Identity Security permissions - Configure permissions for Cloud Identity Security and the ITDR add-on. - Administrator Guide - Cortex XSIAM - Cortex

Identity Security permissions - Configure permissions for Cloud Identity Security and the ITDR add-on. - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM 3.x Documentation

Product

Cortex XSIAM

Creation date

2025-07-15

Last date published

2026-06-16

Notice

Cloud Identity Security requires Cloud Posture Security, Cloud Runtime Security, or Cortex XSIAM Premium license.

ITDR requires a separate ITDR add-on.

Permission	Description	Roles Example
None	The user has zero visibility into the Identity Security. All related dashboard widgets are hidden.
View	Read-only access to all Identity Security features (subject to addon/license availability). Users can observe, investigate, and analyze identity data, but cannot make any changes.	SOC Tier-1 Analyst: View identity posture issues and ITDR issues during triage. SOC Tier-2 Analyst & Threat Hunter: Deep investigation access to identity issues and threats, but rule/policy changes should be escalated.
View/Edit	Complete control. Includes the ability to create, modify, and delete identity security configurations, detection rules, and conditional access policies.	SOC Tier-3 Analyst: May require access to manage conditional access policies and settings during advanced response Security Engineer: Build and tune identity detection rules and access policies.

To effectively secure identities and investigate complex identity-based threats, analysts and engineers require deep visibility into the underlying cloud configurations, automation responses, and compliance standards. Consider adding the following permissions:

Permission	Permission Level	Reason
Cases & Issues	View	Required. Needed to see the cases and issues generated by Identity Detection Rules.
Action Center	View/Edit	Strongly Recommended. Required to track and execute active response actions against compromised identities (e.g., disabling accounts or forcing MFA).
Query Center & Query Library	View or View/Edit	Strongly Recommended. Required to run and save XQL investigations on complex identity data.
Asset Inventory & Asset Groups	View	Strongly Recommended. Provides essential broader context for the affected identities and how they map to organizational assets.
Cloud Security & Compute Policies	View	Strongly Recommended. Dictates the overarching cloud posture and CWP policies governing the identities.
Credentials	View	Strongly Recommended. Needed to view the integrations and connections linking Cortex XSIAM to cloud and identity providers (such as AWS, Okta, or Microsoft Entra ID).
Playbooks & Scripts	View	Strongly Recommended. Heavily utilized for automated identity remediation, such as auto-disabling compromised accounts or alerting identity owners.
Reports & Compliance	View	Recommended. General Reports, Compliance Reports, and Catalog & Assessment Profiles often include identity posture data and frameworks requiring identity security controls.