Assign user roles and groups - Administrator Guide - Cortex XSIAM - Cortex

Abstract

Learn how to assign users to roles and user groups.

After activating your Cortex XSIAM tenant, you can start to manage user roles and permissions. Cortex XSIAM uses role-based access control (RBAC) to manage roles with specific permissions for controlling user access. RBAC helps manage access to Cortex XSIAM components, so that users, based on their roles, are granted minimal access required to accomplish their tasks.

You can manage user roles from the following:

Cortex Gateway: Manage roles and permissions for multiple tenants linked to the same Customer Support Portal account.
When you activate a tenant for the first time, users who were created in the Customer Support Portal will have access to the tenant but will not have a role. The gateway is usually used to assign roles after the activation process. Roles and permissions are applied across all tenants and all Cortex products. You can exclude different tenants or different Cortex products. For more information, see the Cortex Gateway Administrator Guide.
Cortex XSIAM Access Management: Manage roles and permissions, and authentication settings for a specific Cortex XSIAM tenant only. For more information, see Manage user access.

Assign roles directly to users or create user groups and assign roles to those groups. We recommend creating user groups (with a user role), and assigning users to those user groups rather than creating direct roles for each user.

Role-based access control (RBAC) enables you to use predefined Palo Alto Networks roles to assign access rights to Cortex XSIAM users. You can manage roles for all Cortex XSIAM tenants and services in the Gateway or in the Cortex XSIAM tenant. By assigning roles, you enforce the separation of access among functional or regional areas of your organization.

Each role extends specific privileges to users. The way you configure administrative access depends on the security requirements of your organization. Use roles to assign specific access privileges to administrative user accounts.

You can manage role permissions in Cortex XSIAM , which are listed by the various components according to the sidebar navigation in Cortex XSIAM. Some components include additional action permissions, such as pivot (right-click) options, to which you can also assign access, but only when you’ve given the user View/Edit permissions to the applicable component.

The default Palo Alto Networks roles provide a specific set of access rights to each role. You cannot edit the default roles directly, but you can save them as new roles and edit the permissions of the new roles. To view the predefined permissions for each default role, go to Settings → Configurations → Access Management → Roles.

Note

Some features are license-dependent. Accordingly, users may not see a specific feature if the feature is not supported by the license type or if they do not have access based on their assigned role.

Default Role	Description
Account Admin	A Super User role that is assigned directly to the user in the Cortex Gateway and has full access to all Cortex products in your account, including all tenants added in the future. The Account Admin can assign roles for Cortex instances and activate Cortex tenants specific to the product. Note The user who activated the Cortex product is assigned the Account Admin role. You cannot create additional Account Admin roles in the Cortex XSIAM tenant. If you do not want the user to have Account Admin permission, you need to remove the Account Admin role in the Cortex Gateway.
Instance Administrator	View and edit permissions for all components and access all pages in the Cortex XSIAM tenant. The Instance Administrator can also make other users an Instance Administrator for the tenant. If the tenant has predefined or custom roles, the Instance Administrator can assign those roles to other users.
Deployment Admin	Manage and control endpoints and installations, and configure Broker VMs.
Investigator	View and triage alerts and incidents.
Investigation Admin	View and triage alerts and incidents, configure rules, view endpoint profiles and policies, and analytics management screens.
Responder	View and triage alerts, and access all response capabilities excluding Live Terminal.
Privileged Investigator	View and triage alerts, incidents, and rules, view endpoint profiles and policies, and analytics management screens.
Privileged Responder	View and triage alerts and incidents, access all response capabilities, and configure rules, policies, and profiles.
IT Admin	Manage and control endpoints and installations, configure Broker VMs, view endpoint profiles and policies, and view alerts.
Privileged IT Admin	Manage and control endpoints and installations, configure Broker VMs, create profiles and policies, view alerts, and initiate Live Terminal.
Privileged Security Admin	Triage and investigate alerts and incidents, and respond to and edit profiles and policies.
Viewer	View the majority of the features for this instance and can edit reports.
Scoped Endpoint Admin	Can only access product areas that support endpoint scoped-based access control (SBAC) - Endpoint Administration, Action Center, Response, Dashboards and Reports.
Security Admin	Can triage and investigate alerts and incidents, respond (excluding Live Terminal), and edit profiles and policies.
App Service Account	View and triage alerts, incidents, and rules, and support public APIs relevant for apps.

Cortex XSIAM provides predefined built-in user roles that provide specific access rights that cannot be modified. You can also create custom, editable user roles. If a user does not have any Cortex XSIAM access permissions that are assigned specifically to them, the field displays No-Role.

Select Settings → Configurations → Access Management → Users.
Right-click the relevant user, and select Edit User Permissions.
Tip
To apply the same settings to multiple users, select them, and then right-click and select Edit Users Permissions.
Under Role, select the default or custom role.
(Optional) Under User Groups, add the user to a group.
(Optional) Under Show Accumulated Permissions:
1. Do one of the following:
  - Select all to view the combined permissions for every role and user group assigned to the user.
  - Select a specific role assigned to the user to view the available permissions for that role.
2. Under Components, expand each list to view the permissions.
(Optional) If Scope-Based Access Control is enabled for the tenant, click Scope and select a tag family and the corresponding tags.
Guidelines for selecting tags
Keep in mind the following:
Roles defined as administrator or a part of the admin group can't be scoped.
If you select a tag family without specific tags, permissions apply to all tags in the family.
The scope is based only on the selected tag families. If you scope only based on tags from Family A, then Family B is disregarded in scope calculations and is considered as allowed.
You can also set user access permissions for the various Cortex Query Language (XQL) datasets.
Click Save.

Users are assigned roles and permissions either by being assigned a role directly or by being assigned membership in one or more user groups. A user group can only be assigned to a single role, but users can be added to multiple groups if they require multiple roles. You can also nest groups to achieve the same effect. Users who have multiple roles through either method will receive the highest level of access based on the combination of their roles.

Example 1.

Jane has an analyst role and is a member of the Tier-1 Analyst user group, which is assigned the Triage role. Jane has the permissions of an analyst and the Triage role. Jane is assigned 2 roles, and has the highest permission based on the combination of both roles.
John is a member of two user groups - Tier-1 Analyst and Tier-2 Analyst. Each group is configured to use a different role - Triage role and Incident Response role. John is assigned both roles and has the highest permissions based on the combination of all roles.
Jack is a member of the Tier-3 user group which has a Threat Hunter Role. This user group also includes a Tier-2 user group (Incident response role), added as a nested group. Jack is assigned both roles and has the highest permissions based on the combination of all roles.

On the User Groups page, you can create a new user group for several different system users or groups. You can see the details of all user groups, the roles, nested groups, IdP groups (SAML) when the group was created/updated, etc.

You can also right-click in the table to perform actions such as edit, save as a new group, remove (delete) a group, and copy text to the clipboard.

Note

You can create user groups in the tenant or the Cortex Gateway. If created in the Cortex Gateway, they cannot be mapped to SAML groups. Only groups that are created in the tenant support SAML group mapping. We recommend creating user groups in the Cortex XSIAM tenant because user groups are available for all tenants and you may want different user groups in different tenants, such as dev/prod.

Go to Settings & Info → Settings → Access Management → User Groups.
If creating in the Cortex Gateway, go to Permission Management → User Groups.

To create a new user group for several different system users or groups, click New Group, and add the following:

Field	Description
Name	Name of the user group.
Description	Description of the user group.
Group for product	(Cortex Gateway only) If you have other products, select the relevant Cortex product.
Role	Select the group role associated with this user group. You can only have a single role designated per group. In the Cortex Gateway, you can only select either Instance Administrator or a custom role created in the Gateway.
Users	Select the users you want to belong to this user group.
Nested Groups	Lists any nested groups associated with this user group. If you have an existing group you can add a nested group. User groups can include multiple users and nested groups, which inherit the permissions of parent user groups. The user group will have the highest level of permission. For example: Group A has Tier-1 Analyst permissions Group B has Tier-2 Analyst permissions If you add Group A as a nested group in Group B, Group A inherits Group B's permissions (Tier-1 and Tier-2 permissions). In the Cortex Gateway, you can only add user groups that are created in the Cortex Gateway.
SAML Group Mapping	(Relevant when creating a user group in the Cortex XSIAM tenant only). When SSO is enabled you can see your organization's Identity Provider (IdP groups), which are automatically mapped to the user group. Note When using Azure AD for SSO, the SAML group mapping needs to be provided using the group object ID (GUID) and not the group name.

Click Create to create a new user group and assign the relevant users to the group.

Perform additional tasks

For more information about additional tasks such as creating a custom role, modifying a user's role, or removing a user's role, see Manage user access or the Cortex Gateway Administrator Guide.

Assign user roles and groups - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Documentation

Note

Note

Tip

Note

Note

Perform additional tasks