Prerequisites
Creating, editing, and deleting roles requires the manage_roles capability. This capability is included in the built-in admin role.
Role Types
Permission Roles
Grant one or more capabilities to every user who holds the role. Authorization decisions throughout ThreatLab are driven entirely by permission roles.
Title Roles
Cosmetic only — examples include SOC Lead or Instructor. They appear as badges on user profiles but grant no capabilities and have no effect on what a user can do.
System Roles
The built-in admin and analyst roles are immutable (is_system = true). They cannot be edited or deleted. The admin role grants every capability; analyst grants none by default.
Creating a Role
- Permission Role
- Title Role
Name and describe the role
Enter a name and an optional description that explains the role’s purpose.
Select capabilities
Check each capability you want to grant. See the Capabilities Reference table below.
Capabilities Reference
Every capability key recognized by ThreatLab is listed below. When building a permission role, check exactly the capabilities that team needs — no more.

| Capability key | Label | Description |
|---|---|---|
| manage_users | Manage users | Edit profiles, ban/unban, assign roles |
| manage_exercises | Author exercises | Create and edit exercises |
| curate_paths | Curate learning paths | Promote paths to curated or onboarding |
| manage_roles | Manage roles | Create roles and assign capabilities |
| view_status | View platform status | Icinga-backed health dashboard |
| review_notebooks | Review notebooks | Read analyst notebook entries |
| view_user_history | View user history | See exercise progress and completions |
| manage_noise_logs | Manage noise logs | Create and schedule background noise log jobs that ship to one or more SIEMs |
| force_siem_push | Force SIEM push | Bypass upload cooldown for fresh archive shipping |
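
As an added illustration (not ThreatLab's own code), the Python below models the rules on this page: only permission roles contribute capabilities, title roles contribute none, and a role can be audited against the capabilities its team actually needs. The dict layout, the function names, and the Content Author role are assumptions made for the example.

```python
# Added illustration: models the role rules described on this page.
# The dict layout and function names are assumptions, not ThreatLab's API.

# Capability keys copied from the Capabilities Reference table.
CAPABILITIES = frozenset({
    "manage_users", "manage_exercises", "curate_paths", "manage_roles",
    "view_status", "review_notebooks", "view_user_history",
    "manage_noise_logs", "force_siem_push",
})

# Constructed sample roles. "admin" and "analyst" mirror the system roles;
# "Content Author" is hypothetical, "SOC Lead" is the page's title example.
ROLES = {
    "admin": {"type": "permission", "is_system": True, "capabilities": set(CAPABILITIES)},
    "analyst": {"type": "permission", "is_system": True, "capabilities": set()},
    "Content Author": {"type": "permission", "is_system": False,
                       "capabilities": {"manage_exercises", "curate_paths", "manage_users"}},
    "SOC Lead": {"type": "title", "is_system": False, "capabilities": set()},
}


def effective_capabilities(role_names, roles=ROLES):
    """Union of capabilities from permission roles; title roles add nothing."""
    caps = set()
    for name in role_names:
        role = roles[name]
        if role["type"] == "permission":
            caps |= role["capabilities"]
    return caps


def audit_role(name, needed, roles=ROLES):
    """Return findings for one role against the capabilities its team needs."""
    role = roles[name]
    granted = role["capabilities"]
    findings = []
    for key in sorted(granted - CAPABILITIES):
        findings.append(f"unknown capability key: {key}")
    if role["type"] == "title" and granted:
        findings.append("title role carries capabilities (should grant none)")
    for key in sorted((granted & CAPABILITIES) - set(needed)):
        findings.append(f"excess capability: {key}")
    for key in sorted(set(needed) - granted):
        findings.append(f"missing capability: {key}")
    return findings
```

Here `audit_role("Content Author", {"manage_exercises", "curate_paths"})` reports `manage_users` as an excess capability, which is the kind of over-grant the "no more" guidance is meant to catch.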