Viewer
Read-only access
Analyst
Respond to security events
Admin
Full platform control
Viewer
Read-only access to security data. Best for stakeholders and observers. Can:- View detections and cases
- View assets (users, endpoints, files, IPs)
- View integrations
- View team settings
- Search the data lake (events)
- Update cases or detections
- Create custom detections
- Take containment actions
- Configure integrations
- Manage team members
Analyst
View and respond to security events. Best for SOC analysts and security engineers. Everything Viewers can do, plus:- Update cases and detections
- Add case notes and attachments
- Create custom detections
- Take containment actions (contain/uncontain users and endpoints)
- Test chat-ops
- Manage integration configuration (for select integrations, once added by an Admin)
- Add or remove integrations
- Manage team members
- Manage containment policies
- Manage exclusions
- Manage asset automations
- Manage verdicts
- Run integration actions
Admin
Full platform control. Best for security team leads and platform administrators. Everything Analysts can do, plus:- Configure integrations (add, update, delete)
- Manage team members (invite, remove, change roles)
- Manage containment policies
- Manage exclusions
- Manage asset automations
- Manage verdicts
- Manage chat-ops
- Run integration actions
- Update team settings and billing
Managing Roles
Changing a Team Member’s Role
- Navigate to Settings > Team
- Find the team member in the Team Members table
- Click the three-dot menu and select Change Role
- Choose Viewer, Analyst, or Admin
Only Admins can change team member roles.
Role Comparison
| Permission | Viewer | Analyst | Admin |
|---|---|---|---|
| View detections & cases | ✓ | ✓ | ✓ |
| View assets | ✓ | ✓ | ✓ |
| View integrations | ✓ | ✓ | ✓ |
| View team settings | ✓ | ✓ | ✓ |
| Search the data lake | ✓ | ✓ | ✓ |
| Update cases & detections | ✓ | ✓ | |
| Add case notes | ✓ | ✓ | |
| Create custom detections | ✓ | ✓ | |
| Take containment actions | ✓ | ✓ | |
| Test chat-ops | ✓ | ✓ | |
| Manage integration configuration | ✓ | ✓ | |
| Add/remove integrations | ✓ | ||
| Manage team members | ✓ | ||
| Manage containment policies | ✓ | ||
| Manage exclusions | ✓ | ||
| Manage asset automations | ✓ | ||
| Manage verdicts | ✓ | ||
| Manage chat-ops | ✓ | ||
| Run integration actions | ✓ |
Team API Keys
Team API keys can be created with any role (Viewer, Analyst, or Admin) and have the same permissions as a team member with that role. To create a team API key:- Navigate to Settings > Team
- Scroll to Team API Keys
- Provide a name, role, and expiration (1-720 days)
- Copy and securely store the token (it will only be displayed once)
FAQ
Can a team member have different roles on different teams?
Can a team member have different roles on different teams?
Yes. If you’re part of multiple teams, you can have different roles on each team.
Can Viewers see sensitive data like credentials?
Can Viewers see sensitive data like credentials?
No. Integration credentials and API keys are never displayed to any role, including Admins. You can only add or update them, not view existing values.
What happens if I accidentally remove the last Admin?
What happens if I accidentally remove the last Admin?
You cannot remove the last Admin from a team. Wirespeed requires at least one Admin per team to ensure the team can be managed.