CrowdStrike Falcon allows administrators to assign custom roles and permissions to users, ensuring least privilege access and role-based security management. By properly configuring user roles, organizations can control access to security settings, investigations, and threat response actions.
This guide explains how to create, assign, and manage user roles in the Falcon Console.
Step 1: Log Into the Falcon Console
- Open a browser and go to https://falcon.crowdstrike.com.
- Sign in using your admin credentials.
- In the left-hand menu, navigate to Settings > Users & Roles.
Step 2: Review Default Roles in CrowdStrike
CrowdStrike Falcon provides several predefined roles that can be assigned to users:
| Role Name | Permissions |
|---|---|
| Administrator | Full access to all settings, sensors, and API integration. |
| Analyst | Read-only access to detections, reports, and activity monitoring. |
| Investigator | Ability to access and analyze threat intelligence but not modify policies. |
| Responder | Can contain hosts, remove threats, and initiate real-time response. |
| Sensor Manager | Manage sensor deployments and configurations. |
π Tip: If none of the default roles meet your needs, you can create a custom role.
Step 3: Create a Custom User Role
- In Users & Roles, click the Roles tab.
- Click Create Role.
- Enter a Role Name and Description.
- Select the permissions the role should have:
- Read-Only (View detections and reports but cannot take action).
- Standard (Manage endpoints and respond to threats).
- Full Access (Modify policies, containment, and sensor settings).
- Click Save Role.
Step 4: Assign a Role to a User
- Go to Users & Roles > Users.
- Click Invite User (or edit an existing user).
- Enter the userβs email address and select their role.
- Assign specific permissions (if applicable).
- Click Send Invitation.
π Note: The user will receive an email to complete their registration in the Falcon Console.
Step 5: Modify or Remove a User Role
- In Users & Roles > Roles, locate the role you want to modify.
- Click Edit to adjust permissions.
- To delete a role, click Delete Role (cannot be undone).
Best Practices for User Role Management
β
Use Least Privilege Access β Only grant permissions necessary for a userβs job role.
β
Regularly Review User Access β Remove or update roles for former employees or inactive accounts.
β
Separate Admin and Analyst Roles β Limit access to policy modifications to reduce risk.
β
Enable Multi-Factor Authentication (MFA) β Add an extra layer of security for Falcon Console access.