# Role-Based Access Control

Role-Based Access Control (RBAC) lets you configure fine-grained user access in Panther.

A role is a configurable set of permissions, and each user is assigned to exactly one role. You can use the default roles provided, customize them to your needs, and/or create new roles. For certain permissions, you can [restrict accessible log types](#rbac-per-log-type). It is possible to create a role with no permissions.

You can manage roles in your Panther Console or with the Panther [REST API](https://docs.panther.com/panther-developer-workflows/api/rest/roles) or [GraphQL API](https://docs.panther.com/panther-developer-workflows/api/graphql/user-management).

## Panther user roles

### Default Panther roles

When you first deploy Panther, the following three roles are automatically created for you:

* `Admin`
  * This role is automatically assigned to all existing users and has all available permissions.
* `Analyst`
  * This role can use all the cloud security and log analysis features, but cannot modify settings.
* `AnalystReadOnly`
  * This role can view resources and alerts and Python code, but cannot change anything.

{% hint style="warning" %}
**Important details about the `Admin` role:**

* A user with the `Admin` role cannot downgrade themselves to a non-`Admin` role. Only another `Admin` user can downgrade their role on their behalf.
* Only a user with the `Admin` role can delete other users with the `Admin` role. Self-deletions are not supported.
* At least one password-based user must have the `Admin` role.
  * If **Enforce Single Sign On (SSO)** is enabled, at least one IdP-managed user must also have the `Admin` role, in addition to at least one password-based user with the `Admin` role.
{% endhint %}

<figure><img src="https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fgit-blob-531b4d816b27d0d3c2731edc1e382b8c516a8e38%2Fimage.png?alt=media" alt="The default roles screen in the Panther Console shows three roles: Admin, Analyst, and AnalystReadOnly."><figcaption></figcaption></figure>

## Customizing roles

A user assigned to a role that has the **Manage Users** permission (or `UserModify`, if created through the API) can customize all other roles.

* There is no limit on the number of roles you can create.
* You can rename roles, but all roles must have unique names.
* You can [change permissions on roles](#update-a-roles-permissions), but at least one user must have the **Manage Users**/`UserModify` permission.
* You can delete a role if no users are currently assigned to it.

<figure><img src="https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fgit-blob-3425c6ef15f9e0cb5fc18b18985b829658cbc3a4%2Frbac-role-edit%20(7)%20(7)%20(8).png?alt=media" alt="The role editor screen in the Panther Console displays a field to add a name, and options to customize permissions." width="563"><figcaption></figcaption></figure>

For instructions on customizing a role with restrictions on certain log types, see the [RBAC per log type](#rbac-per-log-type) section below.

### Permission names in the Console and API

| Panther Console | Public API Permission | Description |
| --- | --- | --- |
| Bulk Upload | `BulkUpload` | Allow bulk upload of both policies and rules |
| Bulk Upload Validate | `BulkUploadValidate` | Allow a bulk upload to be validated |
| Manage AI Responses | `ManageAIResponses` | Edit/delete any user's AI responses |
| Manage Alerts | `AlertModify` | Read + update, add, and delete alerts |
| Manage API Tokens | `OrganizationAPITokenModify` | List/describe + create, modify, delete Panther API tokens |
| Manage Cloud Security Sources | `CloudsecSourceModify` | Read + add, delete, and modify cloud security integrations |
| Manage Log Sources | `LogSourceModify` | Read + add, delete, and modify log analysis integrations |
| Manage Policies | `PolicyModify` | Read + update, add, and delete policies |
| Manage Rules | `RuleModify` | Read + update, add, and delete rules |
| Manage Saved Searches | `DataAnalyticsModify` | Creates and updates saved queries |
| Manage Users | `UserModify` | List + invite, delete, and modify users & their roles |
| Query Data Lake | `DataAnalyticsRead` | Run queries over historical data |
| Read Alerts | `AlertRead` | View alerts |
| Read API Token Info | `OrganizationAPITokenRead` | List/describe all Panther API tokens |
| Read Panther Metrics | `SummaryRead` | Fetch summary data for the overview dashboards |
| Read Panther Settings Info | `GeneralSettingsRead` | View basic settings like error reporting and org name |
| Read User Info | `UserRead` | List all Panther users & available roles |
| Run Panther AI | `RunPantherAI` | Use Panther AI |
| View AI Private Responses | `ViewAIPrivateResponses` | View all users' private AI responses |
| View Cloud Security Sources | `CloudsecSourceRead` | View list of cloud security integrations and their configurations |
| View Log Sources | `LogSourceRead` | View list of log analysis integrations and their configurations |
| View Policies | `PolicyRead` | View policies and their compliance status |
| View Rules | `RuleRead` | View rules |

### Updating a role's permissions <a href="#update-a-roles-permissions" id="update-a-roles-permissions"></a>

To update the permissions associated with a role:

1. In the upper-right corner of your Panther Console, click the gear icon > **User Roles**.
2. In the upper-right corner of the tile for the role you'd like to update, click the three dots icon > **Edit**.\
   ![To the right of an "AnalystReadOnly" title, an arrow is drawn from a three dots icon to an "Edit" option in a sub-menu.](https://docs.panther.com/~gitbook/image?url=https%3A%2F%2F4011785613-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252F-LgdiSWdyJcXPahGi9Rs-2910905616%252Fuploads%252FoZcxAxiJ60oUEbSyJMZe%252FScreenshot%25202025-03-18%2520at%252012.05.19%25E2%2580%25AFPM.png%3Falt%3Dmedia%26token%3Dd6504c01-96af-437b-99dd-f125546d5264\&width=300\&dpr=4\&quality=100\&sign=ae91708a\&sv=2)
3. Make desired changes to the permissions set.
4. Click **Update Role**.

{% hint style="info" %}
Permission changes will not take effect until the affected user refreshes the browser where they are logged in to Panther or signs out and back in to Panther.

If, after expanding a user's permissions, the user continues to see an `access denied` error, verify they have the required **read** permission for the page they're attempting to access.
{% endhint %}

## Creating a new role <a href="#creating-a-new-role" id="creating-a-new-role"></a>

Follow the instructions below to create a new role in the Console. Alternatively, you can create a new role using the Panther [GraphQL API](https://docs.panther.com/panther-developer-workflows/api/graphql/user-management#creating-a-new-role) or [REST API](https://docs.panther.com/panther-developer-workflows/api/rest/roles#roles).

1. In the upper-right corner of the Panther Console, click the gear icon, then **User Roles**.
2. Click **Create New**.
3. In the **Name** field, enter a descriptive name for the role.
4. Select the checkbox for each of the permissions you'd like this role to have.
   1. Currently, some permissions support log type filtering. (See [RBAC per log type](#rbac-per-log-type) for more information.) If you select a permission that supports log type restrictions, choose one of the following options:
      * **Full access to logs**
      * **Allow access to selected Log Types**
      * **Deny access to selected Log Types**\
        ![In an Alerts section, a checkbox next to View Alerts is checked. Below, there are three radio buttons: Full access to logs, Allow access to selected Log Types, and Deny access to selected Log Types. The second one has been selected, and a Select Log Types dropdown has one value: AWS.ALB](https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fgit-blob-5d61482c795911e456d569863ceb80b3a2ccd27a%2FScreenshot%202023-04-12%20at%2012.57.50%20PM.png?alt=media)
   2. If you opted to **Allow access to selected Log Types** or **Deny access to selected Log Types**, in the **Select Log Types** dropdown, select the individual log types the user should be allowed to access or restricted from accessing.
      * Be sure to read through the [limitations listed below](#caveats-with-rbac-per-log-type-in-panther) to understand the current limitations of the RBAC by log type feature.
      * Remember that log type selections sync across all permissions that support log type restrictions, for a given role.
5. Click **Create Role**.
   * Note that it may take up to one minute for your change to propagate across all of Panther's services.

You can now assign the role to users you onboard onto Panther.

## RBAC per log type <a href="#rbac-per-log-type" id="rbac-per-log-type"></a>

{% hint style="warning" %}
While this feature is available to all customers with [Snowflake Enterprise Edition](https://docs.snowflake.com/en/user-guide/intro-editions#label-snowflake-editions-enterprise), Panther must first enable it for your instance. If you are interested in using it, please reach out to your account team.\
\
This feature is currently not compatible with a [Databricks backend.](https://docs.panther.com/search/backend/databricks)
{% endhint %}

### Prerequisites for Cloud Connected Snowflake accounts

If you're using a [Cloud Connected](https://docs.panther.com/system-configuration/panther-deployment-types/cloud-connected) Snowflake instance, in order to enable RBAC per log type, the following must be true:

* Your [Snowflake edition](https://docs.snowflake.com/en/user-guide/intro-editions) must be Enterprise or higher.
* The `pantheraccountadmin` user account must be enabled in your Snowflake instance. If it is not already enabled, follow the instructions in [Snowflake's Enabling a User documentation](https://docs.snowflake.com/en/user-guide/admin-user-management#disabling-enabling-a-user).

### How to restrict log types for a certain role

You can create a new role and restrict log access for it, or alter the permissions of an existing role to restrict log access. See the [Creating a new role instructions](#creating-a-new-role), paying attention to Step 4.

### RBAC per log type for search

You can use the **Run Log Queries** permission to limit a role's log type access in Panther's search tools, including [Data Explorer](https://docs.panther.com/search/data-explorer) and [Search](https://docs.panther.com/search/search-tool).

In Data Explorer, only tables for the log types the user has access to will display in the Data Explorer filter list, as well as in predictive text in the SQL editor.

When pivoting into Data Explorer from another area of the Console (such as from a log source's Schemas view), if the filled SQL query references a table for a log source the user does not have access to, upon running the query, the user will receive an error.

In Search, database tables for restricted log types will not populate in the [tables filter](https://docs.panther.com/search/search-tool#table-filter).

<details>

<summary>Limitations for RBAC per log type for search</summary>

Note the following limitations when RBAC per log type for search is applied to a role:

* **Alerts:** This feature does not currently enforce RBAC per log type restrictions in alerts, and therefore blocks users from viewing/managing them (unless the [RBAC per log type for alerts](#rbac-per-log-type-for-alerts) feature is enabled).
  * The following permissions may not be enabled: **View Alerts**, **Manage Alerts**.
* **Detections**: The **Manage Rules** and **Manage Policies** permissions may not be enabled.
  * The **View Rules** and **View Policies** permissions may be enabled.
* **Cloud Security data**: Only users with full access to all log types will be able to view Cloud Security data in the `panther_cloudsecurity` database and the `panther_views.public.all_cloudsecurity` view in Snowflake.
  * All other Cloud Security data (resources, compliance) in the Console (e.g., on the Overview and Detections pages) will be available to all users.
* **Saved Searches:** Users with restricted access cannot create [Saved Searches](https://docs.panther.com/search/scheduled-searches) (nor view Saved Searches).
  * **Scheduled Searches:** If a user with a role with full log type access has Scheduled Searches and is then switched to a role with restricted log type access (or their same role is modified to restrict log type access), their Scheduled Searches will stop running.
* **Lookup Tables**: A user with a restricted role will **not** be able to query Lookup Tables in Data Explorer or Search.
* **External tables**: Queries to external (non-Panther-created) tables will only function for users with access to all log types.
* **API Tokens**: This feature does **not** support API tokens. All API tokens have full access to the data lake and Saved Searches.

</details>

### RBAC per log type for alerts

You can use the **View Alerts** and **Manage Alerts** permissions to limit a role's access to alerts based on log type. When selecting either of these permissions, you will be prompted to select the log types to allow or restrict access to.

The set of accessible log types selected for **View Alerts** and **Manage Alerts** will be synced with the **Run Log Queries** permission. One role cannot have two permissions with different log type restrictions.

All [limitations for RBAC per log type for search, listed above](#limitations-for-rbac-per-log-type-for-search), apply—except for the alerts limitation.
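As an added example (not Panther's code or API), the following Python checker evaluates a proposed set of roles against the rules from Customizing roles and the limitations above: unique role names, at least one user keeping Manage Users/`UserModify`, no deletion of a role that still has users, and which permissions a log-type-restricted role may carry. The `Role` structure, the `users` mapping and the `alerts_rbac_enabled` flag are assumptions made for illustration; the permission names are the API names from the table.

```python
from dataclasses import dataclass

FULL, ALLOW, DENY = "full", "allow", "deny"            # log-type restriction modes
NOT_WITH_RESTRICTION = {"RuleModify", "PolicyModify"}  # never on a restricted role
ALERT_PERMS = {"AlertRead", "AlertModify"}             # need RBAC per log type for alerts

@dataclass
class Role:                       # assumed structure, not Panther's API object
    name: str
    permissions: set
    log_mode: str = FULL          # one restriction per role: it syncs across permissions
    log_types: frozenset = frozenset()

def validate_role(role, alerts_rbac_enabled=False):
    """Problems with one role definition under the limitations listed above."""
    problems = []
    if role.log_mode == FULL:
        return problems
    if not role.log_types:
        problems.append(f"{role.name}: {role.log_mode} mode needs at least one log type")
    for perm in sorted(role.permissions & NOT_WITH_RESTRICTION):
        problems.append(f"{role.name}: {perm} cannot be enabled on a log-type-restricted role")
    if not alerts_rbac_enabled:
        for perm in sorted(role.permissions & ALERT_PERMS):
            problems.append(f"{role.name}: {perm} requires RBAC per log type for alerts")
    return problems

def validate_roles(roles, users, alerts_rbac_enabled=False):
    """Cross-role checks; `users` maps user name -> role name."""
    problems = []
    names = [r.name for r in roles]
    if len(set(names)) != len(names):
        problems.append("role names must be unique")
    perms_of = {r.name: r.permissions for r in roles}
    if not any("UserModify" in perms_of.get(role, set()) for role in users.values()):
        problems.append("at least one user must keep UserModify (Manage Users)")
    for role in roles:
        problems.extend(validate_role(role, alerts_rbac_enabled))
    return problems

def can_delete_role(role_name, users):
    """A role can only be deleted when no user is currently assigned to it."""
    return role_name not in users.values()

if __name__ == "__main__":
    # Constructed sample data, not from a real Panther tenant.
    admin = Role("Admin", {"UserModify", "RuleModify", "AlertModify"})
    triage = Role("ALBTriage", {"AlertRead", "RuleModify"}, ALLOW, frozenset({"AWS.ALB"}))
    print(validate_roles([admin, triage], {"alice": "Admin", "bob": "ALBTriage"}))
```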

## AI-related permissions

Panther includes several AI-related permissions that control access to Panther AI features.

### Run Panther AI

The **Run Panther AI** permission allows users to interact with Panther AI features, including:

* Starting AI conversations and asking questions
* Running AI alert triage on demand
* Creating and managing scheduled AI prompts
* Accessing AI-powered analysis and recommendations

### AI Run As

The **AI Run As** permission is an administrative permission that allows users to configure run-as user settings for AI automations. Users with this permission can:

* Configure scheduled prompts to run as a specific user or API token instead of the prompt creator
* Configure auto-run AI alert triage to run as a specific user or API token instead of using system-level permissions
* Specify which user account's permissions and data access should be used for automated AI executions

{% hint style="info" %}
The **AI Run As** permission implies **Run Panther AI**: users with **AI Run As** are automatically granted **Run Panther AI** as well.
{% endhint %}
