Remove a User - Administrator Guide - EoL - 6.6 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR Administrator Guide

Cortex XSOAR
Creation date
Last date published
Administrator Guide
End of Life > EoL

Remove or disable users in Cortex XSOAR.

You can remove or disable a user in Cortex XSOAR. Users can be disabled if they might need access again at a later date; all user information is maintained for disabled users. Users should be permanently removed if they should no longer have access to the system.

If the user is assigned to incidents or tasks or is the owner of a dashboard, these assignments do not automatically change when the user is removed or disabled.


We recommend changing incident and task assignments manually before removing or disabling users.

After you remove or disable a user, any dashboards the user has created can only be deleted by the default admin via the API, using the dashboard ID. To get the dashboard ID, click on the gear icon on the relevant dashboard page, export the dashboard as a JSON file, and copy the dashboard ID from the file. Send a request to /dashboards/:id route. For example, DELETE /dashboards/9dd50ef1-8a2b-48a5-821e-8238a87e2bdc.

Any reports the user has created remain available. Reports are not owned by specific users and can be edited or deleted by other users.


When you remove a user, the user’s API keys are revoked and can no longer be used. When a user is disabled, the user’s API keys are not revoked.

  1. Reassign incidents and tasks.

    1. Go to the Incidents page and search for -status:closed owner:user_name to find any incidents the user is assigned to. Reassign any open incidents to another user.

    2. Go to the Incidents page and search for -status:closed investigation.users:user_name. Reassign tasks to another user.

      When a user is assigned a task in an incident, the user is added to the incident. This search finds all incidents where the user is a participant.

  2. Disable/Remove the user.

    1. Go to Settings Users and RolesUsers.

    2. Select the user you want to disable/remove.

      If the user is a Default Admin user, you need to select Roles and then deselect Set as Default Admin.

    3. Click Disable or Remove.

    4. Confirm that you want to disable/remove the user.