Roles for Incydr


In Code42, roles are made up of permissions. To give security personnel at your company the correct permissions they need to do their work with Incydr, you must assign them the right Code42 roles. For example, you'll want to assign security analysts a role that lets them do things like set up alerts and create cases. On the other hand, if you want to give Incydr access to your CISO or Chief Privacy Officer, you may only want to grant them read-only access.

While there are many Code42 roles you can assign that provide permissions for a broad range of Code42 capabilities, there are only a small set of roles you need to assign for users of Incydr. This article describes these roles. 


  • Assign roles so that users have the lowest level of privilege needed to perform their jobs. Only assign the Customer Cloud Admin role to the "super user" administrator who you want to have all possible permissions. 
  • After assigning roles, test to confirm that users can perform their required tasks and can access the data they need. To learn which permissions on roles allow users access to particular Incydr features, see Permissions for Incydr.
Incydr displays data for users in all organizations
Visibility of activity captured by Incydr is not limited by your Code42 organization hierarchy.

Code42 organizations only control endpoint settings related to file preservation (backup), agent deployment, and identity management. Users with roles that allow access to Incydr features (such as the risk dashboards, Alerts, and Forensic Search) can view insider risk data for users in all organizations.

How to assign roles

To assign roles to Incydr users, go to Administration > Environment > Users, select a user, and edit their settings.

For more details, see Manage user roles.

Roles for security team members

Following are the roles to assign to members of your security team. If you decide to add more roles on top of one of these roles, do so with caution. The more roles a user is assigned, the more power that user has in your Code42 environment. In most cases, you only need to assign a single role to fulfill the needs of security team member.

For details on all roles, see the Roles reference.

Insider Risk Admin

Assign this role to your insider risk administrators.

People with this role typically are responsible for managing a team of insider risk analysts. An Insider Risk Admin has read and write access to all Incydr functionality. For example, they can work with watchlists, Forensic Search, Alerts, and Cases. 

The Customer Cloud Admin must assign this role. Once the role is assigned, the Insider Risk Admin in turn assigns roles to Incydr users, such as the Insider Risk Analyst and Insider Risk Read Only roles.

Reassign Security Center User role
Incydr Basic, Advanced, and Gov F1 only
If you have assigned the Security Center User role to administrators or analysts who use Incydr, reassign them either the Insider Risk Admin or Insider Risk Analyst role instead, depending on their responsibilities. These roles are designed specifically for users of Incydr and only contain permissions for use with Incydr product plans

Insider Risk Analyst

Assign this role to analysts responsible for using Incydr to investigate and respond to insider risks.

People with this role have read and write access to Forensic Search, Alerts, User Profiles, and Cases. However, people with this role do not have access to watchlists. 

Note that Insider Risk Analysts cannot download files from Forensic Search unless they are also assigned the Security Center - Restore role.

Insider Risk Read Only

Assign this role to people who need to keep informed about insider risk investigations in Incydr, but who should not investigate or respond to insider risk incidents.

People with this role have read-only access to all Incydr functionality. This includes the ability to search events, view alerts, view user profiles and watchlists, review cases, and view corresponding configuration details. 

Insider Risk Respond

Assign this role to people who are allowed to select options from the Actions menu to respond to insider risk events. This role is intended to augment the Insider Risk Analyst role.

Suggested additional roles for security team members

The following additional roles are available to add to members of your security team to expand their capabilities. These are not all of the available Code42 roles you can assign, but the ones you should use with Incydr. 

Departing Employee Manager

Assign this role to people who add and remove users in the Departing watchlist.

This role is intended to augment the Insider Risk Analyst role. People assigned this role cannot perform any other activities such as investigate users with Forensic Search, create new alert rules, or create cases. 

High Risk Employee Manager

Assign this role to people who add and remove users in all watchlists except for the Departing watchlist.

This role is intended to augment the Insider Risk Analyst role. People assigned this role cannot perform any other activities such as investigate those users with Forensic Search, create new alert rules, or create cases. 

Security Center - Restore

Assign this role to people who need to download a file or get temporary access to a file from the filename shown in the file event details.

Typically you assign this role to people who already have another role that allows them to perform investigations with Forensic Search, such as Insider Risk Analyst. People with this role should be cleared to view potentially sensitive company data that may be contained in downloaded files.

Roles for system administrators

Customer Cloud Admin

Assign this role to the "super user" administrator who should have all possible permissions. The person with this role can perform the tasks of any role.

While most tasks can be performed by users with other roles, you must have the Customer Cloud Admin role to perform the following tasks:

Use with caution
Always assign roles so that users have the lowest level of privilege needed to perform their jobs. Do not assign the Customer Cloud Admin role if another role provides the desired permissions. 

Security Administrator

Assign this role to people who maintain and troubleshoot your Incydr installation.

People with this role manage data connections and perform client management tasks such as app downloadsdeployment policiescustomizations, and Code42 agent upgrades. They have no rights to use Incydr features or see Incydr data. 

The Customer Cloud Admin must assign this role.

Identity Management Administrator

Assign this role to people who configure single sign-on and provisioning in the Identity Management panel of the Code42 console. 

This role is intended to augment the Security Administrator role, or to be used as a standalone role. 

Audit Log Viewer

Assign this role to people that you want to "watch the watchers," that is, spot-check the work of security analysts to prevent abuse of privileged access.

The people assigned this role can view Code42 events recorded in the Audit Log.