Repository & View Permissions

The individual permissions available for a Repository and View Role are shown below.


The Shorthand form is used if you choose to setup a permissions file or using the API.

Table: Data Access Permissions

Permission Description Shorthand/API Name
Data read access Grants read access to data through the Search, Dashboards and Files pages. If unchecked, all other permissions can be used exclusively through the API. ReadAccess

Table: Data management Permissions

Permission Description Shorthand/API Name
Delete data sources Allow deleting individual data sources in a repository. DeleteDataSources
Delete events The ability to delete events. DeleteEvents
Delete repository or view Allow deletion of repositories and views. DeleteRepositoryOrView
Change data retention The ability to change the data retention. ChangeRetention

Table: Search Permissions

Permission Description Shorthand/API Name
Change connections for a view Allows changing the repositories defined within a view. ChangeConnections
Change dashboards Allow creating and updating dashboards. ChangeDashboards
Change default search settings Allow editing the default search query and time interval. ChangeDefaultSearchSettings
Change files Allow creating and updating uploaded CSV files. ChangeFiles
Change interactions Allow changing event list interactions ChangeInteractions
Change permission tokens on repo or view Change permission tokens on repo or view ChangeViewOrRepositoryPermissions
Change packages Allow installing and updating packages ChangePackages
Change saved queries Allow creating and updating saved queries. ChangeSavedQueries
Change shared dashboard URLs Allow creating and changing read-only dashboards ChangeDashboardReadonlyToken
Change view or repo description Allow changing view or repository description. ChangeViewOrRepositoryDescription
Connect a view Allow creation of views that involve connecting to this repository. ConnectView

Table: Ingest Permissions

Permission Description Shorthand/API Name
Change FDR feeds Change Falcon Data Replicator feeds ChangeFdrFeeds
Change ingest tokens Allow creating and editing ingest tokens. ChangeIngestTokens
Change parsers Allow creating and updating parsers. ChangeParsers
Change ingest feeds Allow creating, editing and deleting ingest feeds. ChangeIngestFeed

Table: Integrations Permissions

Permission Description Shorthand/API Name
Change S3 archiving settings Allow editing the configuration for S3 archiving. ChangeS3ArchivingSettings
Change event forwarding Allow setting up event forwarding. EventForwarding
Change packages Allow installing, updating and removing packages ChangePackages

Table: Query model for persistent queries

Permission Description Shorthand/API Name
Change persistent queries to run on behalf of organization Allow changing of persistent queries to run on behalf of the organization in place of a single user OrganizationOwnedQueries

Table: Trigger and Action Permissions

Permission Description Shorthand/API Name
Change triggers and actions Allow editing of alerts, scheduled searches and actions. From version 1.120.0, it is replaced by ChangeTriggers and ChangeActions. ChangeTriggersAndActions
Change triggers Allow editing and viewing alerts and scheduled searches. ChangeTriggers
Change actions Allow viewing and editing actions. Viewing the name and type of actions when editing triggers is still possible without this permission. ChangeTriggers and ReadAccess permission are needed to edit and view actions. ChangeActions

Table: User Permissions

Users Description Shorthand/API Name
Change data deletion permissions Special permission needed to be able to assign the permissions (DeleteEvents, DeleteDataSources, DeleteRepositoryOrView and ChangeRetention). ChangeDataDeletionPermissions
Change user access Allow adding or removing existing users or groups to this view/repo. ChangeUserAccess