Learn more about predefined roles to easily assign user access to Cortex XDR views and actions.
Role-based access control (RBAC) enables you to use predefined Palo Alto Networks roles to assign access rights to Cortex XDR users. You can manage roles for all Cortex XDR apps and services in the Gateway and Cortex XDR management console. By assigning roles, you enforce the separation of access among functional or regional areas of your organization.
Each role extends specific privileges to users. The way you configure administrative access depends on the security requirements of your organization. Use roles to assign specific access privileges to administrative user accounts.
You can manage role permissions in Cortex XDR , which are listed by the various components according to the sidebar navigation in Cortex XDR. Some components include additional action permissions, such as pivot (right-click) options, to which you can also assign access, but only when you’ve given the user View/Edit permissions to the applicable component.
The default Palo Alto Networks roles provide a specific set of access rights to each role. You cannot edit the default roles directly, but you can save them as new roles and edit the permissions of the new roles. To view the predefined permissions for each default role, go to→ → → .
Some features are license-dependent. Accordingly, users may not see a specific feature if the feature is not supported by the license type or if they do not have access based on their assigned role.
The Account Admin has full access to the given app(s), including all instances added to the app(s) in the future. The account admin can assign roles for app instances, and can also activate app instances specific to the app.
A Instance Administrator has full access to the app instance for which this role is assigned. The Instance Administrator can also make other users an Instance Administrator for the app instance. If the app has predefined or custom roles, the Instance Administrator can assign those roles to other users.
A Deployment Admin can manage and control endpoints and installations, and configure Broker VMs.
An Investigator can view and triage alerts and incidents.
An Investigation Admin can view and triage alerts and incidents, configure rules, view endpoint profiles and policies, and analytics management screens.
A Responder can view and triage alerts, and access all response capabilities excluding Live Terminal.
A Privileged Investigator can view and triage alerts, incidents, and rules, view endpoint profiles and policies, and analytics management screens.
A Privileged Responder can view and triage alerts and incidents, access all response capabilities, and configure rules, policies, and profiles.
An IT Admin can manage and control endpoints and installations, configure Broker VMs, view endpoint profiles and policies, and view alerts.
Privileged IT Admin
A Privileged IT Admin can manage and control endpoints and installations, configure Broker VMs, create profiles and policies, view alerts, and initiate Live Terminal.
Privileged Security Admin
A Privileged Security Admin can triage and investigate alerts and incidents, and respond to and edit profiles and policies.
The Viewer can view the majority of the features for this instance and can edit reports.
Scoped Endpoint Admin
The Scoped Endpoint Admin has access only to product areas that support endpoint scoped based access control (SBAC) - Endpoint Administration, Action Center, Response, Dashboards and Reports.
The Security Admin can triage and investigate alerts and incidents, respond (excluding Live Terminal), and edit profiles and policies.