Analyst Groups
You can set up Analyst Groups in Configurations using the following steps:
Turn on the Display Analyst Groups flag to show the Analyst Groups tab under User Management. Users with the right permissions can start creating groups.
Before you can enable the feature, all active users must be assigned to at least one Analyst Group. You can create groups and assign users directly from the configuration panel. A progress counter helps track how many users still need to be assigned. This step ensures that no user is left without access to relevant data once the feature is turned on.
Once all users have been assigned to groups, turn on the Enable Analyst Groups flag. This activates group-based access across the Analyst Portal. From this point onward, users will only have access to data associated with their assigned groups.
When the Analyst Groups feature is enabled, you can view data based on the groups you belong to. Each Analyst Group is assigned one or more categories, so you will only see alerts, RFIs, intel submissions, ATT&CK Navigator heatmaps, dashboards, reports, emails, and Open API endpoints that fall under those assigned categories. This setup helps you focus on the most relevant data for your group.
When the feature is disabled, you will see data based on the categories assigned directly to you. This reflects the earlier behavior, where everyone with access to the same category could view the same set of data.
When Analyst Groups are enabled, your category-based access is overridden by the permissions of your Analyst Groups. You will only see data tied to the categories assigned to your groups, even if you had broader category access before.
Yes. A user can be part of multiple Analyst Groups. In that case, they will have access to all data associated with the categories assigned to any of those groups.
Yes. When the Analyst Groups feature is enabled, every user must be assigned to at least one Analyst Group to access data. Their visibility across the Analyst Portal depends on the categories assigned to the groups they belong to.
However, Root Admins and Admins are not part of any Analyst Group but continue to have unrestricted access to all data across the Analyst Portal. If a user’s role changes, for example, from an Admin to an Analyst, their data access will then depend on the Analyst Groups assigned to them.
Removing a user from an Analyst Group immediately revokes their access to all alerts, RFIs, intel submissions, and other data previously available to them through that group. They will no longer be able to view or act on any items associated with that group’s assigned categories.
Once the Analyst Groups structure is enabled, access to alerts and other data is managed primarily based on the groups a user is part of. Previous access settings are overridden, and users can only view and manage data that is associated with their groups.
Yes, but users must be assigned to at least one group to be able to access any submissions or alerts. Groups without users will not have any analysts available to process member submissions.
If no users remain in an Analyst Group, the group still appears as an option when members submit RFIs, but there will be no analysts available to handle those submissions. To prevent gaps in handling member submissions, it is recommended to inactivate such groups if they no longer have users.
You can only modify the Analyst Groups and Category fields if you are part of all the Analyst Groups already associated with the alert. This ensures that only users with complete access to the alert can change its visibility or classification.
When you create an alert and assign Analyst Groups, those groups should be prefilled if you later edit, update, or clone the alert. However, some Analyst Groups may disappear if they were deactivated after the alert was created. Only active Analyst Groups will appear.
If you are unable to edit the Analyst Groups or Category fields in an alert, it is likely because you are not part of all the Analyst Groups currently assigned to that alert. You can still update other alert fields, but only users who belong to every assigned group can modify these specific fields. This helps preserve the integrity of group-level access controls.
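The visibility rules described above (group categories override direct categories, memberships in several groups combine, Admins and Root Admins stay unrestricted) and the all-groups rule for editing an alert's Analyst Groups and Category fields can be modelled to preview what changes before the Enable Analyst Groups flag is turned on. This is an added illustration, not the product's code or API; the group, category and user names are constructed, and the edit check covers non-admin users only because the page does not state how admins are treated there.

```python
from dataclasses import dataclass, field

UNRESTRICTED_ROLES = {"Root Admin", "Admin"}  # in no group, yet see all data

@dataclass
class User:
    name: str
    role: str
    direct_categories: set = field(default_factory=set)  # used while the feature is off
    groups: set = field(default_factory=set)             # Analyst Group memberships

def visible_categories(user, group_categories, enabled, all_categories):
    """Categories whose data the user can see under the page's rules."""
    if user.role in UNRESTRICTED_ROLES:
        return set(all_categories)
    if not enabled:
        return set(user.direct_categories)
    # Feature on: union over the user's groups; direct categories no longer count.
    return set().union(*(group_categories.get(g, set()) for g in user.groups))

def can_edit_group_fields(user, alert_groups):
    """Analyst Groups / Category fields need membership in every assigned group."""
    # Models non-admin users only; admin handling of this rule is not on the page.
    return set(alert_groups) <= user.groups

def pre_enable_report(users, group_categories, all_categories):
    """Who is unassigned, who loses categories, and which groups have no users."""
    report = {"unassigned": [], "lost": {}}
    analysts = [u for u in users if u.role not in UNRESTRICTED_ROLES]
    for u in analysts:
        if not u.groups:
            report["unassigned"].append(u.name)
        lost = (visible_categories(u, group_categories, False, all_categories)
                - visible_categories(u, group_categories, True, all_categories))
        if lost:
            report["lost"][u.name] = lost
    members = set().union(*(u.groups for u in users))
    report["empty_groups"] = sorted(g for g in group_categories if g not in members)
    return report

# Constructed sample data; every name below is hypothetical.
GROUP_CATEGORIES = {"Malware Team": {"Malware", "Phishing"},
                    "Vuln Team": {"Vulnerabilities"}, "Fraud Team": {"Fraud"}}
ALL_CATEGORIES = {"Malware", "Phishing", "Vulnerabilities", "Fraud"}
USERS = [
    User("ana", "Analyst", {"Malware", "Fraud"}, {"Malware Team"}),
    User("raj", "Analyst", {"Vulnerabilities"}, {"Malware Team", "Vuln Team"}),
    User("kim", "Analyst", {"Phishing"}, set()),
    User("root", "Root Admin"),
]
```

Running `pre_enable_report(USERS, GROUP_CATEGORIES, ALL_CATEGORIES)` lists the users who still need a group, the categories each analyst would stop seeing, and the groups that would have nobody to handle member submissions.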
Access depends on how the original submission was routed:
For RFIs, only the Analyst Groups selected by the member at the time of submission can view the RFI. If additional Analyst Groups are added later during alert creation, they can view only the published alert, not the original RFI.
For intel submissions, the intel is routed to Analyst Groups based on the category selected by the member. Only the Analyst Groups mapped to that category can view the submitted intel. If additional groups are added while creating the alert, they will have access to the alert, but not the original intel.
No. The Analyst Groups feature is currently not supported on the mobile app.
When a user is changed to an Admin or Root Admin role, they are automatically removed from any Analyst Groups they were part of. However, as an Admin or Root Admin, they will still have access to all groups and data across the platform, overriding the group-specific access controls. Their role grants them unrestricted access to all alerts and data, regardless of the groups they were assigned to.
If the user is later changed back to a role that requires Analyst Group access, you will need to manually reassign them to the appropriate groups. This will restore their access to the data associated with those groups, ensuring they can continue managing alerts and other group-specific tasks.