Hi,
I was hoping someone would be able to let me know the correct role to choose for a user whose responsibility will be to create playbooks.
The Automation Engineer and the Incident Commander both have these permissions:
Apps: can view
Assets: can view
Events: can edit, can view
Custom Lists: can view
Playbooks: can edit, can view, can execute, can edit code
System Settings: can view
User & Roles: can view
The Incident Commander has a few additional permissions:
Cases: can delete, can edit, can view
Playbooks: can delete
System Settings: can edit
Thank you!
Hi @ang3la42 -
If you're looking for the right out-of-the-box permissions for a user who'll primarily be building playbooks (but not necessarily responding to incidents), then 'Automation Engineer' is the way to go. From the docs, it's described thusly:
"Automation Engineers are responsible for building the playbooks required to automate security operations.
Responsible for:
- Creating and Managing PLAYBOOKS"
However, as you point out, the Automation Engineer role does include the ability to view and edit events (but not cases) - which is useful for testing when building playbooks. Further lock-down could be accomplished by creating a custom role if necessary.