ThreatConnect System Roles and Permissions
  • 06 Mar 2024


Overview

A user’s System role in ThreatConnect® determines the System-level permissions that they have on their ThreatConnect instance. These permissions cover access and functionalities on each of the following screens:

  • System Settings
  • Account Settings
  • TC Exchange™ Settings
  • Organization Settings
  • Organization Config

This article defines the System roles provided in ThreatConnect, including the access and permissions each role has on each tab of the listed screens. See ThreatConnect Owner Roles and Permissions for information on Organization roles and Community roles.

Note
In addition to the System roles described in the “System Role Definitions and Permissions” section, there are three other System roles for specialized user types: Api User and Exchange Admin for API Users, and Taxii User for TAXII Users. These roles are not covered in this article.

System Role Definitions and Permissions

Administrator

Definition

The System role of Administrator is also known as the System Administrator, or Sys Admin. This role has the highest level of permissions, including full access to all System and Organization settings and configuration within the ThreatConnect instance.

The Administrator role is typically used for administration purposes, but can perform all other functions, such as creating Indicators and Groups, viewing and adding dashboards, adding and modifying Workflow Cases, and adding and running Playbooks, within their home Organization (i.e., the Organization to which their account belongs).

Permissions

The following permissions assume that the Administrator has an Organization role of Organization Administrator, which is the Organization role that should be assigned to Administrators.

  • System Settings: Full
  • Account Settings: Full
  • TC Exchange Settings: Full
  • Organization Settings
    • Home Organization: Full
    • Other Organizations: Full
  • Organization Config
    • Home Organization: Full
    • Other Organizations: Full

Operations Administrator

Definition

An Operations Administrator is a limited System Administrator account with read-only access at the System level and full administrative permissions at the Organization level. Operations Administrators can make administrative and configuration changes to Organizations, such as creating, deleting, and updating user accounts, and can add, modify, and remove Communities and Sources. Only Administrators and Operations Administrators can create accounts with System-level permissions (that is, accounts with a System role other than User or Read Only User). However, Operations Administrators may not create Administrator accounts.

Permissions

The following permissions assume that the Operations Administrator has an Organization role of Organization Administrator, which is the Organization role that should be assigned to Operations Administrators.

  • System Settings: Read Only
  • Account Settings: Full
  • TC Exchange Settings: None
  • Organization Settings
    • Home Organization: Full
    • Other Organizations: No permissions on the Apps tab; Full permissions on all other tabs
  • Organization Config
    • Home Organization: Full
    • Other Organizations: Full

Accounts Administrator

Definition

An Accounts Administrator is a limited administrative account that has read-only access at the System and Organization levels; can create and modify, but not delete, Organizations; and can add Organizations to Communities and Sources.

Permissions

The following permissions assume that the Accounts Administrator has an Organization role of Standard User, which is the Organization role that should be assigned to Accounts Administrators.

  • System Settings: Read Only
  • Account Settings: Read, edit, and modify permissions on the Organizations tab; permissions to add Organizations to Communities on the Communities/Sources tab; Read Only permissions for all other tabs.
  • TC Exchange Settings: None
  • Organization Settings
    • Home Organization: Read Only permissions on all tabs except the Apps tab, in which an Accounts Administrator can run Jobs. In On-Premises or Dedicated Cloud instances, Accounts Administrators can create user accounts with a System role of User or Read Only User, as well as TAXII Users, on the Membership tab.
    • Other Organizations: None
  • Organization Config
    • Home Organization: Read Only
    • Other Organizations: None

Community Leader

Definition

A Community Leader is a limited administrative account that has read-only access at the System and Organization levels. The main use case for a Community Leader is for read-only viewing of all Organizations in the System (i.e., on the ThreatConnect instance) in order to make informed requests to System Administrators (e.g., request changes to the System configuration or request creation of new Communities and Sources). For example, an MSSP with multiple clients in a single instance could use a Community Leader to have read-only visibility into all System administration pages for each client.

Permissions

The following permissions assume that the Community Leader has an Organization role of Standard User, which is the Organization role that should be assigned to Community Leaders.

  • System Settings: Read Only
  • Account Settings: Read Only
  • TC Exchange Settings: None
  • Organization Settings
    • Home Organization: Read Only permissions on all tabs except for the Apps tab, in which a Community Leader can run Jobs.
    • Other Organizations: None
  • Organization Config
    • Home Organization: Read Only
    • Other Organizations: None

Super User

Definition

A Super User is an account that enables users on multitenant instances to easily view and manage all of their customers’ data from a single user account. Super Users do not have any access or permissions at the System level, but do have full data-level, administrative, and configuration permission at the Organization level for all Organizations on the ThreatConnect instance. Super Users may view, create, edit, and delete data (dashboards, posts, threat intelligence, Workflow, and Playbooks) in all Organizations on the ThreatConnect instance. They also can administrate and configure all Organizations, including creating, deleting, and updating user accounts and adding, modifying, and deleting Organization-level variables, metrics, Attribute types, Indicator exclusion lists, and Security Labels.

Permissions

The following permissions reflect that the Super User has an Organization role of Organization Administrator, as this is the only Organization role that can be assigned to Super Users.

  • System Settings: None
  • Account Settings: None
  • TC Exchange Settings: None
  • Organization Settings
    • Home Organization: Full
    • Other Organizations: Full
  • Organization Config
    • Home Organization: Full
    • Other Organizations: Full

User

Definition

A User is an account that does not have any access or permissions at the System level. User accounts are typically given to analysts, Playbook developers, App developers, and others who need to assess threats, make intelligence-based recommendations, or conduct security operations for their company. The Organization-level access and permissions for a User account, as well as the User's access to threat intelligence, the ThreatConnect Workflow functionality, and Playbooks, are determined by the User's Organization role. Users have access only to the Organization to which they belong in the System.

Permissions

The following permissions assume that the User has an Organization role of Standard User; however, Users can be assigned any Organization role. Having an Organization role of Organization Administrator will provide a User with Full permissions on all tabs of the Organization Settings and Organization Config screens for their home Organization.

  • System Settings: None
  • Account Settings: None
  • TC Exchange Settings: None
  • Organization Settings
    • Home Organization: Read Only permissions on all tabs except for the Apps tab, in which a User can run Jobs. On the Membership tab, the User will see only their account listed in the table. Information about other users in the Organization will not be visible. If the User has an Organization role of Organization Administrator, then they will have Full permissions across the Organization Settings screen.
    • Other Organizations: None
  • Organization Config
    • Home Organization: Read Only
    • Other Organizations: None

Read Only User

Important
Read Only User accounts that do not count against an Organization’s user license limit must have a System role of Read Only User. Creating Read Only Users requires a license that allows Read Only Users.

Definition

A Read Only User is a user account that can only view existing data in the Organization(s) to which it belongs. Read Only Users do not have any access or permissions at the System level. Customers may create an unlimited number of Read Only User accounts in an Organization for free. All Read Only Users have an Organization role of Read Only User or Read Only Commenter.

Permissions

The following permissions assume that the Read Only User has an Organization role of Read Only User or Read Only Commenter, which are the only Organization roles that may be assigned to Read Only Users.

  • System Settings: None
  • Account Settings: None
  • TC Exchange Settings: None
  • Organization Settings
    • Home Organization: Read Only
    • Other Organizations: None
  • Organization Config
    • Home Organization: Read Only
    • Other Organizations: None
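As an added example (not ThreatConnect's code), the following script encodes the account-creation rules and the System-to-Organization role pairings from the role definitions above as an inventory check: it flags accounts whose Organization role does not match what this article expects for their System role and lists which accounts hold a System-level role. The function names and the sample accounts are constructed for this example.

```python
"""Audit a ThreatConnect user inventory against the System role rules in this
article.  Added example, not ThreatConnect code; the accounts are constructed."""

# Organization role the article pairs with each System role.  The pairing is
# mandatory for Super User and Read Only User and recommended for the rest.
EXPECTED_ORG_ROLES = {
    "Administrator": {"Organization Administrator"},
    "Operations Administrator": {"Organization Administrator"},
    "Accounts Administrator": {"Standard User"},
    "Community Leader": {"Standard User"},
    "Super User": {"Organization Administrator"},
    "Read Only User": {"Read Only User", "Read Only Commenter"},
}
MANDATORY_PAIRING = {"Super User", "Read Only User"}
# The article's definition: a System-level account has any other System role.
NON_SYSTEM_LEVEL = {"User", "Read Only User"}

def can_create_account(creator_role, target_role, on_prem_or_dedicated=False):
    """Deny unless the article explicitly grants the creator this ability."""
    if creator_role == "Administrator":
        return True
    if creator_role == "Operations Administrator":  # may not create Administrators
        return target_role != "Administrator"
    if creator_role == "Super User":  # user accounts in any Organization,
        return target_role in NON_SYSTEM_LEVEL  # but holds no System-level rights
    if creator_role == "Accounts Administrator":  # On-Premises/Dedicated Cloud only
        return on_prem_or_dedicated and target_role in NON_SYSTEM_LEVEL
    return False

def audit(accounts):
    """accounts: (name, system_role, org_role) tuples -> (findings, elevated names)."""
    findings = []
    for name, system_role, org_role in accounts:
        expected = EXPECTED_ORG_ROLES.get(system_role)
        if expected and org_role not in expected:
            level = "ERROR" if system_role in MANDATORY_PAIRING else "WARN"
            findings.append(f"{level} {name}: {system_role} paired with "
                            f"{org_role}; article expects {sorted(expected)}")
    elevated = [name for name, system_role, _ in accounts
                if system_role not in NON_SYSTEM_LEVEL]
    return findings, elevated

# Constructed sample inventory, not real ThreatConnect accounts.
SAMPLE_ACCOUNTS = [
    ("alice", "Administrator", "Organization Administrator"),
    ("bob", "Super User", "Standard User"),                      # ERROR
    ("carol", "Community Leader", "Organization Administrator"),  # WARN
    ("dave", "Read Only User", "Read Only Commenter"),
    ("erin", "User", "Organization Administrator"),              # any role allowed
]
```

Running `audit(SAMPLE_ACCOUNTS)` reports the Super User mismatch as an error (the pairing is the only one permitted) and the Community Leader mismatch as a warning (the pairing is recommended, not enforced).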

ThreatConnect® is a registered trademark, and TC Exchange™ is a trademark, of ThreatConnect, Inc.
TAXII™ is a trademark of The MITRE Corporation.

20098-01 v.03.A
