Manage user roles and access management - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Learn how to manage access for users, user roles, user groups, and Single Sign-On (SSO) for users on a specific Cortex XSIAM tenant.

You can manage access for users, and create and assign user roles and user groups for a specific tenant. When Single Sign-On (SSO) is enabled, you can manage SSO for users.


You can manage access permissions and activities for users allocated to a specific Customer Support Portal account and tenant.

User roles

User roles enable you to define the type of access and actions a user can perform. User roles are assigned to users, or to user groups.

Cortex XSIAM provides predefined built-in user roles that provide specific access rights that cannot be modified. You can also create custom, editable user roles.

You can also set dataset access permissions using user roles or set specific permissions using role-based access control (RBAC). Configuring administrative access depends on the security requirements of your organization. Dataset permissions control dataset access for all components, while RBAC controls access to a specific component. By default, dataset access management is disabled, and users have access to all datasets. If you enable dataset access management, you must configure access permissions for each dataset type, and for each user role. When a dataset component is enabled for a particular role, the Alert and Incidents pages include information about datasets.

User groups

You can use user groups to streamline configuration activities by grouping together users whose access permission requirements are similar. Import user groups from Active Directory, or create them from scratch in Cortex XSIAM.

Single Sign-On

Manage your SSO integration with the Security Assertion Markup Language (SAML) 2.0 standard to securely authenticate system users across enterprise-wide applications and websites with one set of credentials. This configuration allows system users to authenticate using your organization's Identity Provider (IdP), such as Okta or PingOne. You can integrate any IdP that supports SAML 2.0 with Cortex XSIAM.

The configuration steps for SSO with SAML 2.0 depend on your organization’s IdP. Some field values must be obtained from your organization’s IdP, and some values must be added to it. It is your responsibility to understand how to access your organization’s IdP to provide these fields, and to add any fields from Cortex XSIAM to your IdP.

After SSO configuration is complete, when you sign in as an SSO user, the Cortex XSIAM permissions granted to you after you log in, from either the group mapping or the default role configuration, remain in effect for the entire session, up to the defined maximum session length. The maximum session length is defined in your Cortex XSIAM Session Security Settings. This applies even if the default role configuration is updated or the group membership settings are changed during the session.
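
To see which SSO sessions are still running on permissions granted before a group mapping or default role change, the following sketch compares login times with change times. It is an added example, not Palo Alto Networks code. The record layout, the user and group names, and the 8-hour maximum session length are constructed assumptions, not a Cortex XSIAM export or API.

```python
from datetime import datetime, timedelta

# Assumption: copy this value from your Session Security Settings.
MAX_SESSION_LENGTH = timedelta(hours=8)
DEFAULT_ROLE = "<default role>"  # marks sessions that got the default role

# Constructed sample records (not a Cortex XSIAM export or API format).
SESSIONS = [
    {"user": "alice", "login": datetime(2024, 5, 1, 8, 0), "via": {"soc-admins"}},
    {"user": "bob", "login": datetime(2024, 5, 1, 9, 30), "via": {"soc-analysts"}},
    {"user": "carol", "login": datetime(2024, 5, 1, 1, 0), "via": {"soc-admins"}},
    {"user": "dave", "login": datetime(2024, 5, 1, 10, 30), "via": {DEFAULT_ROLE}},
]
# Constructed change log: when a group mapping or the default role was edited.
CHANGES = [
    {"at": datetime(2024, 5, 1, 10, 0), "target": "soc-admins"},
    {"at": datetime(2024, 5, 1, 10, 45), "target": DEFAULT_ROLE},
]

def stale_sessions(sessions, changes, now, max_len=MAX_SESSION_LENGTH):
    """List sessions still running on permissions granted before a change."""
    stale = []
    for s in sessions:
        expires = s["login"] + max_len
        if expires <= now:
            continue  # session is over; the next sign-in uses the new settings
        # Changes that touched this session's permission source after login.
        hits = [c["at"] for c in changes
                if c["target"] in s["via"] and s["login"] < c["at"] <= now]
        if hits:
            stale.append({"user": s["user"],
                          "changed_at": min(hits),
                          "old_permissions_until": expires})
    return stale

if __name__ == "__main__":
    for row in stale_sessions(SESSIONS, CHANGES, now=datetime(2024, 5, 1, 11, 0)):
        print(row)
```

Each returned row names a user whose session keeps its login-time permissions until the listed time.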