Add “View-Only” User role for Dashboards, Threat Management, and Incidents #1369

@mjabascal10

Describe the feature

Introduce a new user role with read-only (view-only) permissions, allowing users to access and review data in Dashboards, Threat Management, and Incidents modules without the ability to modify, delete, or trigger any actions.

Use Case

Enhance role-based access control (RBAC) by providing a permission level suitable for analysts, auditors, or external reviewers who need visibility into security data but should not perform operational changes.

Proposed Solution

• Add a new user role, e.g., VIEW_ONLY_USER or READ_ONLY_ANALYST.
• Grant the following permissions:
  • View Dashboards: Full access to dashboard visualizations and metrics.
  • View Threat Management: Can browse alerts, investigate details, and view echoes but cannot modify states or create rules.
  • View Incidents: Can view incident details, timelines, and response actions, but cannot edit or close incidents.
• Restrict all write actions, including:
  • Creating or editing incidents, alerts, or rules.
  • Changing alert statuses.
  • Deleting or tagging items.

Other Information

Expected Behavior
• Users with the view-only role can navigate normally across the assigned modules but see disabled or hidden action buttons (edit, delete, tag, etc.).
• Attempting restricted actions should display a permission message (e.g., “You don’t have permission to perform this action.”).
• Role is fully compatible with existing authentication and authorization mechanisms.

Impact
• Improves security and compliance by preventing unauthorized changes.
• Enables safe sharing of platform visibility with external stakeholders or junior analysts.
• Aligns with common least-privilege access best practices.

Acknowledgements

  • I may be able to implement this feature request
  • This feature might incur a breaking change
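
One way to enforce the proposed view-only role on the server side, so that hidden or disabled buttons are not the only control. This is an added example, not part of the issue or the project's code; the grant table, `authorize`, the handler names and the `ANALYST` comparison role are assumptions.

```python
from enum import Enum

class Module(Enum):
    DASHBOARDS = "dashboards"
    THREAT_MANAGEMENT = "threat_management"
    INCIDENTS = "incidents"

class Action(Enum):
    VIEW = "view"
    CREATE = "create"
    EDIT = "edit"
    DELETE = "delete"
    TAG = "tag"
    CHANGE_STATUS = "change_status"

DENIED_MESSAGE = "You don’t have permission to perform this action."

# Hypothetical allow-list: each role maps to the (module, action) pairs it may use.
ROLE_GRANTS = {
    "VIEW_ONLY_USER": {(m, Action.VIEW) for m in Module},
    # Constructed comparison role with full access, not named in the issue.
    "ANALYST": {(m, a) for m in Module for a in Action},
}

class PermissionDenied(Exception):
    """Raised by the backend; the UI would render the message."""

def authorize(role, module, action):
    # Deny by default: unknown roles and unlisted pairs are both refused.
    if (module, action) not in ROLE_GRANTS.get(role, set()):
        raise PermissionDenied(DENIED_MESSAGE)

def view_alert(role, alert):
    authorize(role, Module.THREAT_MANAGEMENT, Action.VIEW)
    return dict(alert)  # return a copy so callers cannot mutate stored state

def change_alert_status(role, alert, new_status):
    # The check runs before any mutation, independent of what the UI hides.
    authorize(role, Module.THREAT_MANAGEMENT, Action.CHANGE_STATUS)
    alert["status"] = new_status
    return dict(alert)

def call(handler, *args):
    """Run a handler and report ("ok", result) or ("denied", message)."""
    try:
        return ("ok", handler(*args))
    except PermissionDenied as exc:
        return ("denied", str(exc))
```

Because the grant table is an allow-list, any write action added later is refused for `VIEW_ONLY_USER` until someone explicitly grants it.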

Metadata

Assignees

Labels

No labels

Projects

Status

📋 Backlog

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests