Knowledge Base Community Release Notes Request Demo

Role-Based Access Control

PreviousSystem Configuration NextIdentity & Access Integrations

Last updated 3 days ago

Was this helpful?

Role-Based Access Control

Role-Based Access Control (RBAC) lets you configure fine-grained user access in Panther.

A role is a configurable set of permissions, and each user is assigned to one role. You can use the default roles provided, customize them to your needs, and/or create new roles. For certain permissions, you can restrict accessible log types. It is possible to create a role with no permissions.

You can manage roles in your Panther Console or with the Panther REST API or GraphQL API.

Panther user roles

Default Panther roles

When you first deploy Panther, the following three roles are automatically created for you:

Admin
- This role is automatically assigned to all existing users and has all available permissions.
Analyst
- This role can use all the cloud security and log analysis features, but cannot modify settings.
AnalystReadOnly
- This role can view resources and alerts and Python code, but cannot change anything.

Customizing roles

A user assigned to a role that has the Manage Users permission (or UserModify, if created through the API) can customize all other roles.

There is no limit on the number of roles you can create.
You can rename roles, but all roles must have unique names.
You can change permissions on roles, but at least one user must have the Manage Users/UserModify permission.
You can delete a role if no users are currently assigned to it.

For instructions on customizing a role with restrictions on certain log types, see the RBAC per log type section below.

Updating a role's permissions

To update the permissions associated to a role:

In the upper-right corner of your Panther Console, click the gear icon > User Roles.
Make desired changes to the permissions set.
Click Update Role.

Permission changes will not take effect until the affected user refreshes the browser where they are logged in to Panther or signs out and back in to Panther.

If, after expanding a user's permissions, the user continues to see an access denied error, verify they have the required read permission for the page they're attempting to access.

Creating a new role

Follow the instructions below to create a new role in the Console. Alternatively, you can create a new role using the Panther GraphQL API or REST API.

In the upper-right corner of the Panther Console, click the gear icon, then User Roles.
Click Create New.
In the Name field, enter a descriptive name for the role.
Select the checkbox for each of the permissions you'd like this role to have.
1. Currently, some permissions support log type filtering. (See RBAC per log type for more information.) If you select a permission that supports log type restrictions, choose one of the following options:
  - Full access to logs
  - Allow access to selected Log Types
2. If you opted to Allow access to selected Log Types or Deny access to selected Log Types, in the Select Log Types dropdown, select the individual log types the user should be allowed to access or restricted from accessing.
  - Be sure to read through the limitations listed below to understand the current limitations of the RBAC by log type feature.
  - Remember that log type selections sync across all permissions that support log type restrictions, for a given role.
Click Create Role.
- Note that it may take a up to one minute for your change to propagate across all of Panther's services.

You can now assign the role to users you onboard onto Panther.

RBAC per log type

While this feature is available to all customers with Snowflake Enterprise Edition, Panther must first enable it for your instance. If you are interested in using it, please reach out to your account team.

Prerequisites for Cloud Connected Snowflake accounts

If you're using a Cloud Connected Snowflake instance, in order to enable RBAC per log type, the following must be true:

Your Snowflake edition must be Enterprise or higher.
The pantheraccountadmin user account must be enabled in your Snowflake instance. If it is not already enabled, follow the instructions in Snowflake's Enabling a User documentation.

How to restrict log types for a certain role

You can create a new role and restrict log access for it, or alter the permissions of an existing role to restrict log access. See the Creating a new role instructions, paying attention to Step 4.

RBAC per log type for search

You can use the Run Log Queries permission to limit a role's log type access in Panther's search tools, including Data Explorer and Search.

In Data Explorer, only tables for the log types the user has access to will display in the Data Explorer filter list, as well as in predictive text in the SQL editor.

When pivoting into Data Explorer from another area of the Console (such as from a log source's Schemas view), if the filled SQL query references a table for a log source the user does not have access to, upon running the query, the user will receive an error.

In Search, database tables for restricted log types will not populate in the tables filter.

Limitations for RBAC per log type for search

Note the following limitations when RBAC per log type for search is applied to a role:

Alerts: This feature does not currently enforce RBAC per log type restrictions in alerts or, and therefore blocks users from viewing/managing them (unless the RBAC per log type for alerts feature is enabled).
- The following permissions may not be enabled: View Alerts, Manage Alerts.
Detections: The Manage Rules and Manage Policies permissions may not be enabled.
- The View Rules and View Policies permissions may be enabled.
Cloud Security data: Only users with full access to all log types will be able to view Cloud Security data in the panther_cloudsecurity database and the panther_views.public.all_cloudsecurity view in Snowflake.
- All other Cloud Security data (resources, compliance) in the Console (e.g., on the Overview and Detections pages) will be available to all users.
Saved Queries: Users with restricted access cannot create Saved Queries.
- Scheduled Queries: If a user with a role with full log type access has Scheduled Queries and is then switched to a role with restricted log type access (or their same role is modified to restrict log type access), their Scheduled Queries will stop running.
Lookup Tables: A user with a restricted role will not be able to query Lookup Tables in Data Explorer or Search.
External tables: Queries to external (non Panther-created) tables will only function for users with access to all log types.
API Tokens: This feature does not support API tokens. All API tokens have full access to the data lake and saved queries.

RBAC per log type for alerts

You can use the View Alerts and Manage Alerts permissions to limit a role's access to alerts based on log type. When selecting either of these permissions, you will be prompted to select the log types to allow or restrict access to.

The set of accessible log types selected for View Alerts and Manage Alerts will be synced with the Run Log Queries permission. One role cannot have two permissions with different log type restrictions.

All limitations for RBAC per log type for search, listed above, apply—except for the alerts limitation.

PreviousSystem Configuration NextIdentity & Access Integrations

Last updated 3 days ago

Was this helpful?

Role-Based Access Control (RBAC) lets you configure fine-grained user access in Panther.

You can manage roles in your Panther Console or with the Panther REST API or GraphQL API.

Panther user roles

Default Panther roles

When you first deploy Panther, the following three roles are automatically created for you:

Admin
- This role is automatically assigned to all existing users and has all available permissions.
Analyst
- This role can use all the cloud security and log analysis features, but cannot modify settings.
AnalystReadOnly
- This role can view resources and alerts and Python code, but cannot change anything.

Customizing roles

A user assigned to a role that has the Manage Users permission (or UserModify, if created through the API) can customize all other roles.

There is no limit on the number of roles you can create.
You can rename roles, but all roles must have unique names.
You can change permissions on roles, but at least one user must have the Manage Users/UserModify permission.
You can delete a role if no users are currently assigned to it.

For instructions on customizing a role with restrictions on certain log types, see the RBAC per log type section below.

Updating a role's permissions

To update the permissions associated to a role:

In the upper-right corner of your Panther Console, click the gear icon > User Roles.
In the upper-right corner of the tile for the role you'd like to update, click the three docs icon > Edit.
Make desired changes to the permissions set.
Click Update Role.

Permission changes will not take effect until the affected user refreshes the browser where they are logged in to Panther or signs out and back in to Panther.

If, after expanding a user's permissions, the user continues to see an access denied error, verify they have the required read permission for the page they're attempting to access.

Creating a new role

Follow the instructions below to create a new role in the Console. Alternatively, you can create a new role using the Panther GraphQL API or REST API.

In the upper-right corner of the Panther Console, click the gear icon, then User Roles.
Click Create New.
In the Name field, enter a descriptive name for the role.
Select the checkbox for each of the permissions you'd like this role to have.
1. Currently, some permissions support log type filtering. (See RBAC per log type for more information.) If you select a permission that supports log type restrictions, choose one of the following options:
  - Full access to logs
  - Allow access to selected Log Types
  - Deny access to selected Log Types
2. If you opted to Allow access to selected Log Types or Deny access to selected Log Types, in the Select Log Types dropdown, select the individual log types the user should be allowed to access or restricted from accessing.
  - Be sure to read through the limitations listed below to understand the current limitations of the RBAC by log type feature.
  - Remember that log type selections sync across all permissions that support log type restrictions, for a given role.
Click Create Role.
- Note that it may take a up to one minute for your change to propagate across all of Panther's services.

You can now assign the role to users you onboard onto Panther.

RBAC per log type

Prerequisites for Cloud Connected Snowflake accounts

If you're using a Cloud Connected Snowflake instance, in order to enable RBAC per log type, the following must be true:

Your Snowflake edition must be Enterprise or higher.
The pantheraccountadmin user account must be enabled in your Snowflake instance. If it is not already enabled, follow the instructions in Snowflake's Enabling a User documentation.

How to restrict log types for a certain role

You can create a new role and restrict log access for it, or alter the permissions of an existing role to restrict log access. See the Creating a new role instructions, paying attention to Step 4.

RBAC per log type for search

You can use the Run Log Queries permission to limit a role's log type access in Panther's search tools, including Data Explorer and Search.

In Data Explorer, only tables for the log types the user has access to will display in the Data Explorer filter list, as well as in predictive text in the SQL editor.

In Search, database tables for restricted log types will not populate in the tables filter.

Limitations for RBAC per log type for search

Note the following limitations when RBAC per log type for search is applied to a role:

Alerts: This feature does not currently enforce RBAC per log type restrictions in alerts or, and therefore blocks users from viewing/managing them (unless the RBAC per log type for alerts feature is enabled).
- The following permissions may not be enabled: View Alerts, Manage Alerts.
Detections: The Manage Rules and Manage Policies permissions may not be enabled.
- The View Rules and View Policies permissions may be enabled.
Cloud Security data: Only users with full access to all log types will be able to view Cloud Security data in the panther_cloudsecurity database and the panther_views.public.all_cloudsecurity view in Snowflake.
- All other Cloud Security data (resources, compliance) in the Console (e.g., on the Overview and Detections pages) will be available to all users.
Saved Queries: Users with restricted access cannot create Saved Queries.
- Scheduled Queries: If a user with a role with full log type access has Scheduled Queries and is then switched to a role with restricted log type access (or their same role is modified to restrict log type access), their Scheduled Queries will stop running.
Lookup Tables: A user with a restricted role will not be able to query Lookup Tables in Data Explorer or Search.
External tables: Queries to external (non Panther-created) tables will only function for users with access to all log types.
API Tokens: This feature does not support API tokens. All API tokens have full access to the data lake and saved queries.

RBAC per log type for alerts

All limitations for RBAC per log type for search, listed above, apply—except for the alerts limitation.