Roles in Cortex XSOAR - Administrator Guide - 6.9 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR Administrator Guide

Product
Cortex XSOAR
Version
6.9
Creation date
2022-09-29
Last date published
2024-12-04
End_of_Life
EoL
Category
Administrator Guide
Abstract

The default admin is the super user role in XSOAR. Administrator, Analyst, and Read-Only roles are defined by the read-write level of access to XSOAR components.

A role is a set of permissions that determine which actions and resources users within that role are granted access in Cortex XSOAR. Users are assigned to at least one role, depending on their required level of access.

You can add as many roles as you require, by clicking New. To create a new role, see define a role. Follow the same steps when editing a role. When defining a new role, you can add permissions, SAML and AD Roles, define shift periods and so on.

Cortex XSOAR has the following assigned roles:

Role

Default Permissions

Administrator

Read/Write permissions for all components and access to all pages.

Default Administrators have the same permissions as administrators with a few additional permissions such as view audit log incidents. Default administrators are usually used for troubleshooting.

Analyst

Mix of Read and Read/Write permissions for all components and access to all pages.

Read-Only

Read permissions for all components and access to all pages.

Permissions

You can assign the following permissions to various components in Cortex XSOAR:

Permission

Description

None

No access to the specified component.

Read

Can view but not edit the specified component.

Read/Write

Can view and edit the specified component.

Permission Levels

You can set permission levels for each component, such as incidents, indicators, jobs, scripts, etc. For more information, see Role-based Permission Levels.

If you want to manage shift periods for users, including who is on call and to whom to assign, you can define a role for a specific shift period and then assign that shift to a user.

Default Administrator

Default administrators are usually used for troubleshooting, they are not counted as license users, cannot be deleted, and are also tenant administrators.

The default administrator can view all incidents (including those that are marked as restricted) and view modifications to restricted incidents in the Audit Trail. To prevent the default administrator from viewing these restricted incidents, set the incident.restrict.default.admin property to true.

The following table describes the administrator and default administrator permissions:

Component

Permission

Users and Roles

  • Change the role of users

  • View all users' invitations

  • View all users

  • Enable/disable other users

API Keys

  • Revoke all API keys

  • Create/update API keys for other users

Incidents

  • Change any incident field

  • Edit and view any incident

(Default Administrator)

  • View the audit log of any incident.

  • View any incident (without being part of the incident's team).

Integrations

(Default Administrator) Trigger the integration fetch command.

Dashboards

  • Unshare

  • Delete

  • Set default dashboards

Automation

Run all automations.

Playbooks

  • Change playbook task assignees and complete an task

  • View all scripts/playbooks/all data

Multi-Tenant

View all tenant accounts.

File Entries

(Default Administrator) Delete file entries from the file system

You can Set the User as Default Administrator and Change the Default Administrator to a SAML User.