Learn more about managing roles and permissions for tenants using the Permission Management console.
You can manage roles and permissions for a single tenant or a number of tenants at the same time using the Cortex XDR Permission Management console, which is accessible via the Cortex Gateway. The Permission Management console is used for first-time activations. To create and assign roles, you must first activate your Cortex XDR tenant and be assigned an Account Admin role in the Gateway.
The Permission Management console is divided into two subcategories, Permissions and Roles, which you can view on separate pages.
In the Permissions page, Cortex XDR lists all the users allocated to a specific Customer Support Portal (CSP) account and tenant name. If a user is not listed, ensure that the user is added to the Customer Support Portal. The Permissions table provides different fields of information as detailed below. You can select whether to Show User Subset to display only the users who are not designated as Hidden users (default). For example, this is useful when you have users, who are not related to Cortex XDR and will not be designated with a Cortex XDR role, such as CSP Super Users, and you want to hide them from the list. You can also select whether to View By Users (default) or Tenants.
Note
Groups and Group Roles can only be configured in Cortex XDR in the → → → page. For more information, see the Manage User Groups section.
Note
Once a scope is set by an endpoint group, the user cannot edit the user group, because it will affect the user's own scope.
User Name—Displays the first and last name of the user and whether the user is a CSP Super User and Account Admin. If the user is allocated to more than one tenant, expand the user name to display the details for each tenant.
Email—Email address of the user.
Tenant—Name of the tenant the user has permission to access. Next to the user name, expand () to view the tenant name.
User Type—Indicates whether the user was defined in Cortex XDR using the CSP (Customer Support Portal), SSO (single sign-on) using your organization’s IdP, or both CSP/SSO.
Direct XDR Role—Name of the role assigned specifically to the user that is not inherited from somewhere else, such as a User Group. Next to the user name, expand () to view the role assigned per tenant, if the user does not have any Cortex XDR access permissions that are assigned specifically to them, the field displays No-Role.
Groups—Lists the groups that a user belongs to, where any group imported from Active Directory has the letters AD added beside the group name.
Group Roles—Lists the different group roles based on the groups the user belongs to. When you hover over the group role, the group associated with this role is displayed.
Last Login Time—Last date and time the user accessed the tenant.
Status—Displays whether the user is Active or Inactive.
In the Roles page, Cortex XDR lists the pre-defined user roles and custom-defined roles. Use roles to assign specific view and action access privileges to administrative user accounts. The way you configure administrative access depends on the security requirements of your organization. The built-in roles provide specific access rights that cannot be changed. The roles you create provide more granular access control.
The Roles table provides the following fields of information.
Role Name—Name of the role.
Created By—Displays one of the following options depending on whether the role is a custom role created by a user or a predefined role.
Palo Alto Networks—Predefined role granting user permissions in all tenants.
<
user email address
> —A custom role created in the Gateway granting user permission in all tenants.<
user email address
> —A custom role created in the Cortex XDR app granting user permission for that specific tenant alone.
Tenant—Name of the tenant the role applies to according to where the role was created; Gateway or Cortex XDR app.
Description—Description of the role.
Creation Time—Date and time when the role was created. The field is available for only a custom role.
Modification Time—Date and time of when the role was last updated. The field is available for only a custom role.
Select
→ → .Manage your Cortex XDR roles and permissions.
If you are managing more than one CSP account, select the account you want to display the available roles. If you only manage one CSP account, Cortex XDR only displays the roles available on your tenant.
In the Roles table, the following options are available to help you manage roles.
Create a custom role based on the Cortex XDR predefined roles.
Locate the predefined role that you want to base your custom role on, right-click and select Save As New Role.
In the Create Role window, specify a Role Name and update the Description.
Update the Views and Actions permissions you want the role to include and Create the role.
Create and save new roles based on the granular permission.
Select New Role.
In the Create Role window, specify a Role Name and Description.
Select the Views and Actions permissions you want the role to include and Create the role.
Edit role permissions (only available for roles you create).
Locate the custom role you want to edit, right-click and select Edit Role.
In the Edit Role window, update the Views and Actions permissions you want the role to include and Edit the role.
Assign roles to a Cortex XDR user.
In the Permissions page, select the Account Name. The following options are available to help you manage permissions. You can assign roles to one or more users at a time.
Assign permissions to a user that does not have a role.
Hover over the user name and select , located to the right of the row, to Add Permissions.
In the Add Permissions window, select from the list of Available Tenants for which you want to grant permissions.
Select a role from either the Default Roles or Custom Roles you want to assign the user and Add the role to the user.
Update permission for users with an existing role.
Hover over the user name and select , located to the right of the row to Update Permissions.
In the Update Permissions window, select a role from either the Default Roles or Custom Roles you want to assign the user and Update the role.
Note
Allow up to ten minutes for the new role to be updated in the system.
Deactivate a user.
Locate the user you want to deactivate, right-click, and select Deactivate User.
Note
You cannot deactivate a user that has an Account Admin role.
Designate a user as hidden.
Locate the user you want to hide, right-click, and select Hide User. When a user is designated as hidden, the user will no longer be displayed in the Permissions table when the table is configured to Show User Subset (default configuration).
Manage User Scope
Assign users to specific endpoint groups in your organization.