Managing roles and permissions

Basic concepts

Roles

A role is a specific configuration of permissions that is applied to one or more user accounts. A user account is authorized to view or modify certain resources in the console depending on the role assigned to it.

A user account can have only one role assigned. However, a role can be assigned to more than one user account.

A role consists of the following:

  • Role name: This is purely for identification and is assigned when the role is created.

  • Visibility: Restricts access to certain computers on the network.

  • Permission set: Determines the specific actions that the user account can take on computers belonging to groups defined as accessible.

Predefined roles

An Advanced EDR license always has two predefined roles. These roles cannot be edited or deleted. Any user account can be assigned these roles through the web console.

Full Control role

The first user account that is created always has the Full Control role assigned. This account enables you to take all the actions available in the console on the computers added to Advanced EDR.

Read-Only role

This role provides access to all sections of the console, but does not enable you to create, modify, or delete settings profiles, tasks, etc. That is, it provides total visibility of the environment but does not allow you to make any changes. This role is particularly suited for network administrators responsible for monitoring the network, but who do not have enough permissions to take actions such as editing settings profiles or launching on-demand scans.

Permission

A permission controls access to a specific section of the management console. There are different types of permissions that provide access to many sections of the Advanced EDR console. A specific configuration of all available permissions makes up a role, which can be assigned to one or more user accounts.

Visibility

Each user account enables you to configure the security of a subset of computers from all the computers added to the Advanced EDR console. This is determined by the account visibility.

Creating a role

Add role page

  • Select the Settings menu at the top of the console. Select Users from the side menu. A page opens that shows a list of all created users.

  • Select the Roles tab. Select Add. The Add roles page opens.

  • Enter a name for the role (1) and, optionally, a description (2).

  • Specify the visibility for the role (3).

  • Enable or disable permissions (4).

  • Click Save (5).

Limitations when creating users and roles

To prevent privilege escalation problems, users with the Manage users and roles permission assigned have the following limitations when it comes to creating new roles or assigning roles to existing users:

  • A user account can create new roles only with the same or lower permissions than its own.

  • A user account can edit only the same permissions as its own in existing roles. All other permissions remain disabled.

  • A user account can assign only roles with the same or lower permissions than its own.

  • A user account can copy only roles with the same or lower permissions than its own.
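The four limitations above can be expressed as set comparisons, which is useful when reviewing an exported list of roles and assignments. The following is an added example, not Advanced EDR code: it assumes a role's permissions can be modeled as a set, reads "same or lower" as "subset", and leaves visibility out. All permission names except Manage users and roles, and all accounts and roles, are constructed.

```python
# Added illustration; permission names other than "Manage users and roles"
# are constructed placeholders, not the console's real permission list.
MANAGE = "Manage users and roles"

def can_create_assign_or_copy(actor_perms, role_perms):
    """Create, assign and copy: the role must hold the same or fewer permissions."""
    actor, role = frozenset(actor_perms), frozenset(role_perms)
    return MANAGE in actor and role <= actor

def can_edit(actor_perms, before, after):
    """Edit: only permissions the actor holds may be switched on or off."""
    actor = frozenset(actor_perms)
    changed = frozenset(before) ^ frozenset(after)  # permissions that were toggled
    return MANAGE in actor and changed <= actor

def audit_assignments(users, roles, grants):
    """Return (grantor, grantee, role) triples that break the assign rule.

    users:  {account: role name}  (an account has exactly one role)
    roles:  {role name: set of permissions}
    grants: [(grantor account, grantee account, role name)]
    """
    violations = []
    for grantor, grantee, role in grants:
        if not can_create_assign_or_copy(roles[users[grantor]], roles[role]):
            violations.append((grantor, grantee, role))
    return violations

# Constructed sample data.
ROLES = {
    "Helpdesk lead": {MANAGE, "perm-view-detections"},
    "Responder": {"perm-view-detections", "perm-isolate-computers"},
    "Viewer": {"perm-view-detections"},
}
USERS = {"alice": "Helpdesk lead", "bob": "Responder"}
GRANTS = [
    ("alice", "carol", "Viewer"),     # subset of alice's permissions
    ("alice", "dave", "Responder"),   # contains a permission alice lacks
    ("bob", "erin", "Viewer"),        # bob lacks Manage users and roles
]

if __name__ == "__main__":
    for violation in audit_assignments(USERS, ROLES, GRANTS):
        print("violation:", violation)
```

The edit check differs from the other three: an account may open a role that holds permissions it lacks, but only the permissions it also holds can change.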

Deleting a role

  • Select the Settings menu at the top of the console. Select Users from the side menu.

  • Select the Roles tab. A list appears that shows all created roles.

  • Click the icon of a role to delete it. If the role you are trying to delete has user accounts assigned, the delete operation is canceled.

Copying a role

  • Select the Settings menu at the top of the console. Select Users from the side menu.

  • Select the Roles tab. A list appears that shows all created roles.

  • Click the icon of a role to copy it. The Copy role page opens. This page shows the settings of the copied role.

  • Modify the role settings. Click Save.

Modifying a role

  • Select the Settings menu at the top of the console. Select Users in the side menu.

  • Select the Roles tab. A list appears that shows all created roles.

  • Click the role you want to edit. The Edit role page opens.

  • Modify the role settings. Click Save.