User Roles
What are the available roles and how should I assign them?
Note
Secureworks recommends you assign users the least-privileged role that allows them to perform their work in order to limit unnecessary access.
Tip
You can now create and manage custom roles using the categories and permissions detailed below to tailor access for your tenant users to your needs. For more information, see Custom Roles.
Administrator
Administrators are the most powerful users in Secureworks® Taegis™ XDR. They can access and use all features of the application, as well as manage users and security telemetry, such as integrations and Secureworks Counter Threat Unit™ (CTU).
Organizational roles well suited to the Administrator role include:
- Systems Administrator
- Partner/Product Support
Analyst
Analysts are primarily responsible for investigating alerts, searching for threats, and recommending response actions. Analysts cannot manage users. Secureworks anticipates that most users would be assigned the Analyst role.
Organizational roles well suited to the Analyst role include:
- Security Analyst
- Security Manager
- Threat Hunter
Responder
Like Analysts, Responders can investigate alerts and search for threats, but they can also take response actions on a defined set of assets within the tenant.
Organizational roles well suited to the Responder role include:
- Incident Response Team Member
- SecOps
- Threat Hunter
Auditor
Auditors have the most limited access within XDR, as they have read-only access to the application. They can create searches and reports but cannot make changes to the data or their sources.
Organizational roles well suited to the Auditor role include:
- Customer Success Manager
- Service Delivery Executive
User Role Permissions
Agent
| Agent | Tenant Admin | Tenant Analyst | Tenant Responder | Tenant Auditor |
| --- | --- | --- | --- | --- |
| Block | | | | |
| Download an agent | | | | |
| Isolate agents at a tenant level | | | | |
| Issue reconnect | | | | |
| View agent properties and status | | | | |
| Assign/remove a tag for an agent | | | | |
| Uninstall | | | | |
| Update agent properties | | | | |
Agent Config
| AgentConfig | Tenant Admin | Tenant Analyst | Tenant Responder | Tenant Auditor |
| --- | --- | --- | --- | --- |
| Create new agent configurations | | | | |
| Delete existing agent configurations | | | | |
| Read agent configurations | | | | |
| Update | | | | |
Agent Group
| AgentGroup | Tenant Admin | Tenant Analyst | Tenant Responder | Tenant Auditor |
| --- | --- | --- | --- | --- |
| Create new agent groups | | | | |
| Delete agent groups | | | | |
| View agent group properties and status | | | | |
| Update agents' group assignments and agent group metadata | | | | |
Alert
| Alert | Tenant Admin | Tenant Analyst | Tenant Responder | Tenant Auditor |
| --- | --- | --- | --- | --- |
| View an alert | | | | |
| Edit an alert | | | | |
Archive Configuration
| ArchiveConfiguration | Tenant Admin | Tenant Analyst | Tenant Responder | Tenant Auditor |
| --- | --- | --- | --- | --- |
| Create an archive configuration | | | | |
| Delete an archive configuration | | | | |
| View an archive configuration | | | | |
Asset
| Asset | Tenant Admin | Tenant Analyst | Tenant Responder | Tenant Auditor |
| --- | --- | --- | --- | --- |
| Create asset tags | | | | |
| Delete assets | | | | |
| Delete asset tags | | | | |
| Update assets | | | | |
| Isolate and integrate agents | | | | |
| Update asset tags | | | | |
Audit
| Audit | Tenant Admin | Tenant Analyst | Tenant Responder | Tenant Auditor |
| --- | --- | --- | --- | --- |
| View self-created audit logs | | | | |
| View tenant audit logs with partner user/email info redaction | | | | |
Client
| Client | Tenant Admin | Tenant Analyst | Tenant Responder | Tenant Auditor |
| --- | --- | --- | --- | --- |
| Create clients | | | | |
| Delete clients | | | | |
| View clients | | | | |
| Update clients | | | | |
Collector
| Collector | Tenant Admin | Tenant Analyst | Tenant Responder | Tenant Auditor |
| --- | --- | --- | --- | --- |
| Create a collector | | | | |
| Remove a collector | | | | |
| Download collector files | | | | |
| Download collector endpoint credentials | | | | |
| Read collector properties | | | | |
| Configure a collector | | | | |

| Comments | Tenant Admin | Tenant Analyst | Tenant Responder | Tenant Auditor |
| --- | --- | --- | --- | --- |
| Create comments | | | | |
| Delete comments | | | | |
| Read comments | | | | |
| Update comments | | | | |
Contracted Endpoints
| ContractedEndpoints | Tenant Admin | Tenant Analyst | Tenant Responder | Tenant Auditor |
| --- | --- | --- | --- | --- |
| Read contracted endpoints information | | | | |
Counter Measures
| CounterMeasures | Tenant Admin | Tenant Analyst | Tenant Responder | Tenant Auditor |
| --- | --- | --- | --- | --- |
| Download counter measures | | | | |
| View counter measures | | | | |
Data Source
| DataSource | Tenant Admin | Tenant Analyst | Tenant Responder | Tenant Auditor |
| --- | --- | --- | --- | --- |
| View data sources | | | | |
| Tag a data source | | | | |
Detection Rules
| DetectionRules | Tenant Admin | Tenant Analyst | Tenant Responder | Tenant Auditor |
| --- | --- | --- | --- | --- |
| Create a detection rule | | | | |
| Remove a detection rule | | | | |
| Permanently remove a detection rule | | | | |
| Read detection rules | | | | |
| Update a detection rule | | | | |
Enterprise SSO Connection
| Enterprise SSO Connection | Tenant Admin | Tenant Analyst | Tenant Responder | Tenant Auditor |
| --- | --- | --- | --- | --- |
| Create enterprise SSO connections | | | | |
| Delete enterprise SSO connections | | | | |
| Read enterprise SSO connections | | | | |
| Update enterprise SSO connections | | | | |
Entity Graph
| EntityGraph | Tenant Admin | Tenant Analyst | Tenant Responder | Tenant Auditor |
| --- | --- | --- | --- | --- |
| Read schema of properties in entity graph | | | | |
| Write, delete, and update schema of properties in entity graph | | | | |
File
| File | Tenant Admin | Tenant Analyst | Tenant Responder | Tenant Auditor |
| --- | --- | --- | --- | --- |
| Download a file | | | | |
| Read a file | | | | |
Integration
| Integration | Tenant Admin | Tenant Analyst | Tenant Responder | Tenant Auditor |
| --- | --- | --- | --- | --- |
| Create an integration | | | | |
| Remove an existing integration | | | | |
| Download an integration | | | | |
| View an integration's properties and status | | | | |
| Update an integration | | | | |
Investigation
| Investigation | Tenant Admin | Tenant Analyst | Tenant Responder | Tenant Auditor |
| --- | --- | --- | --- | --- |
| Archive an investigation | | | | |
| Assign an investigation to the tenant's "customer," i.e., to any user in the tenant | | | | |
| Assign an investigation to the tenant's "partner," i.e., to its parent tenant | | | | |
| Create a new investigation | | | | |
| Delete an investigation | | | | |
| Mention a tenant's "partner," i.e., its parent tenant, in a comment | | | | |
| View an investigation | | | | |
| Search for an investigation | | | | |
| Update an investigation, including adding comments, alerts, and search results | | | | |
Notifications
| Notifications | Tenant Admin | Tenant Analyst | Tenant Responder | Tenant Auditor |
| --- | --- | --- | --- | --- |
| Create notifications | | | | |
| Delete notifications | | | | |
| Read notifications | | | | |
| Update notifications | | | | |
Orchestration Action
| OrchestrationAction | Tenant Admin | Tenant Analyst | Tenant Responder | Tenant Auditor |
| --- | --- | --- | --- | --- |
| Trigger actions from investigations | | | | |
| Look up contextual information | | | | |
| Trigger remediation response actions | | | | |
Orchestration Connection
| OrchestrationConnection | Tenant Admin | Tenant Analyst | Tenant Responder | Tenant Auditor |
| --- | --- | --- | --- | --- |
| Create an orchestration connection | | | | |
| Remove an orchestration connection | | | | |
| View an orchestration connection's properties and status | | | | |
| Modify an orchestration connection | | | | |
Orchestration Connection Method
| OrchestrationConnectionMethod | Tenant Admin | Tenant Analyst | Tenant Responder | Tenant Auditor |
| --- | --- | --- | --- | --- |
| View an orchestration connection method's properties and status | | | | |
Orchestration Connector
| OrchestrationConnector | Tenant Admin | Tenant Analyst | Tenant Responder | Tenant Auditor |
| --- | --- | --- | --- | --- |
| Create an orchestration connector | | | | |
| Remove an orchestration connector | | | | |
| View an orchestration connector's properties and status | | | | |
| Modify an orchestration connector | | | | |
Partner Tenant
| PartnerTenant | Tenant Admin | Tenant Analyst | Tenant Responder | Tenant Auditor |
| --- | --- | --- | --- | --- |
| Read partner tenant information (subscriptions, partner relationships) | | | | |
| Update partner tenant information (subscriptions, partner relationships) | | | | |
Playbook
| Playbook | Tenant Admin | Tenant Analyst | Tenant Responder | Tenant Auditor |
| --- | --- | --- | --- | --- |
| Create a playbook | | | | |
| Delete playbook properties | | | | |
| Execute a playbook | | | | |
| View playbook properties and results | | | | |
| Modify playbook properties | | | | |
Playbook Instance
| PlaybookInstance | Tenant Admin | Tenant Analyst | Tenant Responder | Tenant Auditor |
| --- | --- | --- | --- | --- |
| Create a playbook instance | | | | |
| Delete a playbook instance | | | | |
| Execute a playbook instance | | | | |
| View a playbook instance's properties, executions, and results | | | | |
| Modify a playbook instance | | | | |
Report
| Report | Tenant Admin | Tenant Analyst | Tenant Responder | Tenant Auditor |
| --- | --- | --- | --- | --- |
| Create a report | | | | |
| Delete an existing report | | | | |
| View a report | | | | |
| View all reports within the tenant environment if those reports are marked as 'share with admin' | | | | |
| Edit an existing report | | | | |
Search
| Search | Tenant Admin | Tenant Analyst | Tenant Responder | Tenant Auditor |
| --- | --- | --- | --- | --- |
| Create and save a search | | | | |
| Remove an existing search | | | | |
| View search results | | | | |
| Update an existing search | | | | |
Tenant
| Tenant | Tenant Admin | Tenant Analyst | Tenant Responder | Tenant Auditor |
| --- | --- | --- | --- | --- |
| Create a tenant | | | | |
| Read tenant properties | | | | |
| Update a tenant | | | | |
Tenant Preference
| TenantPreference | Tenant Admin | Tenant Analyst | Tenant Responder | Tenant Auditor |
| --- | --- | --- | --- | --- |
| Create a tenant preference | | | | |
| Delete a tenant preference | | | | |
| Read a tenant preference | | | | |
| Update a tenant preference | | | | |
Tenant Profile
| TenantProfile | Tenant Admin | Tenant Analyst | Tenant Responder | Tenant Auditor |
| --- | --- | --- | --- | --- |
| Create a tenant profile | | | | |
| Read a tenant profile | | | | |

| TenantProfileCseContact | Tenant Admin | Tenant Analyst | Tenant Responder | Tenant Auditor |
| --- | --- | --- | --- | --- |
| Create tenant profile CSE contacts | | | | |
| Remove tenant profile CSE contacts | | | | |
| Read tenant profile CSE contacts | | | | |
| Update tenant profile CSE contacts | | | | |

| TenantProfileHealthContact | Tenant Admin | Tenant Analyst | Tenant Responder | Tenant Auditor |
| --- | --- | --- | --- | --- |
| Create tenant profile health contacts | | | | |
| Remove tenant profile health contacts | | | | |
| Read tenant profile health contacts | | | | |
| Update tenant profile health contacts | | | | |
Tenant Profile Network Info
| TenantProfileNetworkInfo | Tenant Admin | Tenant Analyst | Tenant Responder | Tenant Auditor |
| --- | --- | --- | --- | --- |
| Create tenant profile network information | | | | |
| Remove tenant profile network information | | | | |
| Read tenant profile network information | | | | |
| Update tenant profile network information | | | | |
Tenant Profile Network Range
| TenantProfileNetworkRange | Tenant Admin | Tenant Analyst | Tenant Responder | Tenant Auditor |
| --- | --- | --- | --- | --- |
| Create tenant profile network range | | | | |
| Remove tenant profile network range | | | | |
| Read tenant profile network range | | | | |
| Update tenant profile network range | | | | |
User
| User | Tenant Admin | Tenant Analyst | Tenant Responder | Tenant Auditor |
| --- | --- | --- | --- | --- |
| Invite a user to a tenant | | | | |
| Create a pre-registered user | | | | |
| Deactivate a user | | | | |
| Read a user | | | | |
| Update a user's properties, including assigned access roles | | | | |