User permissions - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Documentation

Cortex XSIAM
Creation date
Last date published
Administrator Guide

You can assign users to the investigation for them to view and manage the investigation.

The Permissions table appears only when Scope-Based Access Control (SBAC) is enabled. Go to Server SettingsScoped Server Access to enable investigation permissions.

Users with account administrator or instance administrator roles have access to investigations and can't be cleared from the Permissions table. They can view and edit all Investigations, including adding/removing users, creating/deleting collections, closing the Investigation. This prevents investigation lockout in the event of a user leaving before the Investigation is complete.

When SBAC is enabled, you can limit access to selected users with other assigned roles, and assign them permissions to the investigation.

If SBAC is disabled, the permissions is limited to role-based access (RBAC), so anyone with forensic investigator or forensics viewer access will be able to see the investigations.


Even if a user does not have access to view an investigation via the Forensics Investigations page, they can still query the results of the collections via an XQL event.

The Permissions fields describe the following information:



User Name

Name of the user as logged in the SettingsAccess ManagementUsers.


The user's email as logged in the SettingsAccess ManagementUsers.

User Type

Indicates whether the user was defined in Cortex XSIAM using the CSP (Customer Support Portal), SSO (single sign-on) using your organization’s IdP, or both CSP/SSO.


Name of the role assigned specifically to the user that is not inherited from somewhere else, such as a User Group. When the user does not have any Cortex XSIAM access permissions that are assigned specifically to them, the field displays No-Role.


Options are None, View, View/Edit