In Code42, roles are made up of permissions. To give security personnel at your company the correct permissions they need to do their work with Incydr, you must assign them the right Code42 roles. For example, you'll want to assign security analysts a role that lets them do things like set up alerts and create cases. On the other hand, if you want to give Incydr access to your CISO or Chief Privacy Officer, you may only want to grant them read-only access.
While there are many Code42 roles you can assign that provide permissions for a broad range of Code42 capabilities, there are only a small set of roles you need to assign for users of Incydr. This article describes these roles.
- Assign roles so that users have the lowest level of privilege needed to perform their jobs. Only assign the Customer Cloud Admin role to the "super user" administrator who you want to have all possible permissions.
- After assigning roles, test to confirm that users can perform their required tasks and can access the data they need. To learn which permissions on roles allow users access to particular Incydr features, see Permissions for Incydr.
How to assign roles
To assign roles to Incydr users, go to Administration > Environment > Users, select a user, and then select Edit from the action menu in the upper-right corner.
For more details, see Manage user roles.
Job function roles for Incydr
Some roles in Code42 describe a job function, like Insider Risk Admin, while others describe a feature set, like Audit Log Viewer. You can use combinations of these roles to customize access given to users.
Following are the job function roles to assign to Incydr users. If you decide to add more roles on top of one of these roles, do so with caution; the more roles a user is assigned, the more power that user has in your Code42 environment. In most cases, you only need to assign a single job function role to fulfill the needs of an Incydr user.
For details on all roles, including their permissions, see the Roles reference.
Insider Risk Admin
The Insider Risk Admin has read and write access to all Incydr functionality. For example, they can work with the High Risk Employees list, Departing Employees list, Forensic Search, alerts, and cases. Typically the person assigned this role is also the administrator responsible for managing your team of insider risk analysts.
The Customer Cloud Admin must assign this role. Once the role is assigned, the Insider Risk Admin in turn assigns roles to Incydr users, such as the Insider Risk Analyst and Insider Risk Read Only roles.
If you have assigned the Security Center User role to administrators or analysts who use Incydr, we recommend reassigning them either the Insider Risk Admin or Insider Risk Analyst role instead, depending on their responsibilities. These roles are designed specifically for users of Incydr and only contain permissions for use with Incydr product plans.
Insider Risk Analyst
The Insider Risk Analyst has read and write access to Forensic Search, alerts, user profiles, and cases. However, this role does not have access to the High Risk Employees list or Departing Employees list, so they cannot view or edit risk factors or departure dates. People assigned this role typically investigate and respond to insider risk incidents. They do things like create alert rules and view alert notifications, perform investigations with Forensic Search, and create cases.
Note that Insider Risk Analysts cannot download files from Forensic Search unless they are also assigned the Security Center - Restore role.
Insider Risk Read Only
People assigned the Insider Risk Read Only role have read-only access to all Incydr functionality. This includes the ability to search events, view alerts, view user profiles and detection lists, review cases, and view corresponding configuration details.
This role is intended for users who you need to keep informed about insider risk investigations, but who you do not want performing Incydr actions such as creating alert rules, cases, or saved searches. For example, assign it to a junior analyst to allow them to perform light investigations, or assign it to your CISO or Chief Privacy Officer to allow them read-only access.
Suggested additional roles
Following are additional roles that you can add to Incydr job function roles to expand their capabilities. These are not all of the available additional Code42 roles you can assign, but the ones we recommend for use with Incydr.
High Risk Employee Manager
The High Risk Employee Manager can add and remove users in the High Risk Employees list and set alerts for those users. They cannot perform any other activities such as investigate those users with Forensic Search, create new alert rules, or create cases.
This role is intended to augment the Insider Risk Analyst role, or to be used on its own for application integrations that add or remove users in the High Risk Employees list.
Departing Employee Manager
The Departing Employee Manager can add and remove users in the Departing Employees list and set alerts for those users. However, just as with the High Risk Employee Manager, they cannot perform any other activities such as investigate users with Forensic Search, create new alert rules, or create cases.
This role is intended to augment the Insider Risk Analyst role, or to be used on its own for application integrations that add or remove users in the Departing Employees list.
Security Center - Restore
The Security Center - Restore role allows an individual to download files from Forensic Search. Typically you assign this role to a person who already has another role that allows them to perform investigations with Forensic Search, such as an Insider Risk Analyst.
The person with this role should be cleared to view potentially sensitive company data that may be contained in downloaded files.