Cases and Issues permissions

Abstract

Set up Cases and Issues permissions.

The Cases & Issues section is the heartbeat of SOC operations. It is the primary workspace where alerts are aggregated into issues, and issues are escalated into cases for full-scale investigation.

Limits permissions to the Cases, Issues, and Case Configuration pages. It controls how analysts interact with security events, from the initial triage of a single issue to the coordinated response to a multi-stage attack.

Caution

  • To set Cases & Issues to View or View/Edit, you must first set the Scripts and Playbooks permissions to Enabled.

  • When SBAC is set to Restrictive mode, users who don't have all the required tags shouldn't be able to read or edit the parent case (fields or context). For more information on setting restrictive mode, see Configure server settings.

  • If users are assigned all tags on a child issue and have View/Edit permissions on Cases and Issues, they can trigger a playbook that could potentially change the parent case (even though users should not be able to do so according to SBAC). In this case, you can grant Add Trigger Playbook permissions, so users can bypass SBAC on the parent case fields and context data. For more information about updating fields in a playbook, see Update case fields.

  • Users with View access to Cases and Issues can also view and edit Lists (under SettingsConfigurationsObject SetupLists), provided they also have Script permissions.

Permission

Description

Roles Example

None

Users cannot access Cases, Issues, and Case Configuration pages.

View

Users can view cases and issues, see details, review investigation data, and view the Case Configuration page. Users cannot modify or take actions.

View/Edit

Full access to cases, issues, and case configuration. Users can view, modify, investigate, and take actions. Additional sub-permissions become available:

  • Add Trigger Playbook: Allows users to attach and trigger playbooks on issues for automated response

  • Create Case: Allows users to manually create new cases from issues or other sources.

Most analyst roles should include View/Edit permissions to enable deeper investigation and case management. Add Trigger Default Playbooks is not selected by default for most roles.