Understanding permissions

Manage users and roles

  • Enabled: The account user can create, delete, and edit user accounts and roles.

  • Disabled: The account user cannot create, delete, or edit user accounts or roles. The user can view registered users and account details, but not the list of roles created.

Assign licenses

  • Enabled: The account user can assign and remove licenses for the managed computers.

  • Disabled: The account user cannot assign or remove licenses, but can see whether computers have licenses assigned.

Modify computer tree

  • Enabled: The account user has full access to the group tree, and can create and delete groups, as well as moving computers to groups already created.

  • Enabled with permission conflict: Because settings profiles are inherited through the computer tree, any change to the tree structure can change the settings profiles assigned to the affected devices. For example, if an administrator who does not have permission to assign settings profiles moves a computer from one group to another, the web console shows a warning indicating that, because of the move and the inheritance mechanism, the settings profiles assigned to the moved computer might have changed, even though the administrator cannot assign settings profiles directly. See section Manual and automatic assignment of settings profiles.

  • Disabled: The account user can view the group tree and the settings profiles assigned to each group, but cannot create new groups or move computers.
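The inheritance conflict described above is worth seeing in code, because it means a role with Modify computer tree but without Configure security can still change which security profile applies to a computer. The following is an added example, not Cytomic's own code: a minimal model of a group tree with inherited profiles, a move operation that enforces the Modify computer tree permission, and the check that raises the "permission conflict" warning when the move changes the effective profile for an actor who cannot assign profiles. The group names, profile names, per-computer override behaviour and the Permissions flags are all constructed assumptions for illustration.

```python
"""
Added example (not Cytomic's own code): models how profile inheritance in the
computer tree lets a tree move change a computer's effective settings profile,
and flags the case where the acting user lacks the permission to assign profiles.
All names and the override semantics below are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Group:
    name: str
    parent: Optional["Group"] = None
    # Profile explicitly assigned to this group; None means inherit from parent.
    assigned_profile: Optional[str] = None


@dataclass
class Computer:
    name: str
    group: Group
    # Assumption: a manual per-computer assignment overrides group inheritance.
    assigned_profile: Optional[str] = None


@dataclass
class Permissions:
    modify_computer_tree: bool = False
    configure_security: bool = False  # "Configure security for workstations and servers"


class PermissionDenied(Exception):
    pass


def effective_profile(computer: Computer) -> Optional[str]:
    """Resolve the profile that actually applies: the computer's own assignment
    if it has one, otherwise the nearest ancestor group with an assignment."""
    if computer.assigned_profile is not None:
        return computer.assigned_profile
    group = computer.group
    while group is not None:
        if group.assigned_profile is not None:
            return group.assigned_profile
        group = group.parent
    return None


def move_computer(actor: Permissions, computer: Computer, target: Group) -> dict:
    """Move a computer to another group, enforcing 'Modify computer tree'.

    Returns a record of the effective profile before and after the move and a
    permission_conflict flag: True when the move changed the effective profile
    and the actor is not allowed to assign security profiles directly. That is
    the situation in which the console shows its warning."""
    if not actor.modify_computer_tree:
        raise PermissionDenied("Modify computer tree is disabled for this user")
    before = effective_profile(computer)
    computer.group = target
    after = effective_profile(computer)
    changed = before != after
    return {
        "before": before,
        "after": after,
        "changed": changed,
        "permission_conflict": changed and not actor.configure_security,
    }


def demo() -> dict:
    """Constructed tree: Workstations inherits the root profile, Servers has its
    own hardened profile. Moving ws-01 into Servers swaps its effective profile
    even though the actor cannot assign profiles."""
    root = Group("All", assigned_profile="Default security")
    workstations = Group("Workstations", parent=root)
    servers = Group("Servers", parent=root, assigned_profile="Hardened servers")
    ws01 = Computer("ws-01", workstations)
    actor = Permissions(modify_computer_tree=True, configure_security=False)
    return move_computer(actor, ws01, servers)


if __name__ == "__main__":
    print(demo())
```

The practical takeaway is that an authorization review of a role cannot treat Modify computer tree as a harmless structural permission: combined with a tree whose groups carry different profiles, it is an indirect way to change a computer's security settings, which is exactly why the console warns rather than silently applying the inherited profile.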

Add, discover, and delete computers

  • Enabled: The account user can deploy the installer to computers on the network and add them to the console. They can also delete computers from the console and configure all aspects related to the discovery of unmanaged computers: assign and revoke the discovery computer role, edit discovery settings, launch an immediate discovery task, and install the Cytomic agent remotely from the list of discovered computers.

  • Disabled: The account user cannot download the installer, nor deploy it to computers on the network. Neither can the user delete computers from the console or access the computer discovery feature.

Modify network settings (proxies and cache)

  • Enabled: The account user can create new network settings profiles, edit or delete existing ones, and assign them to computers in the console.

  • Disabled: The account user cannot create new network settings profiles, nor delete existing ones. Neither can the user change the computers these settings profiles are assigned to.

Configure per-computer settings (updates, passwords, etc.)

  • Enabled: The account user can create new per-computer settings profiles, edit or delete existing ones, and assign them to computers in the console.

  • Disabled: The account user cannot create new per-computer settings profiles, nor edit or delete existing ones. Neither can the user change the computers these settings profiles are assigned to.

Configure remote control

  • Enabled: The account user can configure remote access to Windows devices. This permission is assigned from the Cytomic console and is executed from Cytomic Orion.

  • Disabled: The Windows computers on the network cannot be remotely managed from the Cytomic Orion web console.

Remote computer control

  • Enabled: The account user can remotely access the Windows computers on the network they have permissions on.

  • Disabled: The account user cannot remotely access computers on the network.

Restart and repair computers

  • Enabled: The account user can restart workstations and servers from computer lists. They can also remotely reinstall the Advanced EDR software on Windows computers.

  • Disabled: The account user cannot restart computers or remotely reinstall the Advanced EDR software.

Isolate computers

  • Enabled: The account user can isolate and deisolate Windows and macOS computers.

  • Disabled: The account user cannot isolate computers.

Configure security for workstations and servers

  • Enabled: The account user can create, edit, delete, and assign security settings profiles for workstations and servers.

  • Disabled: The account user cannot create, edit, delete, or assign security settings profiles for workstations and servers.

If you disable this permission, the View security settings for workstations and servers permission appears.

View security settings for workstations and servers

This permission is accessible only if you disable the Configure security for workstations and servers permission.

  • Enabled: The account user can only view the security settings profiles created, as well as the settings profiles assigned to a computer or group.

  • Disabled: The account user cannot view the security settings profiles created nor access the settings profiles assigned to computers.

View detections and threats

  • Enabled: The account user can access the widgets and lists available on the Security dashboard accessible from the Status top menu, as well as creating new lists with custom filters.

  • Disabled: The account user cannot access the widgets and lists available on the Security dashboard accessible from the Status top menu, nor create new lists with custom filters.

Access to the features related to the exclusion and unblocking of threats and unknown items is governed by the Exclude threats temporarily (malware, PUPs, and blocked items) permission.

Disinfect

  • Enabled: The account user can create, edit, and delete scan and disinfection tasks.

  • Disabled: The account user cannot create new scan and disinfection tasks, nor edit or delete existing ones. The user can only view those tasks and their settings.

Search for and manage IOCs

  • Enabled: The account user can access the import, export, delete, and search options of the IOC gallery section.

  • Disabled: The account user cannot access the import, export, delete, or search options of the IOC gallery section.

Exclude threats temporarily (malware, PUPs, and blocked items)

  • Enabled: The account user can block/unblock and exclude/allow all types of items in the process of classification (malware, PUPs, and unknown items).

  • Disabled: The account user cannot block/unblock or exclude/allow malware, PUPs, or unknown items in the process of classification.

The Exclude threats temporarily (malware, PUPs, and blocked items) permission can be enabled only if the View detections and threats permission is also enabled.

Configure patch management

  • Enabled: The account user can create, edit, delete, and assign patch management settings profiles to Windows, macOS, and Linux computers.

  • Disabled: The account user cannot create, edit, delete, or assign patch management settings profiles to Windows, macOS, or Linux computers.

If you disable this permission, the View patch management settings permission appears.

View patch management settings

This permission is accessible only if you disable the Configure patch management permission.

  • Enabled: The account user can only view the patch management settings profiles created as well as the settings profiles assigned to a computer or group.

  • Disabled: The account user cannot view the patch management settings profiles created or assigned to a computer or group.

Install, uninstall, and exclude patches

  • Enabled: The account user can create patch installation, uninstallation, and exclusion tasks, and access these lists: Available patches, End-of-Life programs, Installation history, and Excluded patches.

  • Disabled: The account user cannot create patch installation, uninstallation, or exclusion tasks.

View available patches

This permission is accessible only if you disable the Install, uninstall, and exclude patches permission.

  • Enabled: The account user can access the following lists: Patch management status, Available patches, End-Of-Life programs, and Installation history.

  • Disabled: The account user cannot access these lists: Patch management status, Available patches, End-Of-Life programs, or Installation history.

Configure vulnerability assessment

  • Enabled: The account user can create, edit, delete, and assign vulnerability assessment settings profiles to Windows, macOS, and Linux computers.

  • Disabled: The account user cannot create, edit, delete, or assign vulnerability assessment settings profiles to Windows, macOS, or Linux computers.

If you disable this permission, the View vulnerability assessment settings permission appears.

View vulnerability assessment settings

This permission is accessible only if you disable the Configure vulnerability assessment permission.

  • Enabled: The account user can only view the vulnerability assessment settings profiles created as well as the settings profiles assigned to computers or groups.

  • Disabled: The account user cannot view the vulnerability assessment settings profiles created, nor access the settings profiles assigned to computers.

View available patches

This permission is accessible only if you disable the Configure patch management permission.

  • Enabled: The account user can access the following lists: Vulnerability assessment status, Available patches by computers, and End-of-Life programs.

  • Disabled: The account user cannot access these lists: Vulnerability assessment status, Available patches by computers, or End-of-Life programs.

Configure program blocking

  • Enabled: The account user can create, edit, delete, and assign program blocking settings profiles to Windows workstations and servers.

  • Disabled: The account user cannot create, edit, delete, or assign program blocking settings profiles to Windows workstations and servers.

If you disable this permission, the View program blocking settings permission appears.

View program blocking settings

This permission is accessible only if you disable the Configure program blocking permission.

  • Enabled: The account user can only view the program blocking settings profiles created, as well as the settings profiles assigned to computers or groups.

  • Disabled: The account user cannot view the program blocking settings profiles created nor access the settings profiles assigned to computers.

Configure authorized software

  • Enabled: The account user can create, edit, delete, and assign authorized software settings profiles to Windows workstations and servers.

  • Disabled: The account user cannot create, edit, delete, or assign authorized software settings profiles to Windows workstations and servers.

If you disable this permission, the View authorized software settings permission appears.

View authorized software settings

This permission is accessible only if you disable the Configure authorized software permission.

  • Enabled: The account user can only view the authorized software settings profiles created, as well as the settings profiles assigned to a computer or group.

  • Disabled: The account user cannot view the authorized software settings profiles created, nor access the settings profiles assigned to computers on the network.

Configure indicators of attack (IOA)

  • Enabled: The account user can create, edit, delete, and assign indicators of attack (IOA) settings profiles.

  • Disabled: The account user cannot create, edit, delete, or assign indicators of attack (IOA) settings profiles.

If you disable this permission, the View indicators of attack (IOA) settings permission appears.

View indicators of attack (IOA) settings

This permission is accessible only if you disable the Configure indicators of attack (IOA) permission.

  • Enabled: The account user can only view the indicators of attack (IOA) settings profiles created, as well as the settings profiles assigned to computers or groups.

  • Disabled: The account user cannot view the indicators of attack (IOA) settings profiles created nor access the settings profiles assigned to computers.

Configure Cytomic Data Watch

  • Enabled: The account user can create, edit, delete, and assign Cytomic Data Watch settings profiles to Windows computers.

  • Disabled: The account user cannot create, edit, delete, or assign Cytomic Data Watch settings profiles to Windows computers.

View Cytomic Data Watch settings

This permission is accessible only if you disable the Configure Cytomic Data Watch permission.

  • Enabled: The account user can only view the Cytomic Data Watch settings profiles created, as well as the settings profiles assigned to computers or groups.

  • Disabled: The account user cannot view the Cytomic Data Watch settings profiles created, nor access the settings profiles assigned to computers on the network.

Search for data on computers

  • Enabled: The account user can access the Searches widget to search for files by their name and content across the corporate network.

  • Disabled: The account user cannot access the Searches widget.

View personal data inventory

  • Enabled: The account user can access these lists: Files with personal data and Computers with personal data, and these widgets: Files with personal data, Computers with personal data, and Files by personal data type.

  • Disabled: The account user cannot access these lists: Files with personal data or Computers with personal data, or these widgets: Files with personal data, Computers with personal data, or Files by personal data type.

Delete and restore files

  • Enabled: The account user can access the Delete option from the context menu available on the Files with personal data list to delete and restore files.

  • Disabled: The account user cannot access the Delete option from the context menu available on the Files with personal data list. The user cannot delete or restore files.

Configure computer encryption

  • Enabled: The account user can create, edit, delete, and assign encryption settings profiles.

  • Disabled: The account user cannot create, edit, delete, or assign encryption settings profiles.

View computer encryption settings

This permission is available only if you disable the Configure computer encryption permission.

  • Enabled: The account user can only view the computer encryption settings profiles created, as well as the encryption settings profiles assigned to computers or groups.

  • Disabled: The account user cannot view the encryption settings profiles created, nor access the encryption settings profiles assigned to computers.

Access recovery keys for encrypted drives

  • Enabled: The account user can view the recovery keys for computers that have storage devices encrypted and managed by Advanced EDR.

  • Disabled: The account user cannot view the recovery keys for computers that have encrypted storage devices.

Access advanced security information

  • Enabled: The account user can access Cytomic Insights (top menu Status, left panel Cytomic Insights). However, the Data Access Control application included in the tool is not visible with this permission.

  • Disabled: The account user cannot access Cytomic Insights.

Access file access information

  • Enabled: The account user can access Cytomic Insights (top menu Status, left panel Cytomic Insights), including the Data Access Control application.

  • Disabled: The account user cannot access Cytomic Insights.

Access advanced Cytomic Data Watch information

  • Enabled: The account user can access the Cytomic Data Watch extended console (from the top menu Status, left panel Cytomic Insights).

  • Disabled: The account user cannot access the Cytomic Data Watch extended console (from the top menu Status, left panel Cytomic Insights).

Configure MDR

  • Enabled: The account user can create, edit, and delete MDR settings profiles for all computers on the network.

  • Disabled: The account user cannot create, edit, or delete MDR settings profiles for all computers on the network.

If you disable this permission, the View MDR settings permission appears.

View MDR settings

This permission is accessible only if you disable the Configure MDR permission.

  • Enabled: The account user can only view MDR settings profiles.

  • Disabled: The account user cannot view MDR settings profiles.