Limit access to investigations using Role-based Access Control in Cortex XSOAR. Assign a specific role to an incident or assign a role with read-only permission.
You can limit access to the investigations using RBAC by either assigning a specific role to the incident (read and write access to the investigation) or by assigning a role with read only permission. This procedure uses the incident_set
command to limit investigation permissions but you can also add the Role
and XSOAR Read Only rules fields to the Incident Summary page when customizing incident layouts. You can also add these columns to the Incidents table in the Incidents page.
In the Incident page, select the incident you want to restrict access.
Restrict the incident to a role.
In the CLI, type the following command:
/incident_set roles=
<select role>
To check that the role was assigned to the incident, click the War Room tab.
Restrict the incident to a read-only role.
In the CLI, type the following command:
!setIncident xsoarReadOnlyRoles=
<select role>
To check that the role was assigned to the incident, click the War Room tab.
(Optional) For automations:
Use the
setIncident
command in a playbook.Specify the roles that you want to have access to the incident investigation.