Disable a User - Administrator Guide - 6.11 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR Administrator Guide

Product: Cortex XSOAR
Version: 6.11
Creation date: 2022-12-12
Last date published: 2024-04-15
Category: Administrator Guide
Abstract

Disable a user in Cortex XSOAR. All user information is retained for disabled users and they can be enabled again at a later date.

In Cortex XSOAR, you can temporarily disable a user or remove a user. Disable users who will need access again at a later date. All user information is maintained for disabled users.

If the user is assigned to incidents or tasks or is the owner of a dashboard, these assignments do not automatically change when the user is disabled.

Tip

We recommend changing incident and task assignments manually before disabling users.

After you disable a user, any dashboards the user has created can be deleted only by the default admin via the API, using the dashboard ID. To get the dashboard ID, click the gear icon on the relevant dashboard page, export the dashboard as a JSON file, and copy the dashboard ID from the file. Then send a DELETE request to the /dashboards/:id route. For example, DELETE /dashboards/9dd50ef1-8a2b-48a5-821e-8238a87e2bdc.
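The export-then-delete procedure above can be scripted. The following is an added example, not code from the Cortex XSOAR documentation. It assumes the exported file stores the dashboard ID in a top-level "id" field and that the default admin's API key is sent in the Authorization header; the environment variable names and server URL are hypothetical.

```python
import json
import urllib.parse
import urllib.request

# Constructed sample of an exported dashboard file; only "id" is used, and the
# top-level "id" field name is an assumption about the export format.
SAMPLE_EXPORT = '{"id": "9dd50ef1-8a2b-48a5-821e-8238a87e2bdc", "name": "Constructed dashboard"}'


def dashboard_id_from_export(export_text):
    """Return the dashboard ID stored in an exported dashboard JSON document."""
    data = json.loads(export_text)
    dash_id = data.get("id") if isinstance(data, dict) else None
    if not isinstance(dash_id, str) or not dash_id.strip():
        raise ValueError("export does not contain a dashboard ID")
    return dash_id.strip()


def build_delete_request(server_url, api_key, dash_id):
    """Build (but do not send) DELETE /dashboards/:id for the given server."""
    if not server_url.lower().startswith("https://"):
        raise ValueError("refusing to send an API key over a non-HTTPS URL")
    # Percent-encode the ID so it always stays a single path segment.
    path = "/dashboards/" + urllib.parse.quote(dash_id, safe="")
    return urllib.request.Request(
        server_url.rstrip("/") + path,
        method="DELETE",
        # Assumption: the API key is passed in the Authorization header.
        headers={"Authorization": api_key, "Accept": "application/json"},
    )


if __name__ == "__main__":
    import os
    import sys
    # Hypothetical usage:
    #   XSOAR_URL=https://xsoar.example.com XSOAR_API_KEY=... python script.py export.json
    with open(sys.argv[1], encoding="utf-8") as fh:
        req = build_delete_request(
            os.environ["XSOAR_URL"],
            os.environ["XSOAR_API_KEY"],
            dashboard_id_from_export(fh.read()),
        )
    with urllib.request.urlopen(req) as resp:
        print(resp.status, req.get_method(), req.full_url)
```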

Any reports the user has created remain available. Reports are not owned by specific users and can be edited or deleted by other users.

Note

Unlike removing a user, disabling a user does not revoke the user’s API keys.

  1. Reassign incidents and tasks.

    1. Go to the Incidents page and search for -status:closed owner:user_name to find any incidents the user is assigned to. Reassign any open incidents to another user.

    2. Go to the Incidents page and search for -status:closed investigation.users:user_name. Reassign tasks to another user.

      When a user is assigned a task in an incident, the user is added to the incident. This search finds all incidents where the user is a participant.

  2. Disable the user.

    1. Go to Settings → USERS AND ROLES → Users.

    2. Select the user you want to disable.

      If the user is a default admin, you need to select Roles and deselect Set as Default Admin.

    3. Click Disable.

    4. Confirm that you want to disable the user.