Permissions for administrator roles

The following tables list out the default permissions for system-defined roles within the management console. Permissions in bold have child permissions that are only available after the main permission is selected.

The data that zone managers can view in the console is limited to the zones that they manage.

These permissions provide access to the dashboard page and cannot be disabled. The information displayed on the dashboard is determined by the role and permissions assigned to the administrator role.

Permission	Administrator	Zone Manager	User	Read-Only
Device protection	√	√	√	√

These permissions allow you to manage

CylanceOPTICS

features.

Permission	Administrator	Zone Manager	User	Read-Only
View detections	√	√		√
Edit detections	√	√
Delete detections	√	√
View, create InstaQuery	√	√		√
Delete InstaQuery	√	√
View, create advanced query	√	√		√
Create shared template	√	√
Delete shared template	√
Delete shared snapshots	√
Delete shared export query	√
Create scheduled query	√	√
Edit shared scheduled query	√
Delete shared scheduled query	√
View, create focus data	√	√		√
View package deploy	√			√
Create package deploy	√
Update package deploy	√
Delete package deploy	√
View playbook results	√			√
Delete playbook results	√
View package	√			√
Create package	√
Delete package	√
View playbook	√			√
Create, edit playbook	√
Delete playbook	√
View ruleset*	√			√
Edit ruleset*	√
Delete ruleset	√
View rules	√			√
Create, edit custom rule	√
Delete custom rule	√
View exceptions	√			√
Create, edit exceptions	√
Delete exceptions	√
View lockdown configuration	√			√
Create, Edit lockdown configuration	√
Delete lockdown configuration	√

*To view a rule set, you require an administrator role with the View ruleset and Edit ruleset permissions.

These permissions control what you can do with users and devices in the management console. You have to have global list permissions to global quarantine or add a threat to the safe list from these pages.

Permission	Administrator	Zone Manager	User	Read-Only
View users and groups	√			√
Create users and groups	√
Edit users and groups	√
Delete users and groups	√
View mobile devices	√			√
Delete mobile devices	√
View devices	√	√	√	√
Edit devices	√	√
Delete devices	√
Run background scan	√
Lock CylanceOPTICS device	√
Unlock CylanceOPTICS device	√
Execute remote response	√
Allow file download	√
View device policies	√	√		√
Create device policies	√
Edit device policies	√
Delete device policies	√
View Zones	√	√	√	√
Create zones	√
Edit zones	√	√
Delete zones	√

These permissions provide access to the protection menu,

CylancePROTECT Mobile

alerts, and vulnerabilities.

Permission	Administrator	Zone Manager	User	Read-Only
View threat protection	√	√	√	√
Edit Protect Mobile events	√
View Protect Mobile policies	√			√
Create Protect Mobile policies	√
Edit Protect Mobile policies	√
Delete Protect Mobile policies	√

These permissions allow you to manage network protection settings, including network access control,

CylanceGATEWAY

settings, and

CylanceGATEWAY

alerts and events.

Permission	Administrator	Zone Manager	User	Read-Only
View Gateway service policies	√			√
Create Gateway service policies	√
Edit Gateway service policies	√
Delete Gateway service policies	√
View network access controls	√			√
Edit network access controls	√
View Gateway settings	√			√
Create Gateway settings	√
Edit Gateway settings	√
Delete Gateway settings	√
View Gateway reporting events	√			√
View Gateway alerts and events	√			√

These permissions allow you to manage

CylanceAVERT

features.

Permission	Administrator	Zone Manager	User	Read-Only
View Avert settings	√			√
Edit Avert settings	√
View Avert device identifier	√			√
View Avert risk scores	√			√
View Avert device events	√			√
View Avert policies	√			√
Create Avert policies	√
Edit Avert policies	√
Delete Avert policies	√
View Avert sensitive file summary	√
View Avert file content	√
Delete Avert files	√

These permissions allow administrators to manage tenant-level settings that affect multiple features in the

Cylance Endpoint Security

solution, including EMM providers and directories, enrollment for mobile devices and

CylanceGATEWAY

, and adaptive risk options and events. For directory connections, you can create

Microsoft Entra ID

active directories (AD) only.

Permission	Administrator	Zone Manager	User	Read-Only
View EMM connections	√			√
Create EMM connections	√
Edit EMM connections	√
Delete EMM connections	√
View directory connections	√			√
Create directory connections	√
Edit directory connections	√
Delete directory connections	√
View on-prem directory connector	√			√
Create on-prem directory connector	√
Edit on-prem directory connector	√
Delete on-prem directory connector	√
View authentication controls	√			√
Create authenticators	√
Edit authenticators	√
Delete authenticators	√
View enrollment policies	√			√
Create enrollment policies	√
Edit enrollment policies	√
Delete enrollment policies	√
View adaptive risk policies	√			√
Create adaptive risk policies	√
Edit adaptive risk policies	√
Delete adaptive risk policies	√
View adaptive risk settings	√			√
Create adaptive risk settings	√
Edit adaptive risk settings	√
Delete adaptive risk settings	√
View alerts	√			√
Edit alerts	√
Delete alerts	√

These permissions allow you to view reports and the audit log.

Permission	Administrator	Zone Manager	User	Read-Only
View reports	√			√
View audit log	√			√

These permissions allow you to manage management console settings. User management permissions and role management permissions are associated. If a user is assigned a role with user management permissions selected, the user will also have access to role management functionality.

Permission	Administrator	Zone Manager	User	Read-Only
Application	√	√		√
Token Management	√
Installer Download	√	√
Uninstall Password Management	√
Support Login	√
Syslog/SIEM	√
Custom Authentication	√
Threat Data Report	√
User Management	√
View Global List	√	√		√
Create Global List	√
Edit Global List	√
Delete Global List	√
View Agent Update Settings	√			√
Create Agent Update Settings	√
Edit Agent Update Settings	√
Delete Agent Settings	√
Certificates	√	√		√
Integrations	√
View device lifecycle settings	√			√
Create device lifecycle settings	√
Edit device lifecycle settings	√
Delete device lifecycle settings	√
View activation settings	√			√
Edit activation settings	√