Assign user roles and groups - Learn how to assign users to roles and user groups. - Administrator Guide - Cortex XDR - Cortex

Assign user roles and groups - Learn how to assign users to roles and user groups. - Administrator Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR 3.x Documentation

Product

Cortex XDR

License

Prevent

Pro

Creation date

2024-03-06

Last date published

2025-11-14

Note

If an existing user in the Cortex Gateway no longer has a role or a user group assigned, the user is revoked. Any roles, user groups, or egress configurations created by that user are shown as created by Revoked user instead of the user’s email address.

Role-based access control (RBAC) enables you to use predefined Palo Alto Networks roles to assign access rights to Cortex XDR users. You can manage roles for all Cortex XDR tenants and services in the Gateway or in the Cortex XDR tenant. By assigning roles, you enforce the separation of access among functional or regional areas of your organization.

Each role extends specific privileges to users. The way you configure administrative access depends on the security requirements of your organization. Use roles to assign specific access privileges to administrative user accounts.

You can manage role permissions in Cortex XDR , which are listed by the various components according to the sidebar navigation in Cortex XDR. Some components include additional action permissions, such as pivot (right-click) options, to which you can also assign access, but only when you’ve given the user View/Edit permissions to the applicable component.

The default Palo Alto Networks roles provide a specific set of access rights to each role. You cannot edit the default roles directly, but you can save them as new roles and edit the permissions of the new roles. To view the predefined permissions for each default role, go to Settings → Configurations → Access Management → Roles.

Note

Some features are license-dependent. Accordingly, users may not see a specific feature if the feature is not supported by the license type or if they do not have access based on their assigned role.

Default Role	Description
Account Admin	A Super User role that is assigned directly to the user in Cortex Gateway and has full access to all Cortex products in your account, including all tenants added in the future. The Account Admin can assign roles for Cortex instances and activate Cortex tenants specific to the product. Note The user who activated the Cortex product is assigned the Account Admin role. You cannot create additional Account Admin roles in the Cortex XDR tenant. If you do not want the user to have Account Admin permission, you need to remove the Account Admin role in Cortex Gateway.
Instance Administrator	View and edit permissions for all components and access all pages in the Cortex XDR tenant. The Instance Administrator can also make other users an Instance Administrator for the tenant. If the tenant has predefined or custom roles, the Instance Administrator can assign those roles to other users.
Deployment Admin	Manage and control endpoints and installations, and configure Broker VMs.
Investigator	View and triage alerts and incidents.
Investigation Admin	View and triage alerts and incidents, configure rules, view endpoint profiles and policies, and analytics management screens.
Responder	View and triage alerts, and access all response capabilities excluding Live Terminal.
Privileged Investigator	View and triage alerts, incidents, and rules, view endpoint profiles and policies, and analytics management screens.
Privileged Responder	View and triage alerts and incidents, access all response capabilities, and configure rules, policies, and profiles.
IT Admin	Manage and control endpoints and installations, configure Broker VMs, view endpoint profiles and policies, and view alerts.
Privileged IT Admin	Manage and control endpoints and installations, configure Broker VMs, create profiles and policies, view alerts, and initiate Live Terminal.
Privileged Security Admin	Triage and investigate alerts and incidents, and respond to and edit profiles and policies.
Viewer	View the majority of the features for this instance and can edit reports.
Scoped Endpoint Admin	Can only access product areas that support endpoint scoped-based access control (SBAC) - Endpoint Administration, Action Center, Response, Dashboards and Reports.
Security Admin	Can triage and investigate alerts and incidents, respond (excluding Live Terminal), and edit profiles and policies.

Cortex XDR provides predefined built-in user roles that provide specific access rights that cannot be modified. You can also create custom, editable user roles. If a user does not have any Cortex XDR access permissions that are assigned specifically to them, the field displays No-Role.

Select Settings → Configurations → Access Management → Users.
Right-click the relevant user, and select Edit User Permissions.
Tip
To apply the same settings to multiple users, select them, and then right-click and select Edit Users Permissions.
Under Role, select the default or custom role.
(Optional) Under User Groups, add the user to a group.
(Optional) Under Show Accumulated Permissions:
1. Do one of the following:
  - Select all to view the combined permissions for every role and user group assigned to the user.
  - Select a specific role assigned to the user to view the available permissions for that role.
2. Under Components, expand each list to view the permissions.
Important
Setting Cortex Query Language (XQL) dataset access permissions for a user role can only be performed from Cortex XDR Access Management. For more information, see Manage user roles.
(Optional) If Scope-Based Access Control is enabled for the tenant, click Scope and select a tag family and the corresponding tags.
Guidelines for selecting tags
Keep in mind the following:
Roles defined as administrator or a part of the admin group can't be scoped.
If you select a tag family without specific tags, permissions apply to all tags in the family.
The scope is based only on the selected tag families. If you scope only based on tags from Family A, then Family B is disregarded in scope calculations and is considered as allowed.
You can also set user access permissions for the various Cortex Query Language (XQL) datasets.
Click Save.

Users are assigned roles and permissions either by being assigned a role directly or by being assigned membership in one or more user groups. A user group can only be assigned to a single role, but users can be added to multiple groups if they require multiple roles. You can also nest groups to achieve the same effect. Users who have multiple roles through either method will receive the highest level of access based on the combination of their roles.

Example 2.

Jane has an analyst role and is a member of the Tier-1 Analyst user group, which is assigned the Triage role. Jane has the permissions of an analyst and the Triage role. Jane is assigned 2 roles, and has the highest permission based on the combination of both roles.
John is a member of two user groups - Tier-1 Analyst and Tier-2 Analyst. Each group is configured to use a different role - Triage role and Incident Response role. John is assigned both roles and has the highest permissions based on the combination of all roles.
Jack is a member of the Tier-2 user group which has an Incident response role. This user group is included in a Tier-3 user group (Threat Hunter role), added as a nested group. Jack is assigned both roles and has the highest permissions based on the combination of all roles.

On the User Groups page, you can create a new user group for several different system users or groups. You can see the details of all user groups, the roles, nested groups, IdP groups (SAML) when the group was created/updated, etc.

You can also right-click in the table to perform actions such as edit, save as a new group, remove (delete) a group, and copy text to the clipboard.

Note

You can create user groups in the tenant or Cortex Gateway. If created in Cortex Gateway, they cannot be mapped to SAML groups. Only groups that are created in the tenant support SAML group mapping. We recommend creating user groups in the Cortex XDR tenant because user groups are available for all tenants and you may want different user groups in different tenants, such as dev/prod.

Go to Settings → Configurations → Access Management → User Groups.
If creating in Cortex Gateway, go to Permission Management → User Groups.

To create a new user group for several different system users or groups, click New Group, and add the following:

Field	Description
Name	Name of the user group.
Description	Description of the user group.
Group for product	(Cortex Gateway only) If you have other products, select the relevant Cortex product.
Role	Select the group role associated with this user group. You can only have a single role designated per group. In Cortex Gateway, you can only select either Instance Administrator or a custom role created in the Gateway.
Users	Select the users you want to belong to this user group.
Nested Groups	Lists any nested groups associated with this user group. If you have an existing group you can add a nested group. User groups can include multiple users and nested groups, which inherit the permissions of parent user groups. The user group will have the highest level of permission. For example: Group A has Tier-1 Analyst permissions Group B has Tier-2 Analyst permissions If you add Group A as a nested group in Group B, Group A inherits Group B's permissions (Tier-1 and Tier-2 permissions). In Cortex Gateway, you can only add user groups that are created in Cortex Gateway.
SAML Group Mapping	(Relevant when creating a user group in the Cortex XDR tenant only). When SSO is enabled you can see your organization's Identity Provider (IdP groups), which are automatically mapped to the user group. Note When using Azure AD for SSO, the SAML group mapping needs to be provided using the group object ID (GUID) and not the group name.

Click Create to create a new user group and assign the relevant users to the group.

Perform additional tasks

For more information about additional tasks such as creating a custom role, modifying a user's role, or removing a user's role, see Manage user access or Cortex Gateway Administrator Guide.

Important

Note

Note

Note

Tip

Important

Note

Note

Perform additional tasks