Sharing
ThreatQ's sharing functionality allows you to control access to data collections, dashboards, and investigations at the user level or give view-only access to all users. You can assign permissions when you create a data collection, dashboard, or investigation and then update them at any time.
User Permission Levels
You can assign each user one of the following permission levels:
Permission Level | Description
---|---
Owner | By default, the user who creates a data collection, dashboard, or investigation is designated as the owner. However, ownership can be reassigned by the owner at any time. If an owner selects a new owner, the original owner becomes an editor. In addition, if you delete an owner's user record, the system requires you to either reassign ownership to another user or delete the owner's data collections, dashboards, and investigations. Users with owner-level permission can:
Editor | Editors have similar permissions to owners but cannot reassign ownership of or delete the data collection, dashboard, or investigation. In addition, they cannot change owner permissions. Users with editor-level permissions can:
Viewer | Viewers can access the data collection, dashboard, or investigation but cannot change it. In addition, they can view user permissions for data collections and investigations.
Private | If a user creates a data collection, dashboard, or investigation and does not assign permissions to a user or group, only that user (now the owner) can access it.
User Permission Levels and User Roles
Ownership and public viewing permissions are applied to all data collections created before upgrading to version 4.54. Any data collections created by custom integrations (instead of Threat Library) are assigned ownership permissions for the custom integration client, but are not shareable. If you want to manage a data collection used by a custom integration in Threat Library in the future, you must first create it in Threat Library and then reference it in the custom integration.
Default User Roles
A user can assign any permission level to user accounts with the following user roles:
- Maintenance Account
- Administrative Access
- Primary Contributor Access
However, the only permission level a user can assign to a Read Only Access user account is viewer permission.
Custom User Roles
Action permissions defined in a custom user role influence sharing permission options for dashboards, data collections, and investigations:
- If your custom role specifies view-only access to dashboards, you can only be added to a dashboard as a viewer.
- If your custom role specifies view-only access to data collections, you can only be added to a data collection as a viewer.
- If your custom role specifies view-only access to investigations, you can only be added to an investigation as a viewer.
In addition, the Sharing modal lists a view-only icon next to your name and only includes your name in searches with the Viewer filter enabled.
View-Only Permissions for All Users
ThreatQ allows you to assign view-only permissions to all users. To do this, select a permission level of Everybody (Public). This assigns viewer permissions to all users unless they hold user-level permissions that are greater.
For example, if I have editor permissions for the Adversary Hunt data collection and the other users have viewer permissions, then when Bella (the owner) grants Everybody (Public) permissions, I retain my editor permissions. The individual viewers are now grouped together as Everybody (Public) and are no longer listed individually in the Sharing modal's Who has access list.
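The following Python model is an added illustration, not ThreatQ code: it encodes the sharing rules described in this topic (owner above editor above viewer; Everybody (Public) gives every user viewer access unless a higher user-level grant exists; Read Only Access accounts and custom roles with view-only access to an object type can only be viewers; client-credential API access bypasses these levels) and replays the Adversary Hunt scenario above. All function names, the user names, and the treatment of client-credential access as full access are assumptions.

```python
"""Effective sharing permission, modelled after the ThreatQ Sharing topic.

Added illustration, not ThreatQ code. Names and sample users are assumptions.
"""
from enum import IntEnum
from typing import Dict, List, Tuple


class Permission(IntEnum):
    NONE = 0
    VIEWER = 1
    EDITOR = 2
    OWNER = 3


# Default roles named in the topic that may hold any permission level.
FULL_ROLES = {"Maintenance Account", "Administrative Access",
              "Primary Contributor Access"}


def max_assignable(role: str, view_only_custom_role: bool = False) -> Permission:
    """Highest level a user may be granted, given their role.

    view_only_custom_role models a custom role whose action permissions give
    view-only access to this object type (dashboard, data collection or
    investigation); such users can only be added as viewers.
    """
    if role == "Read Only Access" or view_only_custom_role:
        return Permission.VIEWER
    # Assumption: any other role (the three full roles, or a custom role
    # without a view-only restriction) may hold up to owner.
    return Permission.OWNER


def grant(acl: Dict[str, Permission], user: str, level: Permission,
          role: str, view_only_custom_role: bool = False) -> None:
    """Add a user-level grant, refusing levels the user's role cannot hold."""
    cap = max_assignable(role, view_only_custom_role)
    if level > cap:
        raise PermissionError(f"{user} ({role}) may be at most {cap.name}")
    acl[user] = level


def effective(acl: Dict[str, Permission], public: bool, user: str,
              client_credentials: bool = False) -> Permission:
    """Resolve what `user` can do on the object.

    client_credentials models API access with client credentials, to which
    the topic says owner/editor/viewer levels do not apply (clients have
    full access); modelled here as OWNER (assumption).
    """
    if client_credentials:
        return Permission.OWNER
    explicit = acl.get(user, Permission.NONE)
    if public:
        # Everybody (Public) grants viewer unless the user-level grant is higher.
        return max(explicit, Permission.VIEWER)
    return explicit


def who_has_access(acl: Dict[str, Permission], public: bool) -> List[Tuple[str, str]]:
    """Entries of the Sharing modal's 'Who has access' list.

    With Everybody (Public) set, individual viewers collapse into one
    Everybody (Public) entry; owners and editors stay listed by name.
    """
    rows = [(u, p.name.lower()) for u, p in sorted(acl.items())
            if not (public and p == Permission.VIEWER)]
    if public:
        rows.append(("Everybody (Public)", "viewer"))
    return rows


def adversary_hunt_example() -> Dict[str, object]:
    """The scenario from the text (constructed users): Bella owns the
    collection, 'me' is an editor, two others are viewers, then Bella
    grants Everybody (Public)."""
    acl: Dict[str, Permission] = {}
    grant(acl, "bella", Permission.OWNER, "Administrative Access")
    grant(acl, "me", Permission.EDITOR, "Primary Contributor Access")
    grant(acl, "carol", Permission.VIEWER, "Read Only Access")
    grant(acl, "dan", Permission.VIEWER, "Primary Contributor Access")
    public = True  # Bella selects Everybody (Public)
    return {
        "me": effective(acl, public, "me"),        # editor retained
        "carol": effective(acl, public, "carol"),  # still viewer
        "erin": effective(acl, public, "erin"),    # no grant -> viewer via public
        "who_has_access": who_has_access(acl, public),
    }


if __name__ == "__main__":
    for key, value in adversary_hunt_example().items():
        print(key, value)
```

Run the file to see that the editor keeps their level while the two named viewers disappear from the access list in favour of a single Everybody (Public) row.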
Sharing Notifications
The ThreatQ Notification Center alerts you about data collection, dashboard, or investigation permission changes that affect you. As such, you receive a notification when:
- A user shares a data collection, dashboard, or investigation with you.
- A user changes your permissions to owner, editor, or viewer.
- A data collection, dashboard, or investigation you own has been shared with another user.
- Your permissions to a data collection, dashboard, or investigation have been removed.
- A user requests access to an investigation you own.
See the Sharing Notifications topic for more details.
Permission Conversion
When you upgrade to version 4.54, ThreatQ updates your existing permissions as follows:
- Data Collections - For an existing data collection, the creator is automatically assigned owner permissions. All other users are assigned Everybody (Public) permissions.
- Dashboards:
  - All users are assigned viewer permissions for ThreatQ's default dashboards, and these permissions cannot be changed.
  - All other, user-created dashboards are assigned permissions based on the previous permission model:
    - Dashboard creators have owner permissions.
    - If a dashboard was shared with a user, the user retains the previously granted editor or viewer permissions.
- Investigations - Maintenance Account, Administrative Access, and Primary Contributor Access users are given editor permissions for all existing investigations that have a Visibility of Shared. Read Only Access users receive viewer permissions.
If the user who created a data collection, dashboard, or investigation was deleted prior to your upgrade to 4.54/4.55, the corresponding object is assigned to the most recently created admin or super user.
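The conversion rules above, as an added Python model rather than ThreatQ's own migration code. It turns legacy records (constructed sample users and objects) into the new owner/editor/viewer grants: data collection creators become owners with Everybody (Public) viewer access for everyone else; default dashboards give all users fixed viewer access; user-created dashboards keep their creator as owner and carry over shared users' editor or viewer levels; Shared investigations give the three full roles editor and Read Only Access users viewer; an object whose creator was deleted before the upgrade goes to the most recently created admin. The data classes, field names, the choice of which roles count as "admin or super user", and treating an investigation's creator as its owner are assumptions.

```python
"""Permission conversion on upgrade to 4.54, modelled after the topic text.

Added illustration, not ThreatQ code. Data classes, field names and the
sample users/objects are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List


FULL_ROLES = {"Maintenance Account", "Administrative Access",
              "Primary Contributor Access"}
# Assumption: these are the "admin or super user" roles that inherit
# objects whose creator was deleted before the upgrade.
ADMIN_ROLES = {"Administrative Access", "Maintenance Account"}


@dataclass
class User:
    name: str
    role: str
    created_seq: int            # higher value = created more recently
    deleted: bool = False


@dataclass
class LegacyObject:
    kind: str                   # "data_collection", "dashboard" or "investigation"
    creator: str
    default_dashboard: bool = False
    shared_with: Dict[str, str] = field(default_factory=dict)  # legacy dashboard shares
    visibility: str = "Private"  # investigations: "Shared" or "Private"


@dataclass
class Acl:
    grants: Dict[str, str]      # user -> "owner" | "editor" | "viewer"
    public: bool = False        # Everybody (Public) viewer access
    locked: bool = False        # permissions cannot be changed


def resolve_owner(obj: LegacyObject, users: List[User]) -> str:
    """Creator stays owner; a deleted creator's object goes to the most
    recently created active admin."""
    live = {u.name: u for u in users if not u.deleted}
    if obj.creator in live:
        return obj.creator
    admins = [u for u in live.values() if u.role in ADMIN_ROLES]
    if not admins:
        raise ValueError("no admin user available to take ownership")
    return max(admins, key=lambda u: u.created_seq).name


def convert(obj: LegacyObject, users: List[User]) -> Acl:
    """Apply the 4.54 conversion rules to one legacy object."""
    active = [u for u in users if not u.deleted]
    if obj.kind == "dashboard" and obj.default_dashboard:
        # Default dashboards: every user is a viewer, and that cannot change.
        return Acl(grants={u.name: "viewer" for u in active}, locked=True)

    owner = resolve_owner(obj, users)
    grants = {owner: "owner"}

    if obj.kind == "data_collection":
        # Everyone other than the creator gets Everybody (Public) access.
        return Acl(grants=grants, public=True)

    if obj.kind == "dashboard":
        active_names = {u.name for u in active}
        for name, level in obj.shared_with.items():
            if name != owner and name in active_names and level in ("editor", "viewer"):
                grants[name] = level    # previously granted level is retained
        return Acl(grants=grants)

    if obj.kind == "investigation":
        if obj.visibility == "Shared":
            for u in active:
                if u.name == owner:
                    continue
                if u.role in FULL_ROLES:
                    grants[u.name] = "editor"
                elif u.role == "Read Only Access":
                    grants[u.name] = "viewer"
        return Acl(grants=grants)

    raise ValueError(f"unknown object kind {obj.kind!r}")


def sample_conversion() -> Dict[str, Acl]:
    """Constructed legacy data exercising each rule, including a deleted creator."""
    users = [
        User("alice", "Administrative Access", 1),
        User("bob", "Primary Contributor Access", 2, deleted=True),
        User("carl", "Read Only Access", 3),
        User("dina", "Maintenance Account", 4),
    ]
    objects = {
        "collection": LegacyObject("data_collection", creator="alice"),
        "orphan_collection": LegacyObject("data_collection", creator="bob"),
        "default_dash": LegacyObject("dashboard", creator="alice", default_dashboard=True),
        "team_dash": LegacyObject("dashboard", creator="alice",
                                  shared_with={"carl": "viewer", "dina": "editor"}),
        "shared_inv": LegacyObject("investigation", creator="alice", visibility="Shared"),
    }
    return {name: convert(obj, users) for name, obj in objects.items()}


if __name__ == "__main__":
    for name, acl in sample_conversion().items():
        print(name, acl)
```

The orphaned collection is the case worth checking after a real upgrade: its grants land on whichever admin was created last, which may not be the person who should hold them.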
Permission Levels and Integrations
User-managed integrations use data collections created and maintained in the Threat Library. As such, user and group permission levels control access to these data collections.
Client-managed integrations are managed through the API. As such, user and group permissions do not control a client's ability to view, add, update, or delete these data collections.
Legacy, Client-Managed Data Collections
For existing, client-managed data collections, the user who created it is assigned owner-level permissions. All other users are assigned view-only access through Everybody (Public) group permissions.
Client-Managed Integrations
Through the API, clients have full access to all data collections (view, add, update, and delete). As a result, the new permission levels (owner, editor, viewer) only apply when authenticating with username and password credentials (for example, as a user accessing the user interface) as opposed to authenticating with client credentials.
Legacy, User-Managed Data Collections
For each existing saved data collection, the user who created it has owner-level permissions. All other users have view access through the Everybody (Public) group permission.
Air Gapped Data Sync (AGDS) and Investigation Sharing
The AGDS export process does not include data collections or dashboards, but it can include investigations if the following command is included and set to Y:
See the Air Gapped Data Sync (AGDS) section for more information.