Role Capabilities
The following are the capabilities you can assign when you create roles.
If you use the createRoleV2 API to create a role, enter the corresponding role capability value in the capabilities parameter of the API as indicated in the tables below.
Data Management
| Capability | Description | Corresponding value in the capabilities field of the createRoleV2 API |
|---|---|---|
| View Collectors | View collectors and sources that have already been installed or added. | viewCollectors |
| Manage Collectors | View and manage installed and hosted collectors as well as sources. | manageCollectors |
| Manage Ingest Budgets | Allows you to manage ingest budgets. Enabling this will automatically enable the Manage Collectors capability. The Manage Collectors capability on its own permits the re-assignment of budgets to different collectors, but not creating or deleting them. | manageBudgets |
| Manage Data Volume Feed | Enable and manage the data volume index for your account to avoid exceeding your data limits, and to determine when you need to upgrade your account. | manageDataVolumeFeed |
| View Field Extraction Rules | View field extraction rules, which accelerate your search process by automatically parsing fields as log messages are ingested. | viewFieldExtraction |
| View Fields | View fields, which are custom metadata fields you can assign to logs. | viewFields |
| Manage Fields | Manage fields. Note that if you grant a role the Manage Fields capability, users with that role will also have the View Fields and View Field Extraction Rules capabilities. | manageFields |
| Manage Field Extraction Rules | Manage field extractions, which speed the search process by automatically parsing fields as log messages are ingested. Note that if you grant a role the Manage Field Extraction Rules capability, users with that role will also have the Manage Fields, View Fields, and View Field Extraction Rules capabilities. | manageFieldExtractionRules |
| Manage S3 Data Forwarding | Manage S3 data forwarding from Sumo Logic to an S3 bucket. | manageS3DataForwarding |
| Manage Content | Manage the content for your organization. This provides access to Admin Mode in the Library. | manageContent |
| Manage Apps | Install and manage apps. | manageApps |
| Manage Connections | Manage the connections that allow you to send alerts to other tools. | manageConnections |
| View Connections | View connections on the Connections page. | viewConnections |
| View Views | View Scheduled Views. | viewScheduledViews |
| Manage Views | View, create, edit, and delete Scheduled Views. Note that if you grant a role the Manage Scheduled Views capability, users with that role will also have the View Scheduled Views capability. | manageScheduledViews |
| View Partitions | View partitions. | viewPartitions |
| Manage Partitions | View, create, edit, and delete partitions. Note that if you grant a role the Manage Partitions capability, users with that role will also have View Partitions and Manage S3 Data Forwarding capabilities. | managePartitions |
| View Account Overview | View the Account Overview page. | viewAccountOverview |
| Manage Tokens | Manage Installation Tokens. | manageTokens |
| View Parsers | View parsers. | viewParsers |
| Download Search Results | Export log query results to a .csv file. | downloadSearchResults |
| Access Data Volume Index | Access the sumologic_volume index. | dataVolumeIndex |
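
Several rows in the table above grant further capabilities implicitly, so the list passed in the capabilities parameter understates what a role can actually do. The following is an added example, not code from Sumo Logic: it expands a requested list into its effective set using only the implications stated in this table. The function names, the sample role, and the "sensitive" set are assumptions made for illustration.

```python
# Implied grants, transcribed from the "Note that..." and "Enabling this..."
# sentences in the Data Management table. Not an official or complete list.
IMPLIES = {
    "manageBudgets": {"manageCollectors"},
    "manageFields": {"viewFields", "viewFieldExtraction"},
    "manageFieldExtractionRules": {"manageFields", "viewFields", "viewFieldExtraction"},
    "manageScheduledViews": {"viewScheduledViews"},
    "managePartitions": {"viewPartitions", "manageS3DataForwarding"},
}


def effective_capabilities(requested):
    """Return the requested capabilities plus everything they imply (transitively)."""
    effective = set()
    pending = list(requested)
    while pending:
        cap = pending.pop()
        if cap in effective:
            continue
        effective.add(cap)
        pending.extend(IMPLIES.get(cap, ()))
    return effective


def review_role(requested, sensitive):
    """Report implied grants, and sensitive capabilities reached only by implication."""
    requested = set(requested)
    effective = effective_capabilities(requested)
    implied = effective - requested
    return {
        "effective": sorted(effective),
        "implied": sorted(implied),
        "unreviewed_sensitive": sorted(implied & set(sensitive)),
    }


if __name__ == "__main__":
    # Constructed role request: on paper, only partitions, field rules and budgets.
    role = ["managePartitions", "manageFieldExtractionRules", "manageBudgets"]
    # Capabilities a hypothetical organization wants explicitly approved.
    sensitive = {"manageS3DataForwarding", "manageCollectors", "manageAccessKeys"}
    for key, value in review_role(role, sensitive).items():
        print(f"{key}: {value}")
```

Running the review before creating or changing a role shows, for instance, that Manage Partitions also carries Manage S3 Data Forwarding, which a reviewer looking only at the requested list would not see.
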
Entity Management
| Capability | Description | Corresponding value in the capabilities field of the createRoleV2 API |
|---|---|---|
| Manage Entity Type Configs | Reserved for internal use. | manageEntityTypeConfig |
Metrics
| Capability | Description | Corresponding value in the capabilities field of the createRoleV2 API |
|---|---|---|
| Manage Metrics Transformation Rules | Create, edit, or delete metrics transformation rules. | metricsTransformation |
| Manage Logs-to-Metrics | Create, edit, or delete Logs-to-Metrics rules. | metricsExtraction |
| Manage Metrics Rules | Create, edit, or delete metrics rules. | metricsRules |
Security
| Capability | Description | Corresponding value in the capabilities field of the createRoleV2 API |
|---|---|---|
| Manage Password Policy | Set the password policy for your Sumo Logic account. | managePasswordPolicy |
| Allowlist IP Addresses | Explicitly grant access to specific IP addresses or address ranges. | ipAllowlisting |
| Create Access Keys | Create your own access keys. | createAccessKeys |
| Manage Access Keys | Set up, activate, deactivate, or delete access keys for your organization. | manageAccessKeys |
| Manage Support Account Access | Enable management of the Sumo Logic support account for your organization. | manageSupportAccountAccess |
| Manage Audit Data Feed | Enable and manage the Audit Index, which provides information on internal events. | manageAuditDataFeed |
| Manage SAML | Provision and manage SAML for single sign-on. | manageSAML |
| Manage Share Dashboards Outside Organization | Share a dashboard with users who do not have Sumo Logic access. | shareDashboardOutsideOrg |
| Manage Organization Settings | Configure concurrent session limits and the Data Access Level for Shared Dashboards security policy. | manageOrgSettings |
| Change Data Access Level | Change the data access level of dashboards or scheduled searches. | changeDataAccessLevel |
Dashboards
| Capability | Description | Corresponding value in the capabilities field of the createRoleV2 API |
|---|---|---|
| Share Dashboards with the World | Share dashboards in view-only mode with no login required. | shareDashboardWorld |
| Share Dashboards with the Allowlist | Share dashboards in view-only mode; viewers must be on your service allowlist. | shareDashboardAllowlist |
User Management
| Capability | Description | Corresponding value in the capabilities field of the createRoleV2 API |
|---|---|---|
| Manage Users And Roles | Access the UI pages to manage users and roles. | manageUsersAndRoles |
Audit Event Management
| Capability | Description | Corresponding value in the capabilities field of the createRoleV2 API |
|---|---|---|
| Access Search Audit Events | View and download audit logs of search queries executed in the UI. | searchAuditIndex |
| Access Audit Events | View and download audit logs of admin and config events. | auditEventIndex |
Automation Service
| Capability | Description | Corresponding value in the capabilities field of the createRoleV2 API |
|---|---|---|
| Task View | See tasks in playbooks. | cloudSoarIncidentTaskView |
| Task Access | Access your tasks in playbooks. | cloudSoarIncidentTaskAccess |
| Task Access All | Access all user tasks in playbooks. | cloudSoarIncidentTaskAccessAll |
| Task Edit | Configure tasks in playbooks. | cloudSoarIncidentTaskEdit |
| Task Reassign | Assign tasks in playbooks to users. | cloudSoarIncidentTaskReassign |
| App Central Access | View App Central. | cloudSoarAppCentralAccess |
| App Central Export | Export integrations and playbooks from App Central. | cloudSoarAppCentralExport |
| Integrations Access | View integrations. | cloudSoarIntegrationsAccess |
| Integrations Configure | Create and edit integrations. | cloudSoarIntegrationsConfigure |
| Playbooks Access | View playbooks. | cloudSoarPlaybooksAccess |
| Playbooks Configure | Create and edit playbooks. | cloudSoarPlaybooksConfigure |
| Bridge Monitoring Access | Monitor Bridge operations. | cloudSoarBridgeMonitoringAccess |
| Observability Access | Access automation in the SaaS Log UI. | cloudSoarObservabilityAccess |
| Observability Configure | Create and edit automation in the Sumo Logic SaaS Log Analytics Platform. | cloudSoarObservabilityManagement |
Alerting
| Capability | Description | Corresponding value in the capabilities field of the createRoleV2 API |
|---|---|---|
| View Monitors | If folder permissions are enabled, view the folders and monitors you have access to. | viewMonitorsV2 |
| Manage Monitors | Create folders and monitors, grant permissions, and (with folder permissions) perform full CRUD on folders you control. | manageMonitorsV2 |
| Admin Monitors | With folder permissions, full CRUD and grant on all folders and monitors. | adminMonitorsV2 |
| View Alerts | View alerts on the Alert page. | viewAlerts |
| View Muting Schedules | View Muting Schedules. | viewMutingSchedules |
| Manage Muting Schedules | Create, edit, and delete Muting Schedules. | manageMutingSchedules |
Usage Management
| Capability | Description | Corresponding value in the capabilities field of the createRoleV2 API |
|---|---|---|
| View Usage Management | View usage management. | viewUsageManagement |
| Manage Usage Management | Manage usage management. | manageBudgets |
Reliability Management
| Capability | Description | Corresponding value in the capabilities field of the createRoleV2 API |
|---|---|---|
| View SLOs | View Service Level Objectives (SLOs). | viewSlos |
| Manage SLOs | Create, edit, and delete SLOs. | manageSlos |
Threat Intel
| Capability | Description | Corresponding value in the capabilities field of the createRoleV2 API |
|---|---|---|
| View Threat Intel Data Store | View the Threat Intelligence tab. | viewThreatIntelDataStore |
| Manage Threat Intel Data Store | Create, edit, and delete threat intel sources. | manageThreatIntelDataStore |
Organizations
| Capability | Description | Corresponding value in the capabilities field of the createRoleV2 API |
|---|---|---|
| View Organizations | View the Organizations UI. | viewOrganizations |
| Create Organizations | Create and provision child organizations. | createOrganizations |
| Change Credits Allocation | Change the credits allocation for a child organization. | changeCreditsAllocation |
| Create Trial Organizations | Create trial organizations (Service Providers only). | createTrialOrganizations |
| Upgrade Trial Organizations | Upgrade trial organizations (Service Providers only). | upgradeTrialOrganizations |
| Deactivate Organizations | Deactivate trial organizations (Service Providers only). | deactivateOrganizations |
Cloud SOAR
Cloud SOAR capabilities appear in the roles UI only if Cloud SOAR has been enabled for your account.
This section is for our Cloud SOAR SaaS version. If you have a legacy Cloud SOAR instance URL matching the pattern *.soar.sumologic.com, see Legacy Cloud SOAR.
| Capability category | Capability | Description | Corresponding value in the capabilities field of the createRoleV2 API |
|---|---|---|---|
| | View Cloud SOAR | Show “Cloud SOAR” link in nav. | viewCloudSoar |
| Incident | View | View all incidents. | cloudSoarIncidentView |
| Incident | Access | Access your incidents. | cloudSoarIncidentAccess |
| Incident | Access All | Access all incidents. | cloudSoarIncidentAccessAll |
| Incident | Edit | Create, edit, delete incidents. | cloudSoarIncidentEdit |
| Incident | Bulk Operations | Manage incident bulk operations. | cloudSoarIncidentBulkOperations |
| Incident | Manage Investigators | Assign/remove investigators. | cloudSoarIncidentManageInvestigators |
| Incident | Change Ownership | Change incident ownership. | cloudSoarIncidentChangeOwnership |
| Triage | View | View all triage. | cloudSoarIncidentTriageView |
| Triage | Access | Access your triage events. | cloudSoarIncidentTriageAccess |
| Triage | Access All | Access all triage events. | cloudSoarIncidentTriageAccessAll |
| Triage | Change Ownership | Change triage ownership. | cloudSoarIncidentTriageChangeOwnership |
| Triage | Edit | Create, edit, delete triage events. | cloudSoarIncidentTriageEdit |
| Triage | Bulk Physical Delete | Bulk-delete triage events. | cloudSoarIncidentTriageBulkPhysicalDelete |
| Folders | Edit | Create, edit, delete playbook folders. | cloudSoarIncidentFoldersEdit |
| Attachments | Access | View attachments. | cloudSoarIncidentAttachmentsAccess |
| Attachments | Edit | Create, edit, delete attachments. | cloudSoarIncidentAttachmentsEdit |
| Incident Playbook | Access | View playbooks. | cloudSoarIncidentPlaybooksAccess |
| Incident Playbook | Edit | Create, edit, delete playbooks. | cloudSoarIncidentPlaybooksEdit |
| Incident Playbook | Manage | Manage playbook lifecycle. | cloudSoarIncidentPlaybooksManage |
| Note | Access | View notes. | cloudSoarIncidentNotesAccess |
| Note | Edit | Create, edit, delete notes. | cloudSoarIncidentNotesEdit |
| War Room | Use | Participate in War Room. | cloudSoarIncidentWarRoomUse |
| Settings General | Configure | Configure global settings. | cloudSoarGeneralConfigure |
| User Management | Groups | Manage groups. | cloudSoarUserManagementGroups |
| Notification | Configure | Configure notifications. | cloudSoarNotificationConfigure |
| Customization | Logo | Customize logo. | cloudSoarCustomizationLogo |
| Customization | Fields | Customize fields. | cloudSoarCustomizationFields |
| Customization | Incident Labels | Customize incident labels. | cloudSoarCustomizationIncidentLabels |
| Customization | Triage | Customize triage UI. | cloudSoarNotificationTriage |
| Audit & Info | License Information | View license audit info. | cloudSoarAuditAndInformationLicenseInformation |
| Audit & Info | Audit Trail | View audit trail. | cloudSoarAuditAndInformationAuditTrail |
| Audit & Info | Configure Audit Trail | Configure audit trail. | cloudSoarAuditAndInformationConfigureAuditTrail |
| API | Use | Use the Cloud SOAR API. | cloudSoarAPIUse |
| API | API Admin | Administer Cloud SOAR API. | cloudSoarAPIAdmin |
| API | Email Read | Read email artifacts. | cloudSoarAPIEmailRead |
| API | Email Edit | Create, edit, delete email artifacts. | cloudSoarAPIEmailEdit |
| Incident Templates | Access | View incident templates. | cloudSoarIncidentTemplatesAccess |
| Incident Templates | Configure | Configure incident templates. | cloudSoarIncidentTemplatesConfigure |
| Automation Rules | Access | View automation rules. | cloudSoarAutomationRulesAccess |
| Automation Rules | Configure | Configure automation rules. | cloudSoarAutomationRulesConfigure |
| Entities | Access | View entities. | cloudSoarEntitiesAccess |
| Entities | Manage | Create, edit, delete entities. | cloudSoarEntitiesManage |
| Entities | Bulk Physical Delete | Bulk-delete entities. | cloudSoarEntitiesBulkPhysicalDelete |
| Report | Access | View reports. | cloudSoarReportAccess |
| Report | Access All | Access all reports. | cloudSoarReportAll |
| Dashboard | Access | View dashboards. | cloudSoarDashboardAccess |
| Dashboard | Access All | Access all dashboards. | cloudSoarDashboardAll |
| Widgets | Use All | Use all widgets. | cloudSoarWidgetsAll |
Legacy Cloud SOAR
| Capability | Description |
|---|---|
| View Cloud SOAR | Show “Cloud SOAR” link in nav (legacy URL). |
| Settings General | Configure legacy settings. |
| Configure | Update legacy configuration. |
Cloud SIEM
Cloud SIEM capabilities are shown only if Cloud SIEM is enabled.
| Capability | Description | Corresponding value in the capabilities field of the createRoleV2 API |
|---|---|---|
| View Cloud SIEM | Show “Cloud SIEM” link in nav. | viewCse |
Insights
| Capability | Description | Corresponding value in the capabilities field of the createRoleV2 API |
|---|---|---|
| Comment on Insights | Add comments to Insights. | cseCommentOnInsights |
| Create Insights | Create new Insights. | cseCreateInsights |
| Delete Insights | Delete existing Insights. | cseDeleteInsights |
| Invoke Insights Actions | Run an Action on an Insight. | cseInvokeInsights |
| Manage Insight Assignee | Change who’s assigned to an Insight. | cseManageInsightAssignee |
| Manage Insight Signals | Add/remove Signals on an Insight. | cseManageInsightSignals |
| Manage Insight Status | Change an Insight’s status. | cseManageInsightStatus |
| Manage Insight Tags | Add/delete tags. | cseManageInsightTags |
Content
| Capability | Description | Corresponding value in the capabilities field of the createRoleV2 API |
|---|---|---|
| View Rules | View rules. | cseViewRules |
| Manage Rules | Create, edit, delete rules. | cseManageRules |
| View Threat Intelligence | View threat intel sources. | cseViewThreatIntelligence |
| Manage Threat Intelligence | Create, edit, delete threat intel sources. | cseManageThreatIntelligence |
| View Match Lists | View Match Lists. | cseViewMatchLists |
| Manage Match Lists | Create, edit, delete Match Lists. | cseManageMatchLists |
| View File Analysis | View YARA rules. | cseViewFileAnalysis |
| Manage File Analysis | Create, edit, delete YARA rules. | cseManageFileAnalysis |
| View Custom Insights | View custom Insights. | cseViewCustomInsights |
| Manage Custom Insights | Create, edit, delete custom insights. | cseManageCustomInsights |
| View Network Blocks | View network blocks. | cseViewNetworkBlocks |
| Manage Network Blocks | Create, edit, delete network blocks. | cseManageNetworkBlocks |
| View Suppressed Entities | View suppressed entities. | cseViewSuppressedEntities |
| Manage Suppressed Entities | Suppress/unsuppress entities. | cseManageSuppressedEntities |
Configuration
| Capability | Description | Corresponding value in the capabilities field of the createRoleV2 API |
|---|---|---|
| View Mappings | View mappings. | cseViewMappings |
| Manage Mappings | Create, edit, delete mappings. | cseManageMappings |
| View Workflow | View detection settings, statuses, resolutions, tag schemas. | cseViewCustomInsightStatuses |
| Manage Workflow | Create, edit, delete detection settings, statuses, resolutions, tag schemas. | cseManageCustomInsightStatuses |
| View Context Actions | View Context Actions. | cseViewContextActions |
| Manage Context Actions | Create, edit, delete Context Actions. | cseManageContextActions |
| View Actions | View Actions. | cseViewActions |
| Manage Actions | Create, edit, delete Actions. | cseManageActions |
| View Enrichments | View enrichments. | cseViewEnrichments |
| Manage Enrichments | Upload enrichment data via API. | cseManageEnrichments |
| View Custom Entity Types | View custom entity types. | cseViewCustomEntityType |
| Manage Custom Entity Types | Create, edit, delete custom entity types. | cseManageCustomEntityType |
| View Entity | View Entities. | cseViewEntity |
| Manage Entity | Create, edit, delete entities. | cseManageEntity |
| View Entity Normalization | View Domain Normalization settings. | cseViewEntityConfiguration |
| Manage Entity Normalization | Update Domain Normalization settings. | cseManageEntityConfiguration |
| View Entity Criticality | View Entity Criticalities. | cseViewEntityCriticality |
| Manage Entity Criticality | Create, edit, delete entity criticalities. | cseManageEntityCriticality |
| View Tag Schemas | View tag schemas. | cseViewTagSchemas |
| Manage Tag Schemas | Create, edit, delete tag schemas. | cseManageTagSchemas |
| Manage Favorite Fields | Add/remove favorite fields in Records UI. | cseManageFavoriteFields |
| View Entity Groups | View Entity Groups. | cseViewEntityGroups |
| Manage Entity Groups | Create, edit, delete entity groups. | cseManageEntityGroups |
| View Automations | View automations. | cseViewAutomations |
| Manage Automations | Create, edit, delete automations. | cseManageAutomations |
| Execute Automations | Run automations. | cseExecuteAutomations |