
Action Permissions

THREATQ REQUIRED PERMISSIONS

Default ThreatQ Role: Administrative or Maintenance
Custom Role - Action Permissions: Administrative Functions - Edit User Management

Each custom role consists of action permissions which allow you to control access to:

  • Administrator Functions - Controls access to the options on the settings menu such as Exports, Job Management, Notification Settings, Report Options, System Configuration, and User Management as well as the Audit Log pane in the object details page.
  • Artifact Management - Controls access to custom dashboards, data collections, and TQI investigations.

    A user account's access to dashboards, data collections, and investigations can be further customized by the Sharing permissions assigned to them.

  • Objects & Context - Controls the ability to update system objects individually as well as through bulk processes.
  • Data Controls - Controls access to the Indicator Expiration, Data Retention Policy, Scoring, TLP, and Whitelisted Indicators tabs in the Data Controls page.
  • Integrations - Controls the ability to add, remove, or configure integrations as well as the ability to run operations.
  • Orchestration - Controls access to ThreatQ TDR Orchestrator including the ability to edit an advanced workflow or run a manual workflow.
  • Data Exchange - Controls access to ThreatQ Data Exchange including the ability to edit data exchange feeds.

Interdependent Permissions

Some action permissions require related permissions.  For example, a user role that includes the Edit TLP permission also requires the Edit Sources permission.  When you add or remove action permissions that require related permissions, ThreatQ guides you through adding or removing the related permissions.  See the Interdependent Permissions section for more information.

Object Creation and Object Context Permissions

When you create an object through an object modal or an object parser/import, you can update only the context fields for which you have permission. For example, if tquser has View Only permission for Descriptions, the editable Description field is not displayed in the Add An Adversary modal or any other object creation modal.

If a user has View Only permission for Sources, system object parsers and system object creation modals default to the user’s login as the object source.

Navigating the Action Permissions Section

The Action Permissions sections in the Roles tab and the Create Role page allow you to view or update a custom role’s permissions:

  • View permission options - Click the arrow located to the right of a permission section to view the options for that section. Or, click the Expand All option to view the options for all sections.
  • Update permissions - Within an expanded permission section, check or uncheck the checkbox next to a permission option to enable or disable it. Or, you can enable/disable all the permission options within a section, by clicking the toggle to the right of the permission section name.
Each action permission group below lists its permission options and their permission settings.

Administrative Functions

  • Edit Exports - Controls the ability to add, edit, enable or disable exports. A user without this permission can view the Exports page and access export URLs but cannot add or change exports.
  • View Job Management - Controls access to the Job Management page.
  • Edit Notification Settings - Controls access to the Notification Settings page as well as the ability to edit Notification Management and Mail Server Configuration settings.
  • Edit Report Options - Controls access to the Report Options page as well as the ability to update report format settings.
  • Edit System Configurations - Controls access to the System Configurations page as well as the ability to edit Account Security, Proxy, and General settings.
  • Edit User Management - Controls access to the User Management page as well as the ability to edit user accounts, custom user roles, and authentication settings (LDAP, SAML, and CAC/PIV SSL). In addition, this permission controls the display of the View all roles and View permissions options for your user profile.
  • View Audit Log - Controls the ability to view the Audit Log pane in the object details page.

Artifact Management

A user's access to dashboards, data collections, and investigations can be further customized by the Sharing permissions assigned to them.

  • Dashboards - Controls the ability to view, create, edit, or delete custom dashboards.
  • Data Collections - Controls the ability to view, create, edit, or delete data collections.
  • Investigations - Controls the ability to view, create, edit, or delete investigations.

    This option is displayed only if your ThreatQ instance has a ThreatQ Investigations (TQI) license.

Objects & Context

  • Objects - Controls the ability to:
    • Create system objects (including investigations) by clicking the Create button or by clicking the Create <object type> link in the object Search window.
    • Delete system objects from the Threat Library.
    • Edit an object’s Value/Name and Type fields in the object details page.

    These permissions apply to all seeded and custom objects.

    Users with Create, Edit, Delete permissions can update only the context fields for which they have permission. See the Object Creation and Object Context Permissions section for more details.

  • Individual Object Context and Actions - Controls the ability to create, edit, and delete the following information:
    • Attributes - Object details page, object preview panel
    • Sources - Add <object type> modal, object details page, object preview panel, Bulk Changes

      If a user has View Only permissions for Sources, system object parsers and system object creation modals default to the user’s login as the object source.

    • Tags - Object details page, object preview panel
    • Descriptions - Add object type modal, object details page, object preview panel
    • Comments - Object details page, object preview panel
    • Relationships - Add object type modal, object details page, object preview panel, Bulk Changes

    In addition, these permissions determine the user’s ability to perform the following tasks in the object details page and object preview panel:

    • Create and edit PDF extracts of system object details
    • Add or remove a system object from the Watchlist
    • Edit or delete an object’s Point of Contact
    • Edit or delete an object’s Status
    • Edit the Score assigned to an object
    • Edit or delete an object’s Expiration Date

  • Bulk Object Management - Controls the ability to change groups of objects through the Threat Library and the Object Management page:
    • Threat Library:
      • Bulk Changes using the Threat Library Bulk Changes option.
      • Bulk Manual Imports using the Indicator, Signature, Spearphish, or STIX parsers.

        Users can only add Signature objects via a manual import. As a result, a user without the Bulk Manual Imports permission cannot add Signature objects.

      • Bulk Deletes using the Threat Library Bulk Delete option.
    • Object Management Page:
      • Editing Indicator and Object Statuses via the Indicator Statuses and Object Statuses tabs (Manage Object Statuses).
      • Editing Indicator and Event object types via the Indicator Types and Event Types tabs (Manage Object Sub-types).
      • Update System Attributes via the Attribute Management tab (Manage System Attributes).

Data Controls

  • Edit Indicator Expiration - Controls the ability to view or edit the Indicator Expiration tab in the Data Controls page.

    This permission does not control the ability to update expiration in the object details page or through a bulk update.

  • Edit Data Retention Policy - Controls the ability to view or edit the Data Retention Policy tab in the Data Controls page. Gives users access to the data collection currently assigned to the data retention policy.
  • Edit Scoring - Controls the ability to view or edit the Scoring tab in the Data Controls page.

    This permission does not control the ability to update scoring in the object details page or through a bulk update.

    To edit indicator scoring, you must also have permission to Manage Object Sub-types.

  • Edit TLP - Controls the ability to view or edit the TLP tab in the Data Controls page.

    This permission does not control the ability to add a TLP during manual creation of an object or through a bulk update.

  • Edit Whitelisting - Controls the ability to view or edit the Whitelisted Indicators tab in the Data Controls page.

    This permission does not control the ability to whitelist an object through the object details page or through a bulk update.

Integrations

Custom role permissions control access to the pages that allow you to execute manual runs of integrations. However, custom role permissions do not apply to the objects and object context created/ingested.

  • Install & Uninstall Integrations - Controls a user’s ability to:
    • Use the Add New Integration button in the Integrations page to install integrations.
    • Use the Uninstall button in the integration configuration page to remove an integration.
  • Edit Integration Configurations - Controls a user’s ability to access an integration’s configuration page and update an integration’s configuration options.
  • Run Operations
    • Controls a user’s ability to view the Operations pane in the object details page and apply an operation to the object.
    • To view the Activity Log tab in the integrations configuration page, you must have the Run Operations permission.

Orchestration

This option is displayed only if your ThreatQ instance has a ThreatQ TDR Orchestrator (TQO) license.

Custom role permissions control access to the pages that allow you to execute manual runs of TQO workflows. However, custom role permissions do not apply to the objects and object context created/ingested.

  • Edit Orchestration Workflows
    • Controls the ability to view TQO pages, create, edit, or delete TQO workflows, and configure Action integrations.
    • To make full use of TQO, a user's role must include additional permissions. See the Interdependent Permissions section for more information.
  • Run Manual Workflows
    • Controls the ability to run a manual workflow from the object details page or the Threat Library.
    • Gives the user access to all existing workflow data collections.

Data Exchange

This option is displayed only if your ThreatQ instance has a ThreatQ Data Exchange (TQX) license.

  • Edit Data Exchange Feeds
    • Controls the ability to view, create, or edit ThreatQ Data Exchange’s OpenDXL transports or TAXII server pages.
    • Gives the user access to all existing TAXII data collections.