Learn how to manage role permissions in Cortex XDR.
You can manage role permissions in Cortex XDR. The permissions are listed by component, following the sidebar navigation in Cortex XDR. Dataset permissions are also included for custom roles. Some components include additional action permissions, such as pivot (right-click) options, to which you can also assign access, but only when you’ve given the user View/Edit permissions to the applicable component. Whenever you create a new role or edit an existing role, these role permissions are configurable for all Cortex XDR apps and services in the Components tab of the Create Role window on the Roles page. For more information, see Manage user roles.
Note
Cortex XDR provides predefined Palo Alto Networks roles, which have set role permissions. For more information, see Default PANW roles.
The following table lists each Cortex XDR component and its additional action permissions, grouped by the sidebar navigation headings. For each one, it shows the pages that can be accessed with the role permission, the detailed edit permissions available on each page, and any additional information you should know about the role permissions for the component.
Components | Additional Action Permissions with View/Edit Permissions | Access Permissions to these Pages with Detailed View/Edit Permissions | Additional Information |
---|---|---|---|
Dashboards | — | | Dashboards & Reports → Customize → Widget Library is displayed when the user role permissions are set to at least one of the following: |
Ingestion Monitoring | — | Dashboards & Reports → Dashboard → Data Ingestion Dashboard | |
Reports | — | | Customize → Widget Library is displayed when the user role permissions are set to at least one of the following: |
Components | Additional Action Permissions with View/Edit Permissions | Access Permissions to these Pages with Detailed View/Edit Permissions | Additional Information |
---|---|---|---|
Alerts & Incidents | — | | |
Components | Additional Action Permissions with View/Edit Permissions | Access Permissions to these Pages with Detailed View/Edit Permissions | Additional Information |
---|---|---|---|
Query Center | — | | Editing BIOC and Correlation Rules requires View/Edit permissions for both the Incident Response → Investigation → Query Center and Detections & Threat Intel → Detections → Rules (see below) |
Personal Query Library | — | Incident Response → Investigation → Query Builder → XQL Search to access your personal queries in the Query Library tab. | |
Forensics | — | Incident Response → Investigation → Forensics, where all pages related to Forensics are accessible and all actions can be performed. | |
Host Insights | — | | |
Components | Additional Action Permissions with View/Edit Permissions | Access Permissions to these Pages with Detailed View/Edit Permissions | Additional Information |
---|---|---|---|
Action Center | ✓ | Incident Response → Response → Action Center | |
Isolate ✓ | | | |
Terminate Process ✓ | Causality chain view is available from the Alerts table (Incident Response → Incidents → Alerts Table), or from the Query Results after running a query on the related data. From both of these places, you can pivot (right-click) to the causality chain view from any row in the table and select: | | |
Quarantine ✓ | Causality chain view is available from the Alerts table (Incident Response → Incidents → Alerts Table), or from the Query Results after running a query on the related data. From both of these places, you can pivot (right-click) to the causality chain view from any row in the table and select: | | |
File Retrieval ✓ | | | |
File Search ✓ | Incident Response → Incidents → Key Assets & Artifacts tab, and search for a file. | | |
Destroy Files ✓ | Incident Response → Response → Action Center → All Actions → New Action and from the Define an Action page, select Destroy file. | | |
Allow List/Block List ✓ | | | |
Disable Response Actions ✓ | Endpoints → All Endpoints, and pivot (right-click) an endpoint that isn't an iOS endpoint, and select Endpoint Control → Disable Capabilities. | | |
Remediation ✓ | | | |
Delete Quarantined Files | Incident Response → Response → Action Center → Currently Applied Actions → File Quarantine | | |
EDL | — | Incident Response → Response → EDL | |
Agent Scripts Library | ✓ | Incident Response → Response → Action Center → Agent Script Library | |
Run Standard Script ✓ | | | |
Run High-Risk Script ✓ | Incident Response → Response → Action Center → Agent Script Library, and for any script in the Scripts Library table where the Outcome column is set to High Risk, you can select: | | |
Script Configurations ✓ | Incident Response → Response → Action Center → Agent Script Library | | |
Live Terminal | — | | |
Automation Rules | — | Incident Response → Response → Automation → Automation Rules | |
Components | Additional Action Permissions with View/Edit Permissions | Access Permissions to these Pages with Detailed View/Edit Permissions | Additional Information |
---|---|---|---|
Rules | ✓ | | Editing BIOC and Correlation Rules requires View/Edit permissions for both the Incident Response → Investigation → Query Center (see above) and Detections & Threat Intel → Detections → Rules |
Prevention Rules ✓ | | | |
Request WildFire Verdict Change ✓ | From a WildFire report, you can click Report Verdict as Incorrect, and under Suggested Verdict, suggest a new verdict. Open a WildFire report from: | | |
Components | Additional Action Permissions with View/Edit Permissions | Access Permissions to these Pages with Detailed View/Edit Permissions | Additional Information |
---|---|---|---|
Network Configuration | — | | |
Compliance | — | | |
Asset Inventory | — | | |
Asset Roles Configuration | — | Assets → Asset Roles Configuration | |
Components | Additional Action Permissions with View/Edit Permissions | Access Permissions to these Pages with Detailed View/Edit Permissions | Additional Information |
---|---|---|---|
Endpoint Administrations | ✓ | Endpoints → All Endpoints | |
Endpoint Management ✓ | Endpoints → All Endpoints. Locate one or more endpoints, right-click and select: | | |
Retrieve Endpoint Data ✓ | | | |
Endpoint Scan ✓ | Endpoints → All Endpoints. Locate one or more endpoints, right-click and select: | | |
Change Managing Server ✓ | Endpoints → All Endpoints | | |
Pause Protection ✓ | Endpoints → All Endpoints | | |
Endpoint Token Management ✓ | Endpoints → All Endpoints. On the top right corner of the screen, the Tokens and Passwords icon is displayed, which you can left-click and select: | | |
Endpoint Groups | — | Endpoints → Endpoint Groups | |
Endpoint Prevention Policies | — | Endpoints → Policy Management → Prevention → Policy Rules | |
Global Exceptions | — | Endpoints → Policy Management → Prevention → Global Exceptions | |
Endpoint Profiles | — | Endpoints → Policy Management → Extensions → Profiles | |
Endpoint Extension Policies | — | Endpoints → Policy Management → Extensions | |
Endpoint Installations | — | Endpoints → Agent Installations | |
Host Firewall | — | | Users can still view Extensions profiles when the type is set to host firewall. |
Device Control | ✓ | | |
Device Control Rules ✓ | Endpoints → Device Control Violations | | |
Device Control Exceptions ✓ | Endpoints → Disk Encryption Visibility | | |
Components | Additional Action Permissions with View/Edit Permissions | Access Permissions to these Pages with Detailed View/Edit Permissions | Additional Information |
---|---|---|---|
Auditing | — | | XDR Collector Audit Logs requires a Cortex XDR Pro per GB license. |
Alert Notification | — | Notifications | |
General Configuration | — | Settings → Configurations → General → Server Settings | |
Components | Additional Action Permissions with View/Edit Permissions | Access Permissions to these Pages with Detailed View/Edit Permissions | Additional Information |
---|---|---|---|
On-demand Analytics | — | Settings → Configurations → Cortex XDR - Analytics | |
Components | Additional Action Permissions with View/Edit Permissions | Access Permissions to these Pages with Detailed View/Edit Permissions | Additional Information |
---|---|---|---|
Broker Service | ✓ | Settings → Configurations → Data Broker → Broker VMs | |
Pathfinder Applet ✓ | Settings → Configurations → Data Broker → Broker VMs, and in the APPS column of the Broker VMs page, the Pathfinder applet is displayed. | | |
Pathfinder Data Collection | — | Settings → Configurations → Data Collection → Pathfinder Collection Center | To use the Pathfinder Collection Center page, you need to have View/Edit permission for the Broker Service and the Pathfinder Applet (see permissions above). |
Components | Additional Action Permissions with View/Edit Permissions | Access Permissions to these Pages with Detailed View/Edit Permissions | Additional Information |
---|---|---|---|
Log Collections | — | | Ingestion of logs and data requires a Cortex XDR Pro per GB license |
External Alerts Mapping | — | Settings → Configurations → Data Collection → External Alert Mapping | |
Components | Additional Action Permissions with View/Edit Permissions | Access Permissions to these Pages with Detailed View/Edit Permissions | Additional Information |
---|---|---|---|
Data Management | — | | To set permissions for Compute Unit Usage, use Integrations → Public API (see table below). |
Components | Additional Action Permissions with View/Edit Permissions | Access Permissions to these Pages with Detailed View/Edit Permissions | Additional Information |
---|---|---|---|
Public API | — | | |
Threat Intelligence | — | Settings → Configurations → Integrations → Threat intelligence | |
Long Running HTTP Integrations configuration | — | | |
Components | Additional Action Permissions with View/Edit Permissions | Access Permissions to these Pages with Detailed View/Edit Permissions | Additional Information |
---|---|---|---|
Support | — | Help → Submit a Support Case | |
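
A consistency check for a planned role against the three dependencies this page states (action permissions need View/Edit on their component; BIOC and Correlation Rule editing needs both Query Center and Rules; Pathfinder Collection Center needs Broker Service and the Pathfinder Applet). This is an added example, not Palo Alto Networks code: the role dictionary layout and the `view` / `view_edit` level strings are assumptions for illustration and not a Cortex XDR export format, while the component and action names come from the tables above.

```python
# Added example; role layout and level strings are assumptions, not a Cortex XDR format.
VIEW_EDIT = "view_edit"  # assumed label for the page's "View/Edit" level
# Component -> additional action permissions marked with a check in the tables above.
ACTIONS = {
    "Action Center": ["Isolate", "Terminate Process", "Quarantine", "File Retrieval",
                      "File Search", "Destroy Files", "Allow List/Block List",
                      "Disable Response Actions", "Remediation"],
    "Agent Scripts Library": ["Run Standard Script", "Run High-Risk Script",
                              "Script Configurations"],
    "Rules": ["Prevention Rules", "Request WildFire Verdict Change"],
    "Endpoint Administrations": ["Endpoint Management", "Retrieve Endpoint Data",
                                 "Endpoint Scan", "Change Managing Server",
                                 "Pause Protection", "Endpoint Token Management"],
    "Device Control": ["Device Control Rules", "Device Control Exceptions"],
    "Broker Service": ["Pathfinder Applet"],
}
PARENT_OF = {a: c for c, acts in ACTIONS.items() for a in acts}
def review_role(role):
    """Return findings for {'components': {name: level}, 'actions': [names]}."""
    comps = role.get("components", {})
    actions = set(role.get("actions", []))
    findings = []
    def has(component):
        return comps.get(component) == VIEW_EDIT
    # Rule 1: an action permission only applies with View/Edit on its component.
    for action in sorted(actions):
        parent = PARENT_OF.get(action)
        if parent is None:
            findings.append(f"{action}: not an action permission listed on the page")
        elif not has(parent):
            findings.append(f"{action}: needs View/Edit on {parent}")
    # Rule 2: editing BIOC and Correlation Rules needs both Query Center and Rules.
    if has("Query Center") != has("Rules"):
        missing = "Rules" if has("Query Center") else "Query Center"
        findings.append(f"BIOC/Correlation rule editing: missing View/Edit on {missing}")
    # Rule 3: Pathfinder Collection Center needs Broker Service and the Pathfinder Applet.
    if has("Pathfinder Data Collection"):
        if not has("Broker Service"):
            findings.append("Pathfinder Collection Center: needs View/Edit on Broker Service")
        if "Pathfinder Applet" not in actions:
            findings.append("Pathfinder Collection Center: needs Pathfinder Applet")
    return findings

# Constructed sample role, not taken from a real tenant.
SAMPLE_ROLE = {"components": {"Action Center": "view", "Query Center": VIEW_EDIT,
                              "Pathfinder Data Collection": VIEW_EDIT,
                              "Broker Service": VIEW_EDIT},
               "actions": ["Isolate", "Run High-Risk Script"]}
if __name__ == "__main__":
    print("\n".join(review_role(SAMPLE_ROLE)))
```

An empty result means the planned role satisfies the dependencies stated on this page; it says nothing about whether the role is least-privilege for the user's job.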