Manage user access - Manage access permissions for Cortex Cloud users. - Administrator Guide

Manage user access - Manage access permissions for Cortex Cloud users. - Administrator Guide - Cortex CLOUD

Cortex Cloud Posture Management Documentation

Product

Cortex Cloud Application Security > Cortex CLOUD

License

Cloud Posture Management

Creation date

2025-01-22

Last date published

2026-06-10

Prerequisite

Managing users, roles, scopes, user groups, authentication settings in Cortex Cloud Access Management requires View/Edit RBAC permissions for Access Management (under Configurations). Account Admin and Instance Administrator roles are granted this permission by default. For more information, see Predefined user roles in Set up users, groups, and roles.

Review the following topics:

Manage access permissions for Cortex Cloud users.

Edit user permissions

Update a user's role and scope, add a user to a user group, and view permissions based on the role, scope, and user groups assigned to the user.

You can configure granular scoping for Scope-Based Access Control (SBAC) by granting access only to the relevant data that the user requires for their designated role. Administrators apply scopes to limit the data and content that users can be granted access to in Cortex Cloud, which are divided into different scoping areas. The scoping areas include Assets, Cases and Issues, and Endpoints, which can be applied as relevant to the enforcement area or entity. For more information, see Manage user scope.

Note

You can only reduce the permissions of an Account Admin user via Cortex Gateway.

Select Settings → Configurations → Access Management → Users.
Right-click the relevant user, and select Edit User Permissions.
Tip
To apply the same settings to multiple users, select them, and then right-click and select Edit User Permissions.
In the Role tab, under Role, select the default or custom role.
(Optional) Under User Groups, add the user to a group.
(Optional) Under Show Accumulated Permissions:
1. Do one of the following:
  - Select all to view the combined permissions for every role and user group assigned to the user.
  - Select a specific role assigned to the user to view the available permissions for that role.
2. Under Components, expand each list to view the permissions to the various Cortex Cloud components.
3. Under Datasets, there are two possibilities for viewing a user's dataset access permissions:
  - When dataset access management is enabled and the user has access to certain Cortex Query Language (XQL) datasets, the datasets are listed.
  - When dataset access management is disabled and users have access to all XQL datasets, the text No dataset has been selected is displayed.
Note
User permissions for components and datasets are based on the access permissions set in the user role. For more information on editing these user role permissions, see Manage user roles.

(Optional) You can configure granular scoping:

Click the Scope tab.

Under Scope Definition, expand the scoping areas that you want to grant the user role access to in the tenant by clicking the chevron icon (>) beside the scoping area title, and make any changes required. The following table explains the options available to configure:

Important

Before configuring, ensure that you review Understand scoping in the Manage user scope section.

Scoping Area	Granular Scoping Configurations
Assets	Set the Scope by selecting one of the following: No assets: No asset is accessible. All assets: Defines access to all assets. Select asset groups: Defines access to the specific assets associated with the Asset Groups selected, and to view all their related cases, issues, and findings for these specific assets and Asset Groups. Under Select asset groups, define the specific asset groups that you want to grant access. Only Asset Groups relevant for scoping are listed, which are asset groups that are using only the asset attributes listed in Manage user scope (under Understand scoping → Scoping Areas → Assets). The scoping of assets also affects the scoping of cases, issues, and findings. Note Visibility of Security domain Issues that refer to assets with agents is controlled by the Endpoints scoping configuration.
Cases and Issues	Set the Scope by selecting one of the following: No cases and issues: Defines access to no cases and issues. All cases and issues: Defines access to all cases and issues. Users can view cases or issues referencing assets within their scope. Use the Assets section to define which assets are in scope. Select domains: Defines access to the domains selected to view their related cases and issues. Under Select domains, define the specific domains that you want to grant access. Users can only view cases or issues referencing assets and endpoints within their scope. Use the Assets section to define which assets are in scope. When selecting All cases and issues or Select domains, you can separately configure access to issues and cases that lack an asset reference or where the referenced asset is not in All Assets and All Endpoints inventories. To provide access, select the Allow access to cases and issues that are not referencing known assets or endpoints checkbox. Once selected, you can specifically control which users have access to issues and cases that lack Affected Assets (as seen in the issue’s panel) and Assets (as seen in the case's panel), or where the listed assets are not part of the Asset or Endpoint inventories. When the assets listed are not part of the inventories, the asset string is typically non-clickable. In some cases, such as for identity-related issues, assets may open a dedicated User Risk View, which differs from the standard inventories panels. In the Issues and Cases tables, such items can be identified by empty values in the following columns: Asset IDs, Target Agent Identifier, and Source Agent Identifier.
Endpoints	Set the Scope by selecting one of the following: No endpoints: Defines access to no endpoints with no ability to view their related agent management and enterprise policies. All endpoints: Defines access to all endpoints with the ability to view their related agent management and enterprise policies. This configuration can impact the visibility of related Security domain Cases and Issues, but will not affect asset visibility. Select specific (at least one required): Defines specific access to all endpoint groups by selecting Endpoint Groups or all endpoint tags by selecting Endpoint Tags to view their related agent management and enterprise policies. This configuration can impact the visibility of related Security domain Cases and Issues, but will not affect asset visibility.

Scoping Area

Granular Scoping Configurations

Assets

Set the Scope by selecting one of the following:

No assets: No asset is accessible.
All assets: Defines access to all assets.
Select asset groups: Defines access to the specific assets associated with the Asset Groups selected, and to view all their related cases, issues, and findings for these specific assets and Asset Groups. Under Select asset groups, define the specific asset groups that you want to grant access. Only Asset Groups relevant for scoping are listed, which are asset groups that are using only the asset attributes listed in Manage user scope (under Understand scoping → Scoping Areas → Assets).

The scoping of assets also affects the scoping of cases, issues, and findings.

Note

Visibility of Security domain Issues that refer to assets with agents is controlled by the Endpoints scoping configuration.

Cases and Issues

Set the Scope by selecting one of the following:

No cases and issues: Defines access to no cases and issues.
All cases and issues: Defines access to all cases and issues. Users can view cases or issues referencing assets within their scope. Use the Assets section to define which assets are in scope.
Select domains: Defines access to the domains selected to view their related cases and issues. Under Select domains, define the specific domains that you want to grant access.
Users can only view cases or issues referencing assets and endpoints within their scope. Use the Assets section to define which assets are in scope.

When selecting All cases and issues or Select domains, you can separately configure access to issues and cases that lack an asset reference or where the referenced asset is not in All Assets and All Endpoints inventories. To provide access, select the Allow access to cases and issues that are not referencing known assets or endpoints checkbox. Once selected, you can specifically control which users have access to issues and cases that lack Affected Assets (as seen in the issue’s panel) and Assets (as seen in the case's panel), or where the listed assets are not part of the Asset or Endpoint inventories. When the assets listed are not part of the inventories, the asset string is typically non-clickable. In some cases, such as for identity-related issues, assets may open a dedicated User Risk View, which differs from the standard inventories panels. In the Issues and Cases tables, such items can be identified by empty values in the following columns: Asset IDs, Target Agent Identifier, and Source Agent Identifier.

Endpoints

Set the Scope by selecting one of the following:

No endpoints: Defines access to no endpoints with no ability to view their related agent management and enterprise policies.
All endpoints: Defines access to all endpoints with the ability to view their related agent management and enterprise policies. This configuration can impact the visibility of related Security domain Cases and Issues, but will not affect asset visibility.
Select specific (at least one required): Defines specific access to all endpoint groups by selecting Endpoint Groups or all endpoint tags by selecting Endpoint Tags to view their related agent management and enterprise policies. This configuration can impact the visibility of related Security domain Cases and Issues, but will not affect asset visibility.

Important

By default, Enable Scope Based Access Control is disabled in Settings → Configurations → General → Server Settings, and granular scoping is not enforced. Before enabling SBAC, we recommend that an administrator or a user with Access Management permissions first ensures that the users, user groups, and API Keys defined in Cortex Cloud are granted the required access by assigning the relevant scopes. For more information, see Manage user scope.

Click Save.

Import multiple users

Use a CSV file to import users who belong to a Customer Support Portal account, and assign them roles that are defined in Cortex Cloud. You can use the CSV template provided in Cortex Cloud, or prepare a CSV file from scratch.

Select Settings → Configurations → Access Management → Users.
Click Import Multiple User Roles.
Do one of the following:
- To use the CSV template, click Download example file, and replace the example values with your values.
- Prepare a CSV file from scratch. Make sure the file includes these columns:
  - User email: Email address of the user belonging to a Customer Support Portal account, for example, john.smith1@exampleCompany.com.
  - Role name: Name of the role that you want to assign to this user, for example, Privileged Responder. The role must already exist in Cortex Cloud.
  - Is an account role: A boolean value that defines whether the user is designated with an Account Admin role in Cortex Gateway. Set the value to TRUE; otherwise, the value is set to FALSE (default).
Locate the file and drag it to the dialog box.
Click Import.

View user permissions

View all of the permissions currently assigned to a user.

Select Settings → Configurations → Access Management → Users.
Right-click the relevant user, and select Edit User Permissions.
Tip
To apply the same settings to multiple users, select them, and then right-click and select Edit User Permissions.
In the Role tab, under Show Accumulated Permissions, do one of the following:
- Select all to view the combined permissions for every role and user group assigned to the user.
- Select a specific role assigned to the user to view the available permissions for that role.
Under Components, expand each list to view the permissions to the various Cortex Cloud components.
Under Datasets, there are two possibilities for viewing a user's dataset access permissions:
- When dataset access management is enabled and the user has access to certain Cortex Query Language (XQL) datasets, the datasets are listed.
- When dataset access management is disabled and users have access to all XQL datasets, the text No dataset has been selected is displayed.
To view the granular scoping configurations granted to the user role, click the Scope tab, and under Scope Definition, expand the scoping areas to view the settings by clicking the chevron icon (>) beside the scoping area title. The scoping areas include Assets, Cases and Issues, and Endpoints.

Hide user

There might be instances where you want to hide a user from the list of users, for example, a user that has a Customer Support Portal Super User role but isn't active on your Cortex Cloud tenant. After you hide a user, they will no longer be displayed in the list of users when Show User Subset is selected on the Users page.

Select Settings → Configurations → Access Management → Users.
Right-click the relevant user, and select Hide User.

Add user to a user group

Select Settings → Configurations → Access Management → Users.
Right-click the relevant user, and select Edit User Permissions.
Tip
To apply the same settings to multiple users, select them, and then right-click and select Edit User Permissions.
Under User Groups, add the user to a group.
Click Save.

Deactivate user

You cannot deactivate a user who has an Account Admin role.

Select Settings → Configurations → Access Management → Users.
Right-click the relevant user, and select Deactivate User.
Click Deactivate.

Remove role assigned to user

You cannot remove a user who has an Account Admin role.

Select Settings → Configurations → Access Management → Users.
Right-click the relevant user, and select Remove User Role.
Click Remove.