Role-Based Access Control

Role-Based Access Control (RBAC) gives Panther deployments fine-grained access control for their user accounts. A role is a configurable set of permissions, and every user is assigned to exactly one role.

Default Roles

When you first deploy Panther, the following three roles are automatically created for you:
  • Admin
    • This role is automatically assigned to all existing users and has all available permissions.
  • Analyst
    • This role can use all the cloud security and log analysis features, but cannot modify settings.
  • AnalystReadOnly
    • This role can view resources and alerts and Python code, but cannot change anything.
The default roles screen in the Panther Console shows three roles: Admin, Analyst, and AnalystReadOnly.

Customizing Roles

A user with UserModify permissions can customize all other roles.
  • There is no limit on the number of roles you can create.
  • You can rename roles, but all roles must have unique names.
  • You can change permissions on roles, but at least one user must have UserModify permissions.
  • You can delete roles if no users are currently assigned to them.
The role editor screen in the Panther Console displays a field to add a name, and options to customize permissions.
  • Permission changes will not take effect until the affected user refreshes the browser where they are logged in to Panther or signs out and back in to Panther.
  • If, after updating a user's permissions, the user continues to see an access denied error, double-check to see if they are missing another Read permission that would be required for the page they are trying to access

Setting up RBAC per Log Type for Data Explorer

RBAC per Log Type is in Closed Beta as of version 1.41.
Please share any bug reports and feature requests with your account team.

Caveats with RBAC Per Log Type in Panther

This closed beta feature is the first part of a larger RBAC per Log Type capability, with an initial focus on enforcing controls in Data Explorer queries. Please note the following caveats:
  • Deployment types: This feature is only available to SaaS customers with a Panther-managed Snowflake data lake.
    • This feature is not available to customers using a Configured Snowflake (formerly Bring Your Own Snowflake) deployment or Panther's legacy customer-configured Snowflake deployment, or to customers using Athena.
  • Enforcement limitation: This feature does not enforce RBAC per Log Type restrictions in Alerts or Detections at this time.
    • When creating a role with restricted log type permissions, the Panther Console will prevent the creation of a role with the ability to View Alerts and View Detections. This limitation also applies to roles created via the API.
  • Cloud Security data: Only users with full access to all log types will be able to view Cloud Security data in the panther_cloudsecurity database and the panther_views.public.all_cloudsecurity view in Snowflake.
    • All other Cloud Security data (resources, compliance) in the Panther Console (Overview, Detections pages) will be available to all users.
  • Scheduled queries: Users with full access to all log types will be able to view all scheduled query tables with no restriction.
    • Users with restricted log type access will be able to save a scheduled query but cannot access the tables of their scheduled query at this time.
    • If a user with restricted log type access is deleted, their scheduled queries will stop running.
    • If a user with full log type access switches to restricted log type access, their scheduled queries will stop running.
  • Indicator Search: Indicator Search will not be functional for restricted roles. Only roles that have full log type access will be able to use indicator search at this time.
  • Lookup Tables: A user with a restricted role will not be able to query Lookup Tables in Data Explorer or Indicator Search.
  • External tables: Queries to external (non Panther-created) tables will only function for users with access to all log types.
  • API Tokens: This feature does not support API tokens. All API tokens have full access to the data lake and saved queries.

How to set up a role with Restricted Log Types

Follow these steps to set up a role with restricted access to log types in Data Explorer.
  1. 1.
    Log in to the Panther Console and navigate to Settings > User Roles.
  2. 2.
    In the upper right, click Create New.
  3. 3.
    In the Name field, add a descriptive name for the role.
  4. 4.
    Scroll down to the Data section and check the box next to Run Log Queries.
  5. 5.
    Choose from the following options:
    • Allow access to all log types.
    • Restrict access to a certain set of log types.
    • Exclude access from a certain set of log types.
  6. 6.
    After you've selected the log types to restrict or exclude, you can select other permissions to include in the role. Be sure to read through the caveats listed above to understand the current limitations of the feature.
  7. 7.
    Click Create Role.
You can now assign the role to users you onboard onto Panther.