Role-based Permission Levels - Administrator Guide - EoL - 6.10 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR Administrator Guide

Cortex XSOAR
Creation date
Last date published
Administrator Guide
End of Life > EoL

RBAC permission levels for Cortex XSOAR components, including investigations, jobs, scripts, playbooks, and settings. Category permission levels for user roles.

When editing rule based control (RBAC) permission levels or creating new roles you can set permission levels to the following Cortex XSOAR components:



Account Management (Multi-tenant)

Enables you to configure and manage the multi-tenant deployment, such as add/delete a host, change hosts, move to HA group, etc.

If you have read or read/write permissions, you can select whether the role can sync content to tenant accounts.Sync Content to Tenant Accounts


Sets the permission level generally for data related to investigations. When Read/Write is selected, you can define the following:

  • Granular data permissions

    • Execute potential harmful actions - allows executing integration commands that are marked as Potentially Harmful in the integration code/settings. You would be able to run this from the XSOAR CLI. Playbook tasks that use these commands would not be affected, as they are run by the DBot user as part of playbook execution.

    • Edit incident properties - allows editing an Incident's fields from the layout or via the Actions menu.

    • Change incident status - allows editing an incident's status, which includes Closing an Incident, or investigating an Incident which is in the Pending status.

    • Delete incident - allows deleting incidents. We recommend only granting this permission to the default Admin or select Administrators.

    • Manage incident Work Plan- allows interacting with the Playbook on the Incident.

    • Edit indicators- allows editing indicators either from the Threat Intel pane, or when viewing the Indicator via it’s full layout or quick view tab.

  • Incident table actions. Limit table actions in the Incidents page, such as delete, edit, close, etc.


If you want to enable chat in the War Room, but exclude permissions for everything else, you should give the role read/write permissions under Data but remove all other granular data permissions. Also remove permissions in Integrations (under Settings). This leaves the role with access to chat only.

Exclusion List

Limits permissions when editing, creating, or deleting an indicator in an exclusion list.


Limits permissions for managing jobs. Roles that have read permissions to content items, retain partial read access. If you do not want to retain partial read access, set the permission to none.


Limits permissions for managing scripts. If the role has read/write permissions, you can enable user roles to create scripts that run as a Super User.


When creating a script, permissions for scripts are determined by the Run as and Role fields in the automation settings. Run as determines the permissions with which the automation runs. Role determines who the automation can be seen and executed by. For more information, see Automation Permissions.

In the Script page, you can define which roles are permitted to run an automation, and according to which role the automation executes.


User roles with scripts permissions (write) can create/edit/delete scripts and access credentials data. Users with such roles should have a higher level of trust in the organization.


Limits permissions for creating, editing and deleting Playbooks.

You can also add, change, and remove roles from a playbook when clicking Settings in the Playbooks page.


You can set the permission level generally for all settings or split them according to the following:

  • Users: Includes invitations and editing permissions.

  • Integrations: Whether a role can add, edit or delete instances. Roles that have read permissions for content items, retain partial read access. If you do not want to retain partial read access, set the permission to none.


    User roles with integration permissions (write) can create/edit/delete integrations and access credentials data. Users with such roles should have a higher level of trust in the organization.

  • API Keys: Whether a role can create/delete API keys, or has read permission.


    • API Key Read + Admin Read: Users can only view their own API keys (a key is attached to the generating user). Users can delete them even if they have read access, but cannot create new ones.

    • API Key Read/Write + Admin Read: Users can only view their own API keys and can create and delete their own keys.

    • API Key Read + Admin Read/Write: Users can see all the keys in the system but delete only their keys. They are not be able to create new ones.

  • Credentials: Whether a role can add, edit, or delete credentials.


Limits permissions for server configurations, editing layouts for indicators and incidents, integration permissions, audit trails and the password policy.

Propagation labels (Multi-tenant)

Enables you to do the following:

Read: Enables you to select from existing propagation labels.Manage Content Overview

Read/Write: Enables you to create new and select from existing propagation labels


View Marketplace: Enables you to view the Marketplace.

Install Content Pack: install, upgrade, downgrade, and delete Content Pack content.

Contribute to Marketplace: Enables you to contribute a Content Pack in the Contributions tab or generally.

Page Access

Select the pages you want the user to have access to.

Default Dashboards

Select the default dashboards for each role. If a user has not modified their dashboard, these dashboards are added automatically, otherwise users can add these dashboards to their existing dashboards.

Pre-set Role Queries

Select the Pre-set Query per Role for each of the available components.

Role Permission Example

In the following example, the user can chat in the War Room, create widgets, create incidents, and set context entries with the !Set command. In addition, the user can view incidents, scripts, and playbooks. The user cannot create indicators.