Self-Service Read-Only Users

Cortex XSOAR Administrator Guide

Product: Cortex XSOAR
Version: 6.6
Creation date: 2022-09-29
Last date published: 2024-07-30
End_of_Life: EoL
Category: Administrator Guide
Abstract

The self-service read-only users feature gives users without an account the option to view limited data and create incidents in Cortex XSOAR.

The self-service read-only users feature gives users who do not have an account and at least one role mapped in Cortex XSOAR the ability to access Cortex XSOAR in a very limited capacity.

Self-service read-only users can:

  • create incidents

  • view their own incidents

  • add notes and attachments to their incidents

  • view the dashboards created for them by the administrator

For example, a self-service read-only user could create an incident to report that they lost their laptop.

Self-service read-only users can only view their own data. They cannot:

  • start an investigation

  • create dashboards or reports

  • change anything in incidents they create

To create notes, the self-service read-only user must select the Mark as a note option.

It is recommended, but not required, that self-service read-only users have an existing account in the company’s enterprise directory, and that Cortex XSOAR is configured to authenticate and authorize read-only users against the same enterprise directory using the LDAP, AD, or SAML authentication protocols.

A user is considered a self-service read-only user if no role is associated with the user in the Cortex XSOAR users settings.

To enable the self-service read-only user feature, Cortex XSOAR administrators need to:

  • Set server configuration parameters to:

    • Allow authenticated users without roles to access the home page.

    • Define the list of dashboards such users have access to.

  • Create self-service read-only incident types. Since self-service read-only users cannot initiate an investigation, the playbooks associated with these incident types should run automatically.

  • Create self-service read-only users if no enterprise directory is configured with Cortex XSOAR.

  • Create incident layouts for self-service read-only users and allow self-service read-only users to access the incidents tabs containing such layouts.

  • Create and share dashboards for self-service read-only users.