Skip to main content
Version: 25.10 (Latest)

User Management

On the Users page, you can manage user access to the Cyberhaven Console. Go to Preferences > Users.

The Users table provides an overview of the Console users. The table displays the user's role, access privileges, authentication provider, two-factor authentication status, and user status. When a user has access to the Console, their status is shown as "Active". But, if a user has received an invitation to access the Console but has not yet accepted it, their status is shown as "Invite Pending".

Add a user

To invite a user to the Console,

1. Click Invite a Member.

2. In the Invite user to Cyberhaven window, enter the email address of the user.

3. Select a user role from the Roles drop-down list.

4. Select the scope of access for the user from the Scope drop-down list.

5. Click Invite.

You will get a confirmation message that the invitation link was sent. The user will receive an email invitation from Cyberhaven Notifications

noreply@cyberhaven.info that contains a one-time activation link. For security purposes, activation links are only valid for 6 hours. If the user does not accept the invitation, the status in the Users table will be displayed as "Invite pending".

To send a refreshed activation link, click on the Actions menu for the user in the table and select Reset auth provider.

Account Signup

When the user clicks on the activation link, they will be presented with a page with the option to accept the invite.

The user may choose to sign up with a Microsoft account, a Google account, or a standalone password. As an option, any other authentication provider that has been configured in the Cyberhaven Console may also be used. After choosing a sign-up method, the user can now login to the Console using their chosen

identity provider.

Remove a user

To remove a user account from the Cyberhaven Console,

1. From the Users table, click on the Actions menu for the user you want to remove.

2. Click Delete this user.

3. Click Yes on the confirmation message.

Multifactor Authentication Setup

Users relying on password-based authentication for their accounts can choose to enable SMS-based multifactor authentication. (This is not presented as an option for accounts secured via SAML providers, as those providers can enforce MFA on their own.)

To setup SMS-based MFA,

1. Click on the user profile icon just above the blue chat bubble near the bottom left of the Console. The icon displays the first letter of the user's email address.

2. Select Account Settings.

3. On the following page, click Enable to the right of Setup phone MFA. 4. Enter the phone number beginning with + along with the country code— for example, +18085551212—and click Send Code.

5. Complete the CAPTCHAand enter the code you received via SMS. You will receive an email confirming that the setup is complete.

Roles

On this page, you can create and manage user roles within the Cyberhaven Console. Go to Preferences > Roles and Scopes.

Arole helps you define a user's permissions within the Cyberhaven Console. You can view the list of all the roles and create new roles on the roles tab. The Global Admin role is predefined and cannot be modified or deleted. The Assigned To column displays the number of users assigned to this role. The table also displays the total number of permissions for each role.

The default roles in the Console are listed below in the order of highest to lowest privilege level.

Global Admin: This user role has the highest level of privilege. Auser in this role has full access to the Console.

Security Admin: This user role has full access to view and manage security data on the Risks Overview, Insider Risk, Cloud Sensor, and Endpoint Sensor pages. The role also allows full access to manage Settings but only restricted access to the Incidents page. The default role configuration does not include the ability to access event details. Security Analyst Level 2: This user role allows investigation of incidents with access to file contents and screenshots. The role is set with read-only permissions for the Risks Overview page and provides limited access to the Insider Risk and Settings pages.

Security Analyst Level 1: This user role allows limited investigation of incidents. In this role, the user cannot access file contents and

screenshots. The role is set with read-only permissions for the Risks Overview page and provides limited access to the Insider Risk and Settings pages.

Creating a new role

1. Click on Create a Role.

2. In the New Role window, enter a role name and a brief description of the role.

3. Select the Role kind.

User: Has permission to access the Cyberhaven Console.

API Key: Has permission to use the API endpoints. See, API v2. 4. Select the level of permissions you want to assign to this role. The options are Read, Create, Update, and Delete.

5. Click Save to create the role. The new role is displayed in the Roles table.

Assigning the role to a user

You can assign the role to a user which will define their permissions within the Cyberhaven Console.

1. Navigate to Preferences > Users.

2. Click on the Actions menu for a user and select Change role. The role settings are displayed in a pop-up window.

Additionally, when inviting a new user to the Console, you have the option to assign them a specific role.

Editing a role

1. Click on the actions menu for that role and select Edit Role.
2. On the Edit Role page, modify the permissions and click Save. Deleting a role

1. Click on the actions menu for that role and select Delete Role. 2. On the confirmation pop-up window, click Yes.

PII Field Masking

The Cyberhaven platform captures several PII fields as part of the event metadata. This feature allows you to control which users can view sensitive

fields, such as names and email addresses, within the Cyberhaven Console and the API by assigning role-based permissions.

Users without this permission will see sensitive field values displayed as masked.

The following screenshot shows how a user without this permission will view the data.

Setting the Permission

You can manage user permissions to view PII data from the Roles page under Preferences > Roles and Scopes.

Enable this permission to grant users with this role access to view PII data.

Disabled this permission to restrict access to PII data.

List of PII Fields

The following is a full list of fields considered to have PII information within the platform.

AI explanation

App command line

App main window title

Assigned to

Browser page title

Cloud app account

Cloud destination account

Cloud destination accounts

Cloud destination groups

Cloud messaging groups

Cloud messaging users

Destination file path

Destination location outline

Directory user groups

Email account

Email groups

File path

First name

Full name

Group name

Hostname

Last name

Local machine name

Local user groups

Local user name

Manager email

Manager name

Phone number

Primary address city

Primary address country

Primary address region

Primary address street address

Primary address zip code

Primary email

Printer name

Removable device name

Resolved by

Source file path

Source location outline

User

Users

API Role

Cyberhaven provides external APIs that can be used to configure the platform and query data. The user must have an API role to use the APIs.

Creating an API role

1. Click on Create a Role and enter a role name and description. 2. Under Role kind, select API Key.

3. Select the permissions and click Save.

API User Permissions

An API Key role grants permission to access the following features using API endpoints.

Event Details for Dashboard: Use the EventService APIs to retrieve details about specific events from the Events page.

Incidents: Use the IncidentService API to retrieve details about specific incidents from the Incidents page.

Linea AI Summaries: Use the IncidentService API to retrieve the AI summaries for incidents.

Endpoint Sensor Status: Use the EndpointService APIs to retrieve details about specific endpoints or delete endpoints from the Endpoint Sensors page.

Installer: Use the InstallerService API to get the binary installer file for the Latest, Previous, or specific Sensor version.

Lists: Use the ListService APIs to retrieve, create, update, or delete lists and list items.

Integration Destination: Use the StreamingDestinationsService API endpoints to retrieve details about the streaming destinations added to the Integrations page. See, Integrations.

Integration Configuration: Use the StreamingProfilesService API endpoints to retrieve details about the configured profiles for streaming destinations added to the Integrations page.

Integration Connection Log: Use the StreamingProfilesService API endpoints for the connection log to retrieve details about the connection history of a configured profile on the Integrations page. Aconnection log provides the history of Cyberhaven's connection to your destination URL.

To see our API explorer and documentation, in the Cyberhaven Console navigate to Administration > API specification.

To learn more about the APIs, see the API documentation.

Change Log

Updated on 02/19/2025: Updated the API User Permissions list.

Scopes

On this page, you can create and manage the scope of a user’s access within the Cyberhaven Console. Go to Preferences > Roles and Scopes.

The scope specifies the range of access a user has to datasets and risk groups within the Risks Overview and Insider Risk pages of the Cyberhaven Console. The table on the Scopes tab displays a list of all the scopes you have created. The Full Access scope is predefined and cannot be modified or deleted.

Creating a new scope

1. In the Scopes tab, click on New Scope.

2. In the New Access Scope window, enter a scope name and a brief description of the scope.

3. Select the scope of access to datasets. Options are the following: a. Full Access: Grants the user access to all datasets and their events.

b. Include: Restricts user access to the specified datasets and their events.

c. Exclude: Allows access to all datasets and related events, except those in the specified datasets.

4. Select the scope of access to User Risk Groups. You can create User Risk Groups on the Insider Risk page. Options are the following: a. Full Access: Grants the user access to all user risk groups created in the Cyberhaven Console and their events.

b. Include: Restricts user access to events within the specified user risk groups only.

c. Exclude: Allows access to all events, except those in the

specified user risk groups.

5. Click Save to create the scope. The new scope is added to the Scopes page.

Applying the scope

After you've created the scope, you can assign it to a user and define their access to specific datasets and user risk groups.

1. Navigate to Preferences > Users.

2. Click on the Actions menu for a user and select Change scope. Apop up window with the list of scopes is displayed.

3. Select the scope you want to assign to the user and click Save.

Additionally, when inviting a new user to the Console, you have the option to assign them a specific scope.

Editing a scope

1. Click on the actions menu for the scope and select Edit.

2. On the Edit Access Scope page, modify the access and click Save.

Deleting a scope

1. Click on the actions menu for the scope and select Delete.

2. On the confirmation pop-up window, click Delete.

User Notification Branding

Cyberhaven supports custom branding of user notifications with a logo. To configure custom notifications, click from the Cyberhaven console, followed by LOGO SETTINGS. You can now upload the image from your browser either by clicking on or by dragging and dropping an image. Image files up to 3MB are supported, in JPG or PNG formats.

After uploading an image, you can select if you wish the image to appear as a banner or to the left of the warning dialog message.

When a policy violation occurs that has end user notification enabled as part of Response Actions, the uploaded logo will be part of the warning message displayed to the user.