Role-Based Access Control

Through our investment in APIs and integrations we aim to provide customers and partners with the core capabilities of the Carbon Black Cloud, securely and flexibly integrated within their security stack. To do so, we’re launching a new workflow featuring Custom Access Levels for API Keys, which allows customers to apply access controls and create least-privileged API keys.

This workflow will help us deliver more value through API Keys with a new set of API points to manage alerts and endpoints.

  • With the rollout of User Roles and Access Levels, it is easy to customize your access to the Carbon Black Cloud APIs.
  • Whenever possible, use API Keys with least privileged access.
  • Custom API Key Access Levels can be assigned User Roles or Access Levels.
  • Access to Carbon Black Cloud using a Custom API Key Access Level can be restricted to authorized IP Addressse.

The details on this page apply when Carbon Black Cloud is used to manage identities and roles. If VMware Cloud Services Platform is used, then the principles are consistent and there are equivalent steps.

Information on determining which identity manager your organization uses is here.

User Roles

User Roles are accessible in the Carbon Black Cloud Console under Settings > Roles.

Create custom roles with specific permission levels. Roles are available to assign to your console users from the Users page.

  • When selecting permissions for your user roles, reference the permission descriptions for additional detail, as needed.
  • To add a new role click Add Role.
  • Enter a unique name and description for the new role.
    • To add and remove permissions from an existing set of permissions, select a role from the copy permissions from dropdown, to use as a template.
    • To select permissions without a template, set copy permissions from to None.
  • Select or unselect the desired permissions for the role, then click Save.

Access Levels

  • Access Levels allow Carbon Black Cloud organization administrators to define granular authorization permissions to API Keys.
  • An Access Level is a combination of multiple individual permissions.
  • Each individual permission has Create, Read, Update, Delete, and Execute operations.
    • Each individual permission has one or more of the C, R, U, D, E operations available to be enabled or disabled.
  • As we continue to update and improve our APIs, additional routes will be made available in future releases to allow full customization of permissions and access levels.


An access level is made up of multiple individual permissions.

  • Permissions are uniquely identified by their .notation name.
  • Each permission has one or more Create, Read, Update, Delete, and Execute operations available to be selected.

Access Levels in the Console

View access levels in the Carbon Black Cloud Console under Settings > API Keys > Access Levels (Tab). To create access levels, follow these steps:

  • Navigate to Settings > API Access > Access Levels.
  • Click Add Access Levels.
  • Enter a unique name and description for the new access level.


  1. Create a new Access Level and name it Help Desk Scripts.
  2. Add permissions (using notation names) - livequery.manage, org.feeds.
    1. For livequery.manage, assign create and read operation(s).
    2. For org.feeds, assign create and read operation(s).
  3. Save the access level.
  4. Create a new API Key and assign the custom access level as developer.example.

You have now created an API Key which has the ability to:

  • Create LiveQuery Runs
  • Read LiveQuery Run Results
  • Create Enterprise EDR (ThreatHunter) Feeds
  • Read Enterprise EDR (ThreatHunter) Feeds

Last modified on December 5, 2023