
Data Access Permissions

Data Access Permissions work in conjunction with the Objects action permission to control access by object type (for example, Indicator, Adversary, Event, Campaign).

For each object type, you can assign one of the following permission levels:

  • Create, Edit, Delete
  • View Access Only
  • No Access

Object-type permissions override the Objects permission assigned to the role. For example, you can create a role with Create, Edit, Delete permissions for Objects but specify a View Only data access permission for event objects.

Availability and Scope

Data Access Permissions:

  • Apply only to custom roles
  • Are not available for default roles (Administrator, Maintenance, Primary Contributor, Read Only)

ThreatQ allows you to assign data access permissions for seeded and custom system object types.

How the Objects Permission and Object-Type Permissions Interact

The available object-type permission options depend on the role’s Objects permission:

  Objects Permission      Available Object-Type Permissions
  View Only               No Access; Create, Edit, Delete
  Create, Edit, Delete    No Access; View Access Only

Tips and Tricks

  • Object-type permissions override the Objects permission.
  • If an object-type permission is removed, the Objects permission applies to that object type again. For example, if you remove the View Access Only permission for adversary objects, the Objects permission of Create, Edit, Delete now applies to adversary objects.
  • If an object-type permission is set to the same level as the Objects permission, the object-type entry is removed because it is redundant. For example, if you change the Objects permission to Create, Edit, Delete, ThreatQ removes an indicator-specific Create, Edit, Delete entry because it no longer differs from the Objects permission.

    If most object types are set to the same permission level, ThreatQ prompts you to update the Objects permission to match. Example: If the Objects permission is set to Create, Edit, Delete but most object types are View Access Only, ThreatQ prompts you to switch Objects to View Access Only and retain exceptions.

Permission Conflicts

If an object-type permission conflicts with an Action Permission, ThreatQ resolves the conflict and notifies you.

Examples:

  • If Indicator access is set to View Access Only, related permissions (such as Expiration Date or Score) are downgraded to View Only.
  • If Indicator access is set to No Access, related permissions are disabled.
  • Increasing an Action Permission (for example, Expiration Date from View Only to Create/Edit/Delete) automatically updates the related object-type permission.
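The interaction and conflict rules above amount to a small resolution algorithm. The following model is an added example written for this page, not ThreatQ's own code; the class and method names, the ordering of levels, and the sample object-type list are assumptions. It replays the page's examples: an object-type entry overriding the Objects permission, a redundant entry being dropped, an Indicator downgrade capping the Expiration Date and Score action permissions, and a raised action permission lifting Indicator access. It also models the "most object types" prompt as a strict-majority check, which is an assumption about how that prompt is triggered.

```python
from dataclasses import dataclass, field
from enum import IntEnum


class Level(IntEnum):
    """Permission levels, ordered least to most access (assumed ordering)."""
    NO_ACCESS = 0
    VIEW = 1                # "View Access Only"
    CREATE_EDIT_DELETE = 2  # "Create, Edit, Delete"


# Action permissions the page says depend on Indicator access.
INDICATOR_RELATED_ACTIONS = ("Expiration Date", "Score")

# Constructed list of object types for the majority check (not a ThreatQ list).
SAMPLE_TYPES = ("Indicator", "Adversary", "Event", "Campaign", "Signature")


@dataclass
class CustomRole:
    objects: Level                                     # role-wide Objects permission
    object_types: dict = field(default_factory=dict)   # per-object-type overrides
    actions: dict = field(default_factory=dict)        # action permissions

    def effective(self, object_type):
        """An object-type entry overrides the Objects permission; otherwise fall back to it."""
        return self.object_types.get(object_type, self.objects)

    def set_object_type(self, object_type, level):
        """Add or replace an override. One equal to the Objects permission is redundant
        and is dropped rather than stored. Returns any conflict notifications."""
        if level == self.objects:
            self.object_types.pop(object_type, None)
        else:
            self.object_types[object_type] = level
        return self._resolve_conflicts()

    def remove_object_type(self, object_type):
        """Removing an override makes the Objects permission apply to that type again."""
        self.object_types.pop(object_type, None)
        return self._resolve_conflicts()

    def set_objects(self, level):
        """Change the role-wide permission; overrides that now match it are redundant."""
        self.objects = level
        for ot in [t for t, lvl in self.object_types.items() if lvl == level]:
            del self.object_types[ot]
        return self._resolve_conflicts()

    def set_action(self, action, level):
        """Raising a related action permission raises Indicator access to match."""
        self.actions[action] = level
        if action in INDICATOR_RELATED_ACTIONS and level > self.effective("Indicator"):
            return self.set_object_type("Indicator", level)
        return self._resolve_conflicts()

    def _resolve_conflicts(self):
        """Cap Indicator-related actions at the Indicator level; No Access disables them."""
        cap = self.effective("Indicator")
        notes = []
        for action in INDICATOR_RELATED_ACTIONS:
            if self.actions.get(action, Level.NO_ACCESS) > cap:
                self.actions[action] = cap
                notes.append(f"{action} lowered to {cap.name} to match Indicator access")
        return notes

    def searchable_types(self, all_types):
        """Basic Search lists only object types the user can at least view."""
        return [t for t in all_types if self.effective(t) >= Level.VIEW]

    def can_create(self, object_type):
        """The Create <object type> link needs Create, Edit, Delete on that type."""
        return self.effective(object_type) == Level.CREATE_EDIT_DELETE

    def suggested_objects_level(self, all_types):
        """Level ThreatQ would prompt to switch Objects to when a strict majority of
        types resolve to one level other than the Objects permission; else None."""
        counts = {}
        for t in all_types:
            counts[self.effective(t)] = counts.get(self.effective(t), 0) + 1
        top, n = max(counts.items(), key=lambda kv: kv[1])
        return top if n * 2 > len(all_types) and top != self.objects else None


def walkthrough():
    """Replays the page's examples against the model and returns the observations."""
    role = CustomRole(objects=Level.CREATE_EDIT_DELETE,
                      actions={"Score": Level.CREATE_EDIT_DELETE,
                               "Expiration Date": Level.CREATE_EDIT_DELETE})
    out = {}
    role.set_object_type("Event", Level.VIEW)              # override beats Objects
    out["event"] = role.effective("Event")
    out["notes"] = role.set_object_type("Indicator", Level.VIEW)  # related actions capped
    out["score_after_cap"] = role.actions["Score"]
    role.remove_object_type("Indicator")                   # Objects applies again
    out["indicator_after_remove"] = role.effective("Indicator")
    role.set_object_type("Indicator", Level.CREATE_EDIT_DELETE)  # redundant: not stored
    out["indicator_override_stored"] = "Indicator" in role.object_types
    role.set_object_type("Indicator", Level.NO_ACCESS)     # No Access disables actions
    out["score_disabled"] = role.actions["Score"]
    role.set_action("Score", Level.CREATE_EDIT_DELETE)     # raising action raises Indicator
    out["indicator_after_raise"] = role.effective("Indicator")
    out["searchable"] = role.searchable_types(SAMPLE_TYPES)
    for t in ("Adversary", "Campaign", "Signature"):
        role.set_object_type(t, Level.VIEW)
    out["suggestion"] = role.suggested_objects_level(SAMPLE_TYPES)
    return out
```

Calling walkthrough() shows the asymmetry worth remembering when auditing roles: lowering Indicator access silently lowers Expiration Date and Score, but raising Indicator access back does not restore them, while raising one of those actions does lift Indicator access.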

System Object Access Rules

Basic Search

Search results include only object types for which the user has:

  • Create, Edit, Delete, or
  • View Access Only

The Create <object type> link appears only if the user has Create, Edit, Delete permission for that object type.

Object Details and Relationships

An object’s Details page is accessible only if the user has Create, Edit, Delete or View Access Only permission for that object type.

An object type appears in the Relationships section only if the user has access to that object type.

System Object Imports

ThreatQ allows you to parse files to import system objects. You must have Create, Edit, Delete permission for the object type to import it or create relationships via import. If an import contains object types or context you lack Create/Edit/Delete permission for, the import fails.

Examples:

  • Signatures - Adding a signature object to ThreatQ requires a manual import. As a result, the Create menu only displays the Signature option if your user role includes:
    • Create, Edit, Delete Action permissions for Objects OR Create, Edit, Delete Data Access Permissions for Signatures
    • Permission to Perform Bulk Manual Import.
  • Events - You can add event objects via the spearphish parser. To do so, your user role must include the Perform Bulk Manual Import permission.
  • STIX Objects - For STIX imports, you must have Create, Edit, Delete permission for at least one STIX object type.

Threat Library

You can perform bulk changes only for object types for which you have Create, Edit, Delete permission. You can export Threat Library search result sets only for object types for which you have Create, Edit, Delete or View Access Only permission.

Feature-Specific Behavior

Dashboards

Your data access permissions control the display of object types in dashboard widgets as well as the display of default and custom dashboards.

Custom Dashboard Examples:

  • If you have No Access to Events, you cannot view the Event Analytics dashboard.
  • If you have No Access to Adversary objects, you cannot view the Adversary Analytics dashboard.
  • If you have No Access to Files, you cannot view the Files Analytics dashboard.
  • If you have No Access to Indicators, you cannot view the Indicator Analytics dashboard.

Dashboard Widget Examples:

  • If you have No Access to Tasks, you cannot view the Tasks widget in the Overview dashboard.
  • If you have No Access to Indicators, you cannot view the following Overview dashboard widgets:
    • Overview of Intelligence by Score
    • Incoming Intelligence
    • Watchlist Activity
    • Tasks

Dashboards may appear empty if all widget object types are set to No Access.

Sharing dashboards does not override data access permissions.

Exports

Authenticated exports are filtered based on the user’s data access permissions. Anonymous exports generated via access tokens are not filtered by data access permissions and return full results.

Export configurations can include only object types the user can access.

Imports

Adding a signature object to ThreatQ requires a manual import. As a result, the Create menu only displays the Signature option if your user role includes:

  • Create, Edit, Delete permissions for Objects
  • Create, Edit, Delete Data Access Permissions for Signatures
  • Permission to Perform Bulk Manual Import.

Similarly, you can add event objects via the spearphish parser. To do so, your user role must include the Perform Bulk Manual Import permission.

ThreatQ Investigations (TQI)

Data Access Permissions also control your access to object types in TQI. For example:

  • Evidence boards show only object types the user can access.
  • Objects with No Access can be added to an investigation but cannot be committed or removed.
  • Related objects appear only if the user has access to them.

Integrations

Feeds and workflows ingest objects regardless of user permissions.