Remove or disable users in Cortex XSOAR.
You can remove or disable a user in Cortex XSOAR. Users can be disabled if they might need access again at a later date; all user information is maintained for disabled users. Users should be permanently removed if they should no longer have access to the system.
If the user is assigned to incidents or tasks or is the owner of a dashboard, these assignments do not automatically change when the user is removed or disabled.
Tip
We recommend changing incident and task assignments manually before removing or disabling users.
After you remove or disable a user, any dashboards the user has created can only be deleted by the default admin via the API, using the dashboard ID. To get the dashboard ID, click the gear icon on the relevant dashboard page, export the dashboard as a JSON file, and copy the dashboard ID from the file. Send a request to the /dashboards/:id route. For example, DELETE /dashboards/9dd50ef1-8a2b-48a5-821e-8238a87e2bdc.
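The following is an added example, not code from the Cortex XSOAR documentation: it reads the dashboard ID from an exported dashboard file and builds the DELETE /dashboards/:id request without sending it. The top-level "id" field name, the API key being passed in the Authorization header, the host xsoar.example.com, and the function names are assumptions made for illustration.

```python
import json
import urllib.request
from urllib.parse import quote


def dashboard_id_from_export(export_text: str) -> str:
    """Return the dashboard ID from an exported dashboard JSON document."""
    data = json.loads(export_text)
    # Assumption: the export stores the ID in a top-level "id" field.
    dash_id = data.get("id") if isinstance(data, dict) else None
    if not isinstance(dash_id, str) or not dash_id.strip():
        raise ValueError("no dashboard ID found in export")
    return dash_id.strip()


def build_delete_request(base_url: str, api_key: str, dash_id: str) -> urllib.request.Request:
    """Build (but do not send) DELETE /dashboards/:id for the default admin."""
    # Refuse plain HTTP so the default admin's API key is never sent in cleartext.
    if not base_url.lower().startswith("https://"):
        raise ValueError("base URL must use https")
    # Encode the ID as a single path segment so it cannot change the route.
    url = f"{base_url.rstrip('/')}/dashboards/{quote(dash_id, safe='')}"
    # Assumption: the API key is passed in the Authorization header.
    headers = {"Authorization": api_key, "Accept": "application/json"}
    return urllib.request.Request(url, method="DELETE", headers=headers)


# Constructed sample export; the ID is the one used in the example above.
SAMPLE_EXPORT = (
    '{"id": "9dd50ef1-8a2b-48a5-821e-8238a87e2bdc",'
    ' "name": "Former analyst dashboard"}'
)

if __name__ == "__main__":
    request = build_delete_request(
        "https://xsoar.example.com",   # placeholder host
        "PLACEHOLDER_API_KEY",         # default admin's API key
        dashboard_id_from_export(SAMPLE_EXPORT),
    )
    print(request.get_method(), request.full_url)
    # Review the printed route, then send it with urllib.request.urlopen(request).
```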
Any reports the user has created remain available. Reports are not owned by specific users and can be edited or deleted by other users.
Note
When you remove a user, the user’s API keys are revoked and can no longer be used. When a user is disabled, the user’s API keys are not revoked.
Reassign incidents and tasks.
Go to the Incidents page and search for -status:closed owner:user_name to find any incidents the user is assigned to. Reassign any open incidents to another user.
Go to the Incidents page and search for -status:closed investigation.users:user_name. Reassign tasks to another user.
When a user is assigned a task in an incident, the user is added to the incident. This search finds all incidents where the user is a participant.
Disable/Remove the user.
Go to → → .
Select the user you want to disable/remove.
If the user is a Default Admin user, you need to select Roles and then deselect Set as Default Admin.
Click or .
Confirm that you want to disable/remove the user.