# Roles

## Getting Here <a href="#getting-here" id="getting-here"></a>

**Settings > User Management > Roles Page**

***

## User Management - Roles Page <a href="#user-management---roles-page" id="user-management---roles-page"></a>

The **Roles Page** under User Management allows administrators to manage user roles, their associated permissions, and enable role-specific capabilities. This page provides a clear breakdown of roles, functions, and access levels.

***

### Page Overview <a href="#page-overview" id="page-overview"></a>

#### Top Action Button <a href="#top-action-button" id="top-action-button"></a>

* **ADD ROLE**
  * **Description**: Allows administrators to create a new role with customized permissions and capabilities.

***

### Roles Table <a href="#roles-table" id="roles-table"></a>

The table displays all existing roles, including their capabilities and permissions. The following columns are available:

| **Field**           | **Description**                                                                |
| ------------------- | ------------------------------------------------------------------------------ |
| **Name / Desc**     | The name of the role with an optional description outlining its purpose.       |
| **Masquerading**    | Indicates if the role has masquerading enabled (i.e., impersonation of users). |
| **Send NetoFlow**   | Shows whether the role can send NetoFlow data.                                 |
| **Send NetoDNS**    | Shows whether the role can send NetoDNS data.                                  |
| **View Audit Logs** | Indicates if the role has permission to view audit logs.                       |
| **Permissions**     | A breakdown of the permissions assigned to the role: **Account** (general account access), **Data Management** (access to manage data), **Detect & Respond** (permission to detect and respond to security events) and **Portal** (access to portal functionalities). |

***

#### Example Table Output <a href="#example-table-output" id="example-table-output"></a>

| **Name / Desc**          | **Masquerading** | **Send NetoFlow** | **View Audit Logs** | **Permissions**                                        |
| ------------------------ | ---------------- | ----------------- | ------------------- | ------------------------------------------------------ |
| **label\_maker**         | -                | -                 | -                   | Account, **DATA MANAGEMENT**                           |
| **admin**                | ENABLED          | ENABLED           | ENABLED             | Account, **DATA MANAGEMENT**, DETECT & RESPOND, PORTAL |
| **cloud\_automation**    | -                | -                 | -                   | Account, **DATA MANAGEMENT**                           |
| **neto\_flow**           | ENABLED          | ENABLED           | ENABLED             | Account, **DATA MANAGEMENT**, DETECT & RESPOND, PORTAL |
| **report\_user**         | ENABLED          | ENABLED           | ENABLED             | Account, **DATA MANAGEMENT**, PORTAL                   |
| **readonly**             | ENABLED          | ENABLED           | ENABLED             | Account, **DATA MANAGEMENT**, DETECT & RESPOND, PORTAL |
| **operational\_manager** | ENABLED          | ENABLED           | ENABLED             | Account, **DATA MANAGEMENT**, DETECT & RESPOND, PORTAL |

***

### Key Functionalities <a href="#key-functionalities" id="key-functionalities"></a>

1. **ADD ROLE**
   * Create new roles with specific permissions and enable or disable capabilities such as:
     * Masquerading
     * Send NetoFlow
     * View Audit Logs
2. **Permissions**
   * Assign specific access and control levels to roles, including:
     * Account
     * Data Management
     * Detect & Respond
     * Portal
3. **Role Management**
   * View, update, and manage permissions for all roles.

***

### Notes <a href="#notes" id="notes"></a>

* Roles like **admin** and **readonly** are commonly used system roles with predefined permissions.
* Use the **Masquerading** capability carefully as it allows impersonating other users.
* Permissions such as **DATA MANAGEMENT** and **DETECT & RESPOND** control access to sensitive and critical features.

***

### System Roles <a href="#system-roles" id="system-roles"></a>

Netography offers four default roles, which any user or API key can be assigned. These roles are:

* System Administrator `admin`\
  This role has full management privileges for all aspects of the portal and API. For resellers, this role can masquerade as a System Administrator in a sub account.
* Operational Manager `operational_manager`\
  This role has management privileges for all aspects of the portal and API except Account and Security based settings. In other words, it is an admin for everything except creating roles, users, SSO configuration and API keys. For resellers, this role can masquerade as an Operational Manager in a sub account.
* Report User `report_user`\
  This role has management access to dashboards, but cannot edit any other aspect of the portal or API (threat models, devices, integrations, users, API keys, etc.). For resellers, this role can masquerade as a Report User in a sub account.
* Read-only User `readonly`\
  This role only has view/get privileges for all aspects of the portal and API. For resellers, this role can masquerade as a Read-only user in a sub account.
* NetoFlow User `neto_flow`\
  A role specifically for the NetoFlow Connector. It has no portal or API permissions other than sending flow data to Netography.

{% hint style="danger" %}
**❗️You must have at least one user with the System Administrator role at all times.**
{% endhint %}

### Custom Roles <a href="#custom-roles" id="custom-roles"></a>

In addition to the predefined system roles, custom roles can be created. They let admins override the default access settings, giving granular control over which capabilities a user or API key can manage in the portal and API.

Access controls are set per class of objects in the portal. Each class is either `readonly` or a combination of management criteria: `create`, `update` and/or `delete` (checkboxes for these options appear when you toggle a permission from read-only to manage).

{% hint style="warning" %}
**🚧When using SSO, be sure to add these custom roles to the SAML Attribute role mappers.**
{% endhint %}

For accounts with sub-account management enabled, custom roles can also enable or disable masquerading into the sub-accounts. Note, however, that any user who is assigned a custom role and masquerades into a sub-account assumes the `admin` role for that sub-account, regardless of how restrictive the custom role is in the parent account.
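The following is an added example, not Netography or Vectra code, that models the role semantics described in the System Roles and Custom Roles sections above so an administrator can audit a change before applying it: per-object-class `readonly` versus `create`/`update`/`delete` grants, the "at least one System Administrator" invariant, and the rule that a custom role masquerading into a sub-account becomes `admin` there. The object-class names and the rule that a manage grant implies read access are assumptions for illustration, not taken from the page.

```python
from dataclasses import dataclass, field
from typing import Optional, Union

# Role names are the ones listed on this page.
SYSTEM_ROLES = {"admin", "operational_manager", "report_user", "readonly", "neto_flow"}
MANAGE_ACTIONS = {"create", "update", "delete"}


@dataclass
class CustomRole:
    name: str
    # Per object class (names are illustrative): either the string "readonly"
    # or a set drawn from MANAGE_ACTIONS, mirroring the portal's checkboxes.
    access: dict = field(default_factory=dict)
    masquerading: bool = False


def allowed(role: CustomRole, object_class: str, action: str) -> bool:
    """Evaluate one permission of a custom role.

    Assumption: any grant (readonly or manage) implies read access; create,
    update and delete each need their own explicit manage checkbox.
    """
    grant = role.access.get(object_class)
    if grant is None:
        return False
    if action == "read":
        return True
    return grant != "readonly" and action in grant


def effective_subaccount_role(role: Union[str, CustomRole]) -> Optional[str]:
    """Role a user holds after masquerading into a sub-account.

    System roles masquerade as themselves; a custom role with masquerading
    enabled assumes `admin` there (the page's caveat). None means the role
    cannot masquerade at all.
    """
    if isinstance(role, str):
        return role if role in SYSTEM_ROLES else None
    return "admin" if role.masquerading else None


def can_apply_assignment(assignments: dict, user: str, new_role: str) -> bool:
    """Refuse a role change that would leave the account with no `admin` user."""
    after = dict(assignments)
    after[user] = new_role
    return any(r == "admin" for r in after.values())
```

Running `can_apply_assignment` before every role update, and flagging every custom role whose `effective_subaccount_role` is `admin`, surfaces the two least-privilege pitfalls this page warns about.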


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.fusion.vectra.ai/settings/user-management/index-1.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.
