CrowdStrike Falcon allows administrators to assign custom roles and permissions to users, ensuring least privilege access and role-based security management. By properly configuring user roles, organizations can control access to security settings, investigations, and threat response actions.
This guide explains how to create, assign, and manage user roles in the Falcon Console.
Step 1: Log Into the Falcon Console
- Open a browser and go to the CrowdStrike console. There are two possibilities:
- Sign in using your admin credentials.
- In the left-hand menu, navigate to Settings > Users & Roles.
Step 2: Review Default Roles in CrowdStrike
CrowdStrike Falcon provides several predefined roles that can be assigned to users:
| **Role Name** | **Permissions** |
|---|---|
| **Administrator** | Full access to all settings, sensors, and API integration. |
| **Analyst** | Read-only access to detections, reports, and activity monitoring. |
| **Investigator** | Ability to access and analyze threat intelligence but not modify policies. |
| **Responder** | Can **contain hosts**, remove threats, and initiate real-time response. |
| **Sensor Manager** | Manage sensor deployments and configurations. |
Step 3: Create a Custom User Role
- In **Users & Roles**, click the **Roles** tab.
- Click **Create Role**.
- Enter a **Role Name** and **Description**.
- Select the **permissions** the role should have:
  - Read-Only (View detections and reports but cannot take action).
  - Standard (Manage endpoints and respond to threats).
  - Full Access (Modify policies, containment, and sensor settings).
- Click Save Role.
Step 4: Assign a Role to a User
- Go to **Users & Roles > Users**.
- Click **Invite User** (or edit an existing user).
- Enter the user's **email address** and select their **role**.
- Assign **specific permissions** (if applicable).
- Click **Send Invitation**.
Step 5: Modify or Remove a User Role
- In **Users & Roles > Roles**, locate the role you want to modify.
- Click **Edit** to adjust permissions.
- To delete a role, click **Delete Role** (cannot be undone).
Best Practices for Role Management
Principle of Least Privilege
Always assign the minimum permissions necessary for users to perform their job functions. This reduces the risk of accidental or malicious misuse of privileged access.
Regular Access Reviews
- Conduct quarterly reviews of user roles and permissions
- Remove access for users who have changed roles or left the organization
- Audit custom roles to ensure they still align with business needs
Role Naming Conventions
Use clear, descriptive names for custom roles that indicate their purpose:
- Good examples: "SOC-Analyst-L1", "IR-Team-Lead", "Compliance-Auditor"
- Avoid generic names: "Custom Role 1", "Test Role", "Special Access"
Documentation
Maintain documentation for all custom roles including:
- Purpose and intended users
- Permissions granted and rationale
- Approval and review history
- Date created and last modified
Common Custom Role Examples
SOC Analyst (Tier 1)
Permissions
- View detections and alerts
- Access host information
- View threat intelligence
- Run queries in Event Search
Restrictions
- Cannot contain hosts
- Cannot modify prevention policies
- Cannot delete detections
Incident Responder
Permissions
- All SOC Analyst permissions
- Real-time response access
- Host containment/lift containment
- Execute response actions
Restrictions
- Cannot modify sensor deployment
- Cannot access user management
Compliance Auditor
Permissions
- Read-only access to all detections
- Access to reports and dashboards
- View prevention policies
- Export data for compliance reporting
Restrictions
- No modification rights
- Cannot execute response actions
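
An access-review check covering the best practices and role examples above, as an added example that is not from CrowdStrike or part of the original guide. It runs over a constructed inventory; the field names, permission strings, and the mapping of the documented roles to names such as `SOC-Analyst-L1` are assumptions, not the Falcon Console's export format or API schema.

```python
import re

# Constructed sample inventory. Field names and permission strings are
# assumptions for illustration, not a real Falcon export or API schema.
ROLES = {
    "SOC-Analyst-L1": {"view_detections", "view_hosts", "event_search", "contain_host"},
    "IR-Team-Lead": {"view_detections", "rtr", "contain_host", "response_actions"},
    "Compliance-Auditor": {"view_detections", "view_reports", "export_data"},
    "Custom Role 1": {"view_detections"},
}
USERS = [
    {"email": "a.lee@example.com", "role": "SOC-Analyst-L1", "active": True},
    {"email": "b.kim@example.com", "role": "IR-Team-Lead", "active": False},
    {"email": "c.roy@example.com", "role": "Compliance-Auditor", "active": True},
]
# Restrictions from the role examples above, mapped (by assumption) to role names.
FORBIDDEN = {
    "SOC-Analyst-L1": {"contain_host", "modify_policy", "delete_detection"},
    "IR-Team-Lead": {"sensor_deploy", "user_management"},
    "Compliance-Auditor": {"contain_host", "rtr", "response_actions", "modify_policy"},
}
GENERIC_NAME = re.compile(r"^(custom role|test role|special access)\b", re.I)


def review(roles, users):
    """Return sorted (kind, subject, detail) findings for an access review."""
    findings = []
    assigned = {u["role"] for u in users}
    for name, perms in roles.items():
        if GENERIC_NAME.match(name):
            findings.append(("generic-name", name, "rename to state purpose"))
        if name not in assigned:
            findings.append(("unused-role", name, "no users assigned"))
        excess = perms & FORBIDDEN.get(name, set())
        if excess:
            findings.append(("excess-permission", name, ",".join(sorted(excess))))
    for u in users:
        if not u["active"]:
            findings.append(("inactive-user", u["email"], "still holds " + u["role"]))
        if u["role"] not in roles:
            findings.append(("unknown-role", u["email"], u["role"]))
    return sorted(findings)


if __name__ == "__main__":
    for kind, subject, detail in review(ROLES, USERS):
        print(f"{kind:18} {subject:22} {detail}")
```

Each finding maps to one review item: a role whose grants exceed its documented restrictions, a generic role name, a role with no assignees, and a deactivated user who still holds a role.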
Troubleshooting
User Cannot Access Specific Features
If a user reports they cannot access expected features:
- Verify their assigned role in **Users & Roles > Users**
- Check if the role has the necessary permissions
- Confirm the user has completed their Falcon Console registration
- Check if there are any IP restrictions or conditional access policies
- Allow 5-10 minutes for role changes to propagate
- Ask the user to log out and log back in
- Clear browser cache and cookies
Cannot Delete a Role
You cannot delete a role if:
- Users are currently assigned to that role (reassign them first)
- It is a predefined system role
*Last reviewed: January 2025*
*Applies to: CrowdStrike Falcon Console*