Manage Users - Administrator Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR Prevent Administrator Guide

Cortex XDR
Creation date
Last date published
Administrator Guide

Learn more about managing users in the Access Management console.

In the Users page, Cortex XDR lists all the users allocated to a specific Customer Support Portal (CSP) account and tenant. If a user is not listed, ensure that the user is added to the Customer Support Portal. The Users table provides different fields of information as detailed below. At the top of the page, you can perform the following actions.

  • Import Multiple User Roles as a CSV (Comma-separated values) file. This import can be used to quickly add users who already belong to a CSP account and assign them preexisting roles in Cortex XDR . You can use the Download example file to view the required format of the CSV file to upload and replace the file contents with the data you want to upload, where the following columns must be included.

    • User email—The email address of the user belonging to a CSP account that you want to import.

    • Role Name—The name of the role that you want to assign to this user, where the role must already be created in Cortex XDR.

    • Is an account role (default=false)—A boolean value to define whether the user is designated with an Account Admin role in the Cortex Gateway. To define this in the CSV file, set the value to TRUE; otherwise, the value is set to FALSE (default).

  • Show User Subset to display only the users who are not designated as Hidden users (default).

  • Search for something in the search box.

The following is a description of the different columns in the Users table.


Certain fields are exposed and hidden by default. An asterisk (*) is beside every field that is exposed by default.

  • User Name*—Displays the first and last name of the user.

  • Email*—Email address of the user.

  • User Type*—Indicates whether the user was defined in Cortex XDR using the CSP (Customer Support Portal), SSO (single sign-on) using your organization’s IdP, or both CSP/SSO.

  • Direct XDR Role*—Name of the role assigned specifically to the user that is not inherited from somewhere else, such as a User Group. When the user does not have any Cortex XDR access permissions that are assigned specifically to them, the field displays No-Role.

  • Groups*—Lists the groups that a user belongs to, where any group imported from Active Directory has the letters AD added beside the group name.


    If a user group has scoping permissions, the users in the group are granted permissions according to the user group settings, even if the user does not have configured scope settings.

    If a user is assigned to multiple user groups, which are mapped to different roles, or if the user is assigned to nested user groups, the user has the highest level of privileges based on the combination of roles.

  • Group Roles*—Lists the different group roles based on the groups the user belongs to. When you hover over the group role, the group associated with this role is displayed.

  • Scope—Lists the scope assigned to the user either directly or through a group based on tags. The family includes the tag types and the related tags of the selected family.


    Only visible if the Scope Based Access Control feature is enabled for the tenant.

  • Last Login Time*—Last date and time the user accessed the tenant.

  • Status*—Displays whether the user is Active or Inactive.

  • First Name—Displays the first name of the user.

  • Last Name—Displays the last name of the user.

You can also pivot (right-click) from rows and specific values in the table, where a number of different options are available to help you manage your Cortex XDR users from this page. You can perform these actions on one or more users at a time.

  1. Select SettingsConfigurationsAccess ManagementUsers.

    In the Users page, a number of different options are available to help you manage users.

  2. Manage your Cortex XDR users.

    The following options are available to help you manage users, which you can perform on one or more users at a time.

    • Update a user role for users with an existing role.

      1. You can either hover over the user name and select the Update User Role icon (access-management-update-user-role.png), located to the right of the row or right-click the user name and select Update User Role. You can also select more than one user to set and manage a role for all these system users belonging to the same group at once.

      2. Select a Role from the list of default and custom roles that you want to assign the user.


        You can only reduce the permissions of an Account Admin user via the Cortex Gateway.

      3. Add a particular user to a group by selecting the User Groups from the list.

      4. Show Accumulated Permissions for the user(s) based on the Role and User Groups assigned to the user(s). Role permissions are comprised of different Components permissions. By default, All permissions are displayed, which lists the combined permissions of every Role and User Group assigned to the user. You can also select the specific roles assigned to the user, which enables you to compare available permissions based on the roles selected. This can help you understand how the role permissions for a particular user are built. For example, if you need to isolate a specific component, the permissions are provided by a particular Role or User Group.

      5. Scope tab enables you to select the Tag Family and it's corresponding Tags. The user's permissions are based on the tags assigned to them.


        • Only visible if the Scope Based Access Control feature is enabled for the tenant.

        • Roles defined as administrator or a part of the admin group, can't be scoped.

        • If you select a tag family without specific tags, permissions apply to all tags in the family.

        • The scope is based only on the selected Tag Families. If you scope only based on tags from Family A, then Family B is disregarded in scope calculations and considered as allowed.

      6. Update User Role to save your changes to the user role.

    • Deactivate a user.

      Locate the user you want to deactivate, right-click, and select Deactivate User.


      You cannot deactivate a user that has an Account Admin role.

      When a user is deactivated, API keys that the user created are not revoked.

    • Remove a role assigned to a user.

      When you remove a role, the role associated with the API keys is deleted.

      • If more than one role was associated with the API key, a yellow warning symbol appears next to the API key in the API key table. When you hover over the symbol, a message indicates that some of the roles associated with the API key had been deleted.

      • If all roles associated with the API key are removed, a red warning symbol appears appears next to the API key in the API key table. When you hover over that symbol, a message indicates that the key is no longer usable because it does not have a role associated with it. The API key is still visible in the API table but it cannot be assigned.

      1. Locate the user you want to remove the role from, right-click, and select Remove User Role.

      2. Click Remove.


        You cannot remove a user that has an Account Admin role.

    • Designate a user as hidden.

      Locate the user you want to hide, right-click, and select Hide User. When a user is designated as hidden, the user will no longer be displayed in the Users table when the table is configured to Show User Subset (default configuration). This is useful, for example, when you have users, who are not related to Cortex XDR and will not be designated with a Cortex XDR role, such as CSP Super Users, and you want to hide them from the list.

    • If enabled, delete a Single Sign-on (SSO) user.

      1. Locate the SSO user you want to delete, right-click, and select Delete SSO User.

      2. Click Delete.

    • Copy text to clipboard to copy text from a specific row field in the row of a user.

    • Copy entire row to copy the text from all the fields in a row of a user.