User permissions - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Administrator Guide

Cortex XSIAM
Creation date
Last date published
Administrator Guide

You can assign users to the investigation for them to view and manage the investigation.

User Permissions enable users to view and manage investigations according to their access permissions.

The Permissions table appears only when Scope-Based Access Control (SBAC) is enabled. Go to Server SettingsScoped Server Access to enable investigation permissions.

Users with account administrator or instance administrator roles have access to investigations and can't be cleared from the Permissions table. They can view and edit all Investigations, including adding/removing users, creating/deleting collections, closing the Investigation. This prevents investigation lockout in the event of a user leaving before the Investigation is complete.

When SBAC is enabled, you can limit access to selected users with other assigned roles, and assign them permissions to the investigation.

If SBAC is disabled, the permissions is limited to role-based access (RBAC), so anyone with forensic investigator or forensics viewer access will be able to see the investigations.


Even if a user does not have access to view an investigation via the Forensics Investigations page, they can still query the results of the collections using an XQL query.

The Permissions fields describe the following information:



User Name

Name of the user as logged in the SettingsAccess ManagementUsers.


The user's email as logged in the SettingsAccess ManagementUsers.

User Type

Indicates whether the user was defined in Cortex XSIAM using the CSP (Customer Support Portal), SSO (single sign-on) using your organization’s IdP, or both CSP/SSO.


Name of the role assigned specifically to the user that is not inherited from somewhere else, such as a User Group. When the user does not have any Cortex XSIAM access permissions that are assigned specifically to them, the field displays No-Role.


Options are None, View, View/Edit