Skip to content
  • There are no suggestions because the search field is empty.

Step 2. Assign Respond View Permissions

Step 2. Assign Respond View PermissionsStep 2. Assign Respond View Permissions

Add users with the required permissions to investigate incidents and alerts in NetWitness Respond. Users with access to the Respond view need both Incidents and Respond-server permissions. Users with access to configure incident email notification settings need additional Integration-server permissions.

The following pre-configured roles have permissions in the Respond view:

  • Analysts: The Security Operations Center (SOC) Analysts have access to Alerting, NetWitness Respond, Investigate, and Reporting, but not system configurations.
  • Malware Analysts: Malware Analysts have access to investigations and malware events.
  • Operators: Operators have access to configurations, but not Investigate, ESA, Alerting, Reporting and NetWitness Respond.
  • SOC_Managers: The SOC Managers have the same access as Analysts plus additional permissions to handle incidents and configure NetWitness Respond.
  • Data_Privacy_Officers: Data Privacy Officers (DPOs) are like Administrators with additional focus on configuration options that manage obfuscation and viewing of sensitive data within the system. See the Data Privacy Management Guide for additional information. Go to the NetWitness All Versions Documents page and find NetWitness Platform guides to troubleshoot issues.
  • Respond_Administrator: The Respond Administrator has full access to NetWitness Respond.
  • Administrators: The Administrator has full system access to NetWitness and has all permissions by default.

The NetWitness Respond default permissions are shown in the following tables. You need to assign user permissions from both the Incidents and Respond-server tabs, which are the Permissions tab names in the netwitness_adminicon_25x22.png (Admin) > Security view Add or Edit Roles dialogs. You may want to add additional user permissions for Alerting, Context Hub, Investigate, Investigate-server, and Reports.

Caution: It is very important that you assign equivalent user permissions from BOTH the Respond-server tab AND the Incidents tab.

Users who configure incident email notification settings also need permissions in the Integration-server tab.

Respond-serverRespond-server

  • Permissions: respond-server.alert.delete
  • Analysts:
  • SOCMgrs:
  • DPOs:

    Yes*

  • RespondAdmin:

    Yes*

  • Operators:
  • MAs:

  • Permissions: respond-server.alert.manage
  • Analysts: Yes
  • SOCMgrs: Yes
  • DPOs: Yes*
  • RespondAdmin: Yes*
  • Operators:
  • MAs: Yes

  • Permissions: respond-server.alert.read
  • Analysts: Yes
  • SOCMgrs: Yes
  • DPOs: Yes*
  • RespondAdmin: Yes*
  • Operators:
  • MAs:

    Yes


  • Permissions: respond-server.alertrule.manage
  • Analysts:
  • SOCMgrs:

    Yes

  • DPOs:

    Yes*

  • RespondAdmin:

    Yes*

  • Operators:
  • MAs:

  • Permissions: respond-server.alertrule.read
  • Analysts:
  • SOCMgrs: Yes
  • DPOs: Yes*
  • RespondAdmin: Yes*
  • Operators:
  • MAs:

  • Permissions: respond-server.configuration.manage
  • Analysts:
  • SOCMgrs:
  • DPOs:

    Yes*

  • RespondAdmin:

    Yes*

  • Operators:
  • MAs:

  • Permissions: respond-server.health.read
  • Analysts:
  • SOCMgrs:
  • DPOs: Yes*
  • RespondAdmin: Yes*
  • Operators:
  • MAs:

  • Permissions: respond-server.incident.delete
  • Analysts:
  • SOCMgrs:
  • DPOs: Yes*
  • RespondAdmin: Yes*
  • Operators:
  • MAs:

  • Permissions:

    respond-server.incident.manage

  • Analysts:

    Yes

  • SOCMgrs:

    Yes

  • DPOs:

    Yes*

  • RespondAdmin:

    Yes*

  • Operators:
  • MAs:

    Yes


  • Permissions: respond-server.incident.read
  • Analysts: Yes
  • SOCMgrs: Yes
  • DPOs: Yes*
  • RespondAdmin: Yes*
  • Operators:
  • MAs: Yes

  • Permissions: respond-server.journal.manage
  • Analysts:

    Yes

  • SOCMgrs:

    Yes

  • DPOs:

    Yes*

  • RespondAdmin:

    Yes*

  • Operators:
  • MAs:

    Yes


  • Permissions: respond-server.journal.read
  • Analysts: Yes
  • SOCMgrs: Yes
  • DPOs: Yes*
  • RespondAdmin: Yes*
  • Operators:
  • MAs: Yes

  • Permissions:

    respond-server.logs.manage

  • Analysts:
  • SOCMgrs:
  • DPOs:

    Yes*

  • RespondAdmin:

    Yes*

  • Operators:
  • MAs:

  • Permissions: respond-server.metrics.read
  • Analysts:
  • SOCMgrs:
  • DPOs: Yes*
  • RespondAdmin: Yes*
  • Operators:
  • MAs:

  • Permissions: respond-server.notification.manage
    (Available in 11.1 and later)
  • Analysts:
  • SOCMgrs: Yes
  • DPOs: Yes*
  • RespondAdmin: Yes*
  • Operators:
  • MAs:

  • Permissions: respond-server.notification.read
    (Available in 11.1 and later)
  • Analysts:
  • SOCMgrs: Yes
  • DPOs: Yes*
  • RespondAdmin: Yes*
  • Operators:
  • MAs:

  • Permissions: respond-server.process.manage
  • Analysts:
  • SOCMgrs:
  • DPOs: Yes*
  • RespondAdmin: Yes*
  • Operators:
  • MAs:

  • Permissions: respond-server.remediation.manage
  • Analysts: Yes
  • SOCMgrs: Yes
  • DPOs: Yes*
  • RespondAdmin: Yes*
  • Operators:
  • MAs: Yes

  • Permissions: respond-server.remediation.read
  • Analysts:

    Yes

  • SOCMgrs:

    Yes

  • DPOs:

    Yes*

  • RespondAdmin:

    Yes*

  • Operators:
  • MAs:

    Yes


  • Permissions: respond-server.risk.manage
  • Analysts: Yes
  • SOCMgrs:
  • DPOs: Yes*
  • RespondAdmin: Yes*
  • Operators:
  • MAs:

  • Permissions: respond-server.risk.read
  • Analysts: Yes
  • SOCMgrs:
  • DPOs: Yes*
  • RespondAdmin: Yes*
  • Operators:
  • MAs:

  • Permissions: respond-server.security.manage
  • Analysts:
  • SOCMgrs:
  • DPOs: Yes*
  • RespondAdmin: Yes*
  • Operators:
  • MAs:

  • Permissions:

    respond-server.security.read

  • Analysts:
  • SOCMgrs:
  • DPOs:

    Yes*

  • RespondAdmin:

    Yes*

  • Operators:
  • MAs:

* Data Privacy Officers and Respond Administrators have the respond-server.* permission, which gives them all of the Respond-server permissions.

IncidentsIncidents

  • Permissions:

    Access Incident Module

  • Analysts: Yes
  • SOCMgrs: Yes
  • DPOs: Yes
  • RespondAdmin: Yes
  • Operators:
  • MAs:

    Yes


  • Permissions: Configure Incident Management Integration
  • Analysts:
  • SOCMgrs:

    Yes

  • DPOs: Yes
  • RespondAdmin: Yes
  • Operators:
  • MAs:

  • Permissions:

    Delete Alerts and Incidents

  • Analysts:
  • SOCMgrs:
  • DPOs:

    Yes

  • RespondAdmin: Yes
  • Operators:
  • MAs:

  • Permissions: Manage Alert Handling Rules
  • Analysts:
  • SOCMgrs:

    Yes

  • DPOs: Yes
  • RespondAdmin: Yes
  • Operators:
  • MAs:

  • Permissions:

    View and Manage Incidents

  • Analysts: Yes
  • SOCMgrs: Yes
  • DPOs:

    Yes

  • RespondAdmin: Yes
  • Operators:
  • MAs:

    Yes


The Respond Administrator has all of the Respond-server and Incidents permissions.

Integration-serverIntegration-server

Note: The Integration-server permissions are available in NetWitness version 11.1 and later.

Users who configure incident email notification settings also need Integration-server permissions. The following table lists the incident notification permissions in the Integration-server tab assigned to each role.

  • Permissions: integration-server.notification.read
  • Analysts:
  • SOCMgrs:

    Yes

  • DPOs:

    Yes

  • RespondAdmin:

    Yes

  • Operators:
  • MAs:

  • Permissions: integration-server.notification.manage
  • Analysts:
  • SOCMgrs: Yes
  • DPOs: Yes
  • RespondAdmin: Yes
  • Operators:
  • MAs:

Investigate-serverInvestigate-server

Users who view Event Analysis in Respond also need Investigate-server permissions. The following table lists the Respond Event Analysis permissions required in the Investigate-server tab and the permissions assigned to each role.

  • Permissions: investigate-server.event.read
  • Analysts:

    Yes

  • SOCMgrs:

    Yes

  • DPOs:

    Yes

  • RespondAdmin: