Manage User Scope - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Administrator Guide

Cortex XSIAM
Creation date
Last date published
Administrator Guide

Cortex XSIAM supports the scoping of users to particular endpoint groups.

With Scope-Based Access Control (SBAC), Cortex XSIAM enables you to assign users to specific tags of different types in your organization. By default, all users have management access to all tags in the tenant. However, after you (as an administrator) assign a management scope to a Cortex XSIAM user (non-administrator), the user is then able to manage only the specific tags and its associated entities that are predefined within that scope. To enable SBAC per server, refer to Define Scoped Server Access in Set up Your Environment.

The permissions in user or group settings define which entity the user can access, and the scope defines what the user can view within the entity.

SBAC applies only to the following functional areas in Cortex XSIAM.

  • Endpoint Administration table—View endpoints and take actions on endpoints.

  • Policy Management—Create and edit Prevention policies and profiles, Extension policies and profiles, and global and device Exceptions that are within the scope of the user.

  • Action Center—View and take actions only on endpoints that are within the scope of the user.

  • Dashboards and Reports—Scoping takes place only on agent-related widgets.

  • Incidents and Alerts—View and manage incidents and alerts filtered according to the scope of the user or group.


Important: The rest of the functional areas and their permissions in Cortex XSIAM do not support SBAC. Accordingly, if these permissions are granted to a scoped user, the user will be able to access all endpoints in the tenant within this functional area. For example, a scoped user with permission to view incidents can view all incidents in the system without limitation to a scope, however, will not be able to create an alert or device exception.

Also, note that the Agent Installation widget is not available for scoped users.


Once a scope is set by an endpoint group, the user cannot edit the user group, because it will affect the user's own scope.

To define the scope of a user.

  1. Select SettingsConfigurationsAccess ManagementUsers.

    The currently assigned scope of each user is displayed in the Scope column of the Users table.

  2. Right-click the user name and select Update User.

  3. In the Scope tab, select one or all of the following for Tag Family. The user's permissions are based on the tags assigned to them.

    • Select All

    • Endpoint Groups—User is scoped according to Endpoint Groups. The tag selected refers to the specific endpoint group.

    • Endpoint Tags—User is scoped according to Endpoint Tags. The tag selected refers to the specific endpoint tag.

  4. If you selected a Tag Family option, from the Tags field, select the relevant tags associated with the family.


    • If you select a tag family without specific tags, permissions apply to all tags in the family.

    • The scope is based only on the selected Tag Families. If you scope only based on tags from Family A, then Family B is disregarded in scope calculations and considered as allowed.

  5. Click Save.

The users to whom you have scoped particular endpoints are now able to use Cortex XDR only within the scope of their assigned endpoints.


Make sure to assign the required default permissions for scoped users. This depends on the structure and divisions within your organization and the particular purpose of each organizational unit to which scoped users belong.