, your organization gets 1 or 2 Manager roles assigned by SOC Prime but cannot use system or custom roles.

Remove Team Members

To remove a user from your team:

  1. Click the three-dot icon next to the selected user.

  2. Choose Deactivate Account.

  3. In the modal that appears, provide a reason for deactivating (this information will be provided to the deactivated user) and click Deactivate Account.

  4. The account will be deactivated. The deactivated user will receive an email notification about deactivation.

Terminate Session

To terminate the session of a user on your team:

  1. Click the three-dot icon next to the selected user.

  2. Choose Terminate Session.

  3. In the modal that appears, confirm your action.

Roles

This page lists all the Roles that exist in the current organization.

Roles come in two types:

  • System: default Roles:

    • Manager. Full access to all platform features and can manage other users and their permissions

    • Threat Hunter. Can perform actions with premium content and use reverse translation. Not permitted to set up integration with the organization’s SIEM/XDR for automation features

    • Detection Engineer. Full access to all platform features but can’t manage other users and their permissions

    • Analyst. Can only view & hunt free and unlocked content. Restricted from making any changes or performing actions that could alter the system's configuration or data

  • Custom: roles created by a user with permission to create Roles. They can be created by copying an existing role or from scratch

Note:

The previous permission levels were migrated as follows:

  • View Only → Analyst

  • Can Unlock → Detection Engineer

  • Manager (old) → Manager (new)

Role Configuration

Role configuration lets you define the access permissions described below.

Threat Detection Marketplace

Unlock Content

Permission to unlock Premium rules using your organization's balance across the SOC Prime Platform.

Premium Sigma limit

Optional. The total number of Premium rules all users with this particular role can unlock. Use this parameter if you want to limit the use of your organization's Premium rule balance for a certain group of your users.

Deploy Content

Control if the role can deploy content:

  • Enabled. The role can deploy content from the rule's page in Threat Detection Marketplace, via Uncoder AI, and in Automation as well as run Jobs in Automation

  • Disabled. The role cannot deploy content

Hunt

Control if the role can hunt (drill down to a platform and launch queries on it):

  • Enabled. The role can use the hunting functionality in Threat Detection Marketplace (the Hunt button on the Hunt page and the Search button on the code tab of a rule's page) and Attack Detective

  • Disabled. The role cannot use the hunting functionality

Save Rules to Repo

Control if the role can save (fork, delete) content to a Custom Repository:

  • Enabled. The role can save (fork, delete) content to a Custom Repository

  • Disabled. The role cannot save (fork, delete) content to a Custom Repository

Content Lists

Control the level of the Content Lists permission of a role:

  • View Only. The role can view a Content List and its content, but cannot create, edit, or delete it

  • Create/Edit. The role can create a Content List as well as edit or delete their own Content Lists or Content Lists shared across their team

  • Administration. The role can view, edit, or delete Content Lists of other users on their team including those Content Lists that are not shared

Jobs and Inventory

Control the level of the Jobs and Inventory permission of a role:

  • View Only. The role can view Jobs and Inventory, but cannot create, edit, or delete them

  • Create/Edit. The role can create a Job or Inventory configuration for a Data Plane as well as edit or delete their own Jobs/Inventory configurations or Jobs/Inventory configurations created by other members of their team

Uncoder AI

Reverse Translations

Control if the role can use the reverse translation balance of your organization:

  • Enabled. The role has access to the reverse translation balance

  • Disabled. The role doesn't have access to the reverse translation balance

Platform Settings

Tenants

Control the level of the Tenants permission of a role:

  • View Only. The role can view a Tenant, but cannot create, edit, or delete it

  • Create/Edit. The role can create a Tenant as well as edit or delete their own Tenants or Tenants created by other members of their team

Data Planes

Control the level of the Data Planes permission of a role:

  • View Only. The role can view a Data Plane, but cannot create, edit, or delete it

  • Create/Edit. The role can create a Data Plane as well as edit or delete their own Data Planes or Data Planes shared across their team

  • Administration. The role can view, edit, or delete Data Planes of other users on their team including those Data Planes that are not shared

Repositories

Control the level of the Repositories permission of a role:

  • View Only. The role can view a Repository and its content, but cannot create, edit, or delete it

  • Create/Edit. The role can create a Repository as well as edit or delete their own Repositories or Repositories shared across their team

  • Administration. The role can view, edit, or delete Repositories of other users on their team including those Repositories that are not shared

Integrations

Control the level of the Integrations permission of a role:

  • View Only. The role can view an Integration, but cannot create, edit, or delete it

  • Create/Edit. The role can create an Integration as well as edit or delete their own Integrations or Integrations shared across their team

  • Administration. The role can view, edit, or delete Integrations of other users on their team including those Integrations that are not shared

Custom Field Mapping

Control the level of the Custom Field Mapping permission of a role:

  • View Only. The role can view a Custom Field Mapping profile, but cannot create, edit, or delete it

  • Create/Edit. The role can create a Custom Field Mapping profile as well as edit or delete their own profiles or profiles shared across their team

  • Administration. The role can view, edit, or delete Custom Field Mapping profiles of other users on their team including those profiles that are not shared

Filters

Control the level of the Filters permission of a role:

  • View Only. The role can view a Filter, but cannot create, edit, or delete it

  • Create/Edit. The role can create a Filter as well as edit or delete their own Filters or Filters shared across their team

  • Administration. The role can view, edit, or delete Filters of other users on their team including those Filters that are not shared

Presets

Control the level of the Presets permission of a role:

  • View Only. The role can view a Preset, but cannot create, edit, or delete it

  • Create/Edit. The role can create a Preset as well as edit or delete their own Presets or Presets shared across their team

  • Administration. The role can view, edit, or delete Presets of other users on their team including those Presets that are not shared

Search Profile

Control the level of Search Profile permission of a role:

  • View Only. The role can view a Search Profile, but cannot create, edit, copy, or delete it

  • Create/Edit. The role can create a Search Profile as well as edit, copy, or delete their own Search Profile or a Search Profile shared across their team

  • Administration. The role can view, edit, or delete Search Profiles of other users on their team including those profiles that are not shared
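The View Only, Create/Edit and Administration tiers above all follow one ownership-and-sharing rule, with Tenants and Jobs/Inventory letting Create/Edit cover anything created by a team member. The Python model below is an added example of that evaluation, not SOC Prime code; the user, resource and role structures are assumptions, and the check fails closed on anything it does not recognize.

```python
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    """Permission tiers from the Roles page; a higher tier includes the lower ones."""
    VIEW_ONLY = 1
    CREATE_EDIT = 2
    ADMINISTRATION = 3


@dataclass(frozen=True)
class Resource:
    kind: str      # "Data Plane", "Repository", "Tenant", "Job", ...
    owner: str     # user id of the member who created it
    team: str      # organization the item belongs to
    shared: bool   # shared across the owner's team


@dataclass(frozen=True)
class User:
    uid: str
    team: str
    role: dict     # kind -> Level; a constructed role, not a platform export


# Kinds where the page says Create/Edit also covers items created by other
# team members, not only items explicitly shared with the team.
TEAM_WIDE_EDIT = {"Tenant", "Job", "Inventory"}


def can_create(user: User, kind: str) -> bool:
    """Creating a new item needs at least Create/Edit on that kind."""
    return user.role.get(kind, 0) >= Level.CREATE_EDIT


def can(user: User, action: str, res: Resource) -> bool:
    """Evaluate view/edit/delete on an existing item for this user's role."""
    level = user.role.get(res.kind)
    if level is None or res.team != user.team:
        return False  # no permission on this kind, or another organization
    own_or_shared = res.owner == user.uid or res.shared
    if action == "view":
        # Only Administration sees other members' unshared items
        return own_or_shared or level >= Level.ADMINISTRATION
    if action in ("edit", "delete"):
        if level >= Level.ADMINISTRATION:
            return True
        if level == Level.CREATE_EDIT:
            return own_or_shared or res.kind in TEAM_WIDE_EDIT
        return False  # View Only never edits, even items it can see
    return False      # unknown action: fail closed
```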

API Access

This permission allows users to generate personal API keys and access the API functionality.

SSO Settings

Control if the role can configure and enforce Single Sign-On for your organization:

  • Enabled. The role has access to the Single Sign-On settings

  • Disabled. The role doesn't have access to the Single Sign-On settings

User Management

Permission to invite, remove, and assign roles to users.

Manage User Roles

Permission to create, copy, and remove user roles.

Share repo with SOC Prime

Permission to grant SOC Prime access to custom repositories created by your organization.

Add or Copy a Role

  1. Click the Add Role button on the Roles page or the copy icon next to an existing role.

  2. In the modal that appears, give the Role a name and provide a description. If you're copying an existing Role, don't forget to edit these fields.

  3. Set the permissions according to your needs.

  4. Click the Add Role button.

Once a custom Role is created, you can edit it. System Roles cannot be edited.

Delete a Role

  1. Click the delete icon next to the selected Role.

  2. Confirm the action in the modal that appears.

If a Role is deleted, the users it was assigned to will get the Analyst Role.
