Manage access permissions for Cortex XSIAM users.
Prerequisite
Managing users, roles, scopes, user groups, and authentication settings in Cortex XSIAM Access Management requires View/Edit RBAC permissions for Access Management (under Configurations). The Account Admin and Instance Administrator roles are granted this permission by default. For more information, see Predefined user roles in Set up users, groups, and roles.
Review the following topics:
Update a user's role and scope, add a user to a user group, and view permissions based on the role, scope, and user groups assigned to the user.
You can configure granular scoping for Scope-Based Access Control (SBAC) by granting access only to the data that the user requires for their designated role. Administrators apply scopes to limit the data and content that users can be granted access to in Cortex XSIAM. Scopes are divided into scoping areas (Assets, Cases and Issues, Endpoints, and Datasets Rows), each applied to its own enforcement area, entity, or dataset. For more information, see Manage user scope.
Note
You can only reduce the permissions of an Account Admin user via Cortex Gateway.
Select Settings → Configurations → Access Management → Users.
Right-click the relevant user, and select Edit User Permissions.
Tip
To apply the same settings to multiple users, select them, and then right-click and select Edit User Permissions.
In the Role tab, under Role, select the default or custom role.
(Optional) Under User Groups, add the user to a group.
(Optional) Under Show Accumulated Permissions:
Do one of the following:
Select all to view the combined permissions for every role and user group assigned to the user.
Select a specific role assigned to the user to view the available permissions for that role.
Under Components, expand each list to view the permissions to the various Cortex XSIAM components.
Under Datasets, there are two possibilities for viewing a user's dataset access permissions:
When dataset access management is enabled and the user has access to certain Cortex Query Language (XQL) datasets, the datasets are listed.
When dataset access management is disabled and users have access to all XQL datasets, the text No dataset has been selected is displayed.
Note
User permissions for components and datasets are based on the access permissions set in the user role. For more information on editing these user role permissions, see Manage user roles.
(Optional) You can configure granular scoping:
Click the Scope tab.
Under Scope Definition, expand the scoping areas that you want to grant the user role access to in the tenant by clicking the chevron icon (>) beside the scoping area title, and make any changes required. The following table explains the options available to configure:
Important
Before configuring, ensure that you review Understand scoping in the Manage user scope section.
Scoping Area
Granular Scoping Configurations
Assets
Set the Scope by selecting one of the following:
No assets: No asset is accessible.
All assets: Defines access to all assets.
Select asset groups: Defines access to the specific assets associated with the selected Asset Groups, together with all cases, issues, and findings related to those assets and Asset Groups. Under Select asset groups, define the asset groups to which you want to grant access. Only Asset Groups relevant for scoping are listed, that is, asset groups that use only the asset attributes listed in Manage user scope (under Understand scoping → Scoping Areas → Assets).
The scoping of assets also affects the scoping of cases, issues, and findings.
Note
Visibility of Security domain Issues that refer to assets with agents is controlled by the Endpoints scoping configuration.
Cases and Issues
Set the Scope by selecting one of the following:
No cases and issues: Defines access to no cases and issues.
All cases and issues: Defines access to all cases and issues. Users can view cases or issues referencing assets within their scope. Use the Assets section to define which assets are in scope.
Select domains: Defines access to the domains selected to view their related cases and issues. Under Select domains, define the specific domains that you want to grant access.
With either option, users can only view cases or issues that reference assets and endpoints within their scope. Use the Assets section to define which assets are in scope.
When selecting All cases and issues or Select domains, you can separately configure access to issues and cases that lack an asset reference or where the referenced asset is not in All Assets and All Endpoints inventories. To provide access, select the Allow access to cases and issues that are not referencing known assets or endpoints checkbox. Once selected, you can specifically control which users have access to issues and cases that lack Affected Assets (as seen in the issue’s panel) and Assets (as seen in the case's panel), or where the listed assets are not part of the Asset or Endpoint inventories. When the assets listed are not part of the inventories, the asset string is typically non-clickable. In some cases, such as for identity-related issues, assets may open a dedicated User Risk View, which differs from the standard inventories panels. In the Issues and Cases tables, such items can be identified by empty values in the following columns: Asset IDs, Target Agent Identifier, and Source Agent Identifier.
Endpoints
Set the Scope by selecting one of the following:
No endpoints: Defines access to no endpoints with no ability to view their related agent management and enterprise policies.
All endpoints: Defines access to all endpoints with the ability to view their related agent management and enterprise policies. This configuration can impact the visibility of related Security domain Cases and Issues, but will not affect asset visibility.
Select specific (at least one required): Defines access to the endpoints that belong to the selected Endpoint Groups or carry the selected Endpoint Tags (select at least one group or tag), with the ability to view their related agent management and enterprise policies. This configuration can impact the visibility of related Security domain Cases and Issues, but will not affect asset visibility.
Datasets Rows
Configure a filter to define the specific subset of rows a user is allowed to access in each raw dataset. A raw dataset is any dataset into which Palo Alto Networks data is ingested out-of-the-box, or into which third-party data is ingested using a configured dedicated collector (also called a data source). This filter configuration does not impact the visibility of cases and issues. Follow these steps to configure a filter:
For datasets where no filter is defined, set the When no filter is defined option to either:
No rows are accessible (default): Without a configured filter, no rows are accessible. Users can still query the datasets in Cortex Query Language (XQL), because they have access to the dataset, but the results are empty.
All rows are accessible: Without a configured filter, all rows are accessible. Users can query the datasets in XQL and view all results.
Note
When a filter is defined for row-level scoping on raw datasets, queries based on the Cortex Data Model (XDM) are not supported. XDM queries return rows only when All rows are accessible is selected and no filter is defined in the Datasets Rows scoping area. Otherwise, XDM queries return no rows.
Define any filters for the applicable datasets listed in the table:
Scroll down the list of datasets to the dataset you want to apply a filter to, and click the Edit Scope icon.
In the Define what rows are accessible window, write the filter in the query box (the syntax is a limited subset of XQL) to limit the rows of the selected dataset to those the user is permitted to see. The beginning of the query is already defined before the query box, so do not include it in your filter.
Important
For optimal performance, we recommend using a single field in the filter definition and simple comparison operators.
Fields
Only the following system fields are supported in the filter: _broker_device_id, _broker_device_ip, _broker_device_name, _collector_id, _collector_ip, _collector_name, _collector_type, _device_id, _final_reporting_device_ip, _final_reporting_device_name, _log_type, _product, _scope, _reporting_device_ip, _reporting_device_name, and _vendor. For more information on these fields, see the table that describes all the fields in the metrics_source dataset and metrics_view preset in Overview of data ingestion metrics. For more information on the _scope field (relevant when _scope is set in the Parsing Rule), see Scenario 3: Supported fields don't provide the necessary segmentation, under Scenarios related to Datasets Rows scoping in Manage user scope.
Comparison operators
The following comparison operators are supported:
Exact matches (=, !=)
Comparing numerical values (>, <, >=, <=)
Checking membership in lists (in)
Querying arrays (array_contains)
Partial matches (contains, starts_with): These operators carry additional performance overhead, and we recommend avoiding them.
Example 12. If you only want a user to be able to access rows in the pan_dds_raw dataset when the _collector_name is bu2_collector, define the filter in the query box as:
_collector_name = "bu2_collector"
(Optional) Set the Time frame for the query. The default is Last 1 day.
(Optional) You can preview the query results displayed based on your defined query by clicking Preview. You can edit your query until you're satisfied with the output. By default, the query results are limited to 1000 records.
When you are finished, click Done.
The Scope field for the dataset that you added the filter on is updated with the query.
Example 13. In the above example, the Scope field displays _collector_name = "bu2_collector".
Important
By default, Enable Scope Based Access Control is disabled in Settings → Configurations → General → Server Settings, and granular scoping is not enforced. Before enabling SBAC, we recommend that an administrator or a user with Access Management permissions first ensures that the users, user groups, and API Keys defined in Cortex XSIAM are granted the required access by assigning the relevant scopes. For more information, see Manage user scope.
Click Save.
Use a CSV file to import users who belong to a Customer Support Portal account, and assign them roles that are defined in Cortex XSIAM. You can use the CSV template provided in Cortex XSIAM, or prepare a CSV file from scratch.
Select Settings → Configurations → Access Management → Users.
Click Import Multiple User Roles.
Do one of the following:
To use the CSV template, click Download example file, and replace the example values with your values.
Prepare a CSV file from scratch. Make sure the file includes these columns:
User email: Email address of the user belonging to a Customer Support Portal account, for example, john.smith1@exampleCompany.com.
Role name: Name of the role that you want to assign to this user, for example, Privileged Responder. The role must already exist in Cortex XSIAM.
Is an account role: A boolean value that defines whether the user is designated with an Account Admin role in Cortex Gateway. Set the value to TRUE for such users; otherwise, the value is FALSE (default).
Locate the file and drag it to the dialog box.
Click Import.
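Before importing, it is worth checking the CSV offline so that a typo in a role name or a non-boolean value does not fail the whole import. The following is an added example, not Palo Alto Networks code: it parses a file with the three columns described above and reports the rows that would be rejected. The column names are the ones listed above; the set of existing roles, the sample rows, and the validation rules (a minimal email check, an exact role-name match, and TRUE/FALSE or empty for the boolean) are assumptions made for this example.

```python
"""Offline check of an 'Import Multiple User Roles' CSV (added example, not product code)."""
import csv
import io

REQUIRED_COLUMNS = ("User email", "Role name", "Is an account role")

# Roles assumed to already exist in the tenant; the import requires the role to exist.
EXISTING_ROLES = {"Account Admin", "Instance Administrator", "Privileged Responder", "Viewer"}

# Constructed sample file: two good rows, then an unknown role, a bad boolean, a bad email.
SAMPLE_CSV = """User email,Role name,Is an account role
john.smith1@exampleCompany.com,Privileged Responder,FALSE
jane.doe@exampleCompany.com,Account Admin,TRUE
bob@exampleCompany.com,Threat Hunter,FALSE
carol@exampleCompany.com,Viewer,yes
not-an-email,Viewer,
"""


def parse_bool(text):
    """The page documents TRUE/FALSE; an empty cell is treated as FALSE (the default)."""
    value = (text or "").strip().upper()
    if value in ("", "FALSE"):
        return False
    if value == "TRUE":
        return True
    raise ValueError(f"expected TRUE or FALSE, got {text!r}")


def validate_import(csv_text, existing_roles=EXISTING_ROLES):
    """Return (valid_rows, errors). Each error names the CSV line it refers to."""
    reader = csv.DictReader(io.StringIO(csv_text))
    missing = [c for c in REQUIRED_COLUMNS if c not in (reader.fieldnames or [])]
    if missing:
        return [], [f"missing required column(s): {', '.join(missing)}"]

    valid, errors = [], []
    for lineno, row in enumerate(reader, start=2):  # line 1 is the header
        email = (row["User email"] or "").strip()
        role = (row["Role name"] or "").strip()
        problems = []
        # Minimal shape check only; the Customer Support Portal is the authority on the address.
        if "@" not in email or email.startswith("@") or email.endswith("@"):
            problems.append(f"invalid email {email!r}")
        if role not in existing_roles:
            problems.append(f"role {role!r} does not exist in Cortex XSIAM")
        is_account = None
        try:
            is_account = parse_bool(row["Is an account role"])
        except ValueError as exc:
            problems.append(str(exc))
        if problems:
            errors.append(f"line {lineno}: " + "; ".join(problems))
        else:
            valid.append({"User email": email, "Role name": role,
                          "Is an account role": is_account})
    return valid, errors


if __name__ == "__main__":
    ok, bad = validate_import(SAMPLE_CSV)
    print(f"{len(ok)} row(s) ready to import, {len(bad)} rejected")
    for line in bad:
        print("  " + line)
```

Run it against your own file by passing its contents to validate_import; only the rows in the first return value should go into the file you drag into the Import Multiple User Roles dialog.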
View all of the permissions currently assigned to a user.
Select Settings → Configurations → Access Management → Users.
Right-click the relevant user, and select Edit User Permissions.
Tip
To apply the same settings to multiple users, select them, and then right-click and select Edit User Permissions.
In the Role tab, under Show Accumulated Permissions, do one of the following:
Select all to view the combined permissions for every role and user group assigned to the user.
Select a specific role assigned to the user to view the available permissions for that role.
Under Components, expand each list to view the permissions to the various Cortex XSIAM components.
Under Datasets, there are two possibilities for viewing a user's dataset access permissions:
When dataset access management is enabled and the user has access to certain Cortex Query Language (XQL) datasets, the datasets are listed.
When dataset access management is disabled and users have access to all XQL datasets, the text No dataset has been selected is displayed.
To view the granular scoping configurations granted to the user role, click the Scope tab, and under Scope Definition, expand the scoping areas to view the settings by clicking the chevron icon (>) beside the scoping area title. The scoping areas include Assets, Cases and Issues, Endpoints, and Datasets Rows.
There might be instances where you want to hide a user from the list of users, for example, a user that has a Customer Support Portal Super User role but isn't active on your Cortex XSIAM tenant. After you hide a user, they will no longer be displayed in the list of users when Show User Subset is selected on the Users page.
Select Settings → Configurations → Access Management → Users.
Right-click the relevant user, and select Hide User.
Select Settings → Configurations → Access Management → Users.
Right-click the relevant user, and select Edit User Permissions.
Tip
To apply the same settings to multiple users, select them, and then right-click and select Edit User Permissions.
Under User Groups, add the user to a group.
Click Save.
You cannot deactivate a user who has an Account Admin role.
Select Settings → Configurations → Access Management → Users.
Right-click the relevant user, and select Deactivate User.
Click Deactivate.
You cannot remove a user who has an Account Admin role.
Select Settings → Configurations → Access Management → Users.
Right-click the relevant user, and select Remove User Role.
Click Remove.