Sharing Investigations
Default ThreatQ Role: Administrative, Maintenance, or Primary Contributor
Custom Role - Action Permissions: Artifact Management - Investigations
You can share an investigation you have created with one or more users as well as set their permission level for the investigation.
Sharing Permission Levels
You can set permission levels for individual users within your organization as well as assign all users to the Viewer role. Options include:
| Permission Level | Description | Notes |
|---|---|---|
| Viewer (Can View) |
User can view the investigation. | You can use the Everybody option to assign the Viewer role to all users. |
| Editor (Can Edit) |
User can view and edit the investigation. | While you can assign multiple users to the Editor role, this must be performed one user at a time. You also cannot assign all users (Everybody group) to the Editor role. |
| Owner (Make Owner) |
Owner User can view, edit, close, and share the investigation with others. |
There can only be one owner for an investigation. If you assign another user as the owner of your investigation, your permissions will automatically be updated to Editor. |
Sharing Status Icon
The Share(d) button displayed depends on your permission level and the sharing status of the investigation.
| Permission Level | Shared with Others? | Share(d) Button |
|---|---|---|
| Owner | No |  |
| Owner, Editor | Yes |  |
| Viewer | Yes |  |
Sharing an Investigation from the Investigations Landing Page
- Navigate to the Investigations landing page and locate the investigation you intend to share.
- Click on the vertical ellipses, located at the top-right of the investigation card, and select Share.
The Sharing window allows you to select the user to which you want to grant access.
- Click the arrow next to the
icon to select the user's permission level.
If you are granting access to all users, you must select the Can View option. You can only assign editing permission to individual users, not to all users.
If you assign owner permissions to another user, your permissions automatically change to editor-level.
- Use the search field to locate and select the user you intend to share the investigation with.
You can also use the Everybody (Public) option. This option grants view-only access to all users.
The user is now listed in the Who has access list.
- Click the Apply button to save the user's permission level.
Sharing an Investigation from the Evidence Board
- Open an investigation and click on the Share button, located to the right of the search, on the Evidence Board.
The Sharing window will open.
- Click the arrow next to the icon to select the user's permission level.
If you are granting access to all users, you must select the Can View option. You can only assign editing permission to individual users, not to all users.
If you assign owner permissions to another user, your permissions automatically change to editor-level.
- Use the search field to locate and select the user you intend to share the investigation with.
You can also use the Everybody (Public) option. This option grants view-only access to all users.
The user is now listed in the Who has access list.
- Click the Apply button to save the user's permission level.
Unsharing an Investigation
You can remove an individual's access if you are the owner of an investigation.
- Access the Sharing window from either the investigation's landing page card or from the Evidence Board.
- Locate the user to remove under the How has Access section and click on the red trashcan located in the right column.
- Click on Apply to save your sharing settings.
Reassigning Ownership when Deleting an Investigation Owner
In the event where an investigation owner's account is deleted from the ThreatQ platform, the administrator performing the delete will alerted that the account selected for deletion is the owner of one or more investigations, data feeds, and data collections. The adminstrator will be prompted to reassign ownership to another user before proceeding with the account deletion.
