Create user groups and roles, manage users in the main tenant, and authenticate users using SAML 2.0 in a multi-tenant deployment.
Before setting up users and roles in Cortex XSOAR multi-tenant, the child tenants should be paired with the main tenant. If the child tenant is not paired with the main tenant, the users and roles are not added to the child tenant.
The users and roles of the child tenant are inherited from the user group set up in the main tenant. In the user group from the main tenant, the Available Tenants include the list of child tenants that are paired with the main tenant.
Note
Users, roles and user groups are synced from the main tenant to the child tenants every 3 minutes.
Task 1. Create users
When you create users in the main tenant, a user gains access to a child tenant only after that child tenant is selected in a user group in which the user is defined.
Note
The child tenant cannot update or delete the user that was inherited from the main tenant.
When logging into the child tenant with user credentials defined in the main tenant, the child tenant cannot update the password in → from the User Details page.
Repeat the steps to create users in the child tenant.
Important
The users created in the child tenant can only access the child tenant they were created in.
On the main tenant, select → → → → .
Important
Users can only access the child tenants after being added to a user group that includes the child tenants.
In the Send Invitation section, select one of the following:
Manually enter users
Add the email address and first and last names.
Add the user.
Repeat the above steps for any other users you want to add, if they have the same role, user group, or no role.
(Optional) Select the Role and User Group, if relevant.
You cannot select different roles and user groups for multiple users.
Note
Users created on a child tenant can’t be assigned to a user group or role that was set up in the main tenant.
Invite the users.
Upload a file
(Optional) Download the example file.
Add the users' details to the file and upload it.
Note
The file must be in a CSV format.
At least one row must exist, including the email address and the first and last names.
You cannot select different roles and user groups for each user. If you want different roles and user groups for each set of users, upload separate files.
(Optional) Select the role and User Group.
Invite the users.
If you want to invite additional users, repeat these steps.
If you have set up a mail integration, users receive a link to access Cortex XSOAR. When accessing the link, users need to set a password and can then log in.
If you have not already done so, assign roles and user groups to the users.
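The upload flow above accepts one role and user group per file, so a bulk invitation has to be split into one CSV per role/user group combination. The following script, added here as an example (not Palo Alto Networks code; the column names are an assumption, take the real header from the example file on the Users page), validates each record against the stated requirements and writes one CSV text per combination:

```python
# Added example, not Palo Alto Networks code. Enforces what the page states:
# every row needs an email and first and last names, and one upload carries a
# single role/user group, so differing combinations go to separate files.
import csv
import io
import re
from collections import defaultdict

COLUMNS = ["email", "first_name", "last_name"]      # assumed header names
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")  # coarse sanity check

def validate_user(row):
    """Return the problems found in one user record (empty if valid)."""
    problems = [f"missing {c}" for c in COLUMNS
                if not str(row.get(c, "")).strip()]
    if row.get("email") and not EMAIL_RE.match(row["email"].strip()):
        problems.append("malformed email")
    return problems

def split_uploads(users):
    """Bucket users by (role, user_group) and render one CSV per bucket.

    Returns ({(role, user_group): csv_text}, {email: [problems]}); invalid
    rows are left out so one bad row does not block the whole batch.
    """
    buckets, rejected = defaultdict(list), {}
    for u in users:
        problems = validate_user(u)
        if problems:
            rejected[u.get("email") or "(no email)"] = problems
            continue
        buckets[(u.get("role", ""), u.get("user_group", ""))].append(u)
    files = {}
    for key, rows in buckets.items():
        buf = io.StringIO()
        writer = csv.DictWriter(buf, fieldnames=COLUMNS, extrasaction="ignore")
        writer.writeheader()
        writer.writerows(rows)   # role/user_group are not written to the CSV
        files[key] = buf.getvalue()
    return files, rejected

SAMPLE_USERS = [  # constructed sample input; role/user group chosen in the UI
    {"email": "ana@example.com", "first_name": "Ana", "last_name": "Lopez",
     "role": "Tier-1 Analyst", "user_group": "SOC Tier 1"},
    {"email": "ben@example.com", "first_name": "Ben", "last_name": "Kim",
     "role": "Tier-2 Analyst", "user_group": "SOC Tier 2"},
    {"email": "cara@example.com", "first_name": "Cara", "last_name": "Nwosu",
     "role": "Tier-1 Analyst", "user_group": "SOC Tier 1"},
    {"email": "not-an-email", "first_name": "Dan", "last_name": "",
     "role": "Tier-1 Analyst", "user_group": "SOC Tier 1"},
]
```

Each value in the returned dictionary is one file to upload, with the matching role and user group selected in the UI for that upload.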
Task 2. Create roles
When you create roles in the main tenant, a role is activated in a child tenant only after that child tenant is selected in a user group in which the role is defined.
Note
The child tenant cannot update or delete the role that was inherited from the main tenant.
The main tenant and the child tenant cannot define the same roles. Each role must be unique.
Repeat the steps to create roles in the child tenant.
Important
The roles created in the child tenant are only accessible from the child tenant they were created in.
In the main tenant, select → → → → .
Tip
We recommend making a copy of out-of-the-box roles and editing the copies, rather than creating new roles, to avoid missing any important permissions.
Add the Role name and a meaningful Description.
In the Components tab, add the permissions as required. For more information, see Role-based permissions.
In the Advanced tab, do the following:
Define dashboards
Define preset role queries
Set up shift management
Save the role.
You can create user groups and add roles to them (recommended), assign roles directly to users after they have been added, or both.
Task 3. Create a user group
Users are assigned roles and permissions either by being assigned a role directly or by being assigned membership in one or more user groups. A user group can only be assigned a single role, but users can be added to multiple groups if they require multiple roles. You can also nest groups to achieve the same effect. Users who have multiple roles through either method receive the highest level of access based on the combination of their roles.
On the User Groups page, you can create a new user group for several different system users or groups. You can see information including the details of all user groups, the roles, nested groups, IdP groups (SAML), and when the group was created/updated.
You can also right-click in the table to edit, save as a new group, remove (delete) a group, and copy text to the clipboard.
Go to → → → .
Important
In order for users in the Main Tenant to access the child tenants, they need to be assigned a user group that has access to the child tenant.
User groups created on the Main Tenant cannot be edited or deleted from the child tenants.
To create a new user group for several different system users or groups, click New Group, and add the following parameters:
Parameter
Description
Name
Name of the user group.
Description
Description of the user group.
Role
Select the group role associated with this user group. You can only have a single role designated per group.
Users
Select the users you want to belong to this user group.
Note
If users have been created locally but you want them to access the tenant through SSO only, skip this field and add only the SAML group mapping after SSO is set up. Otherwise, users can access the tenant both with their username and password and through SSO.
If you have not yet created any users, skip this field and add them later. See Set up authentication.
Nested Groups
Lists any nested groups associated with this user group. If you have an existing group you can add a nested group.
User groups can include multiple users and nested groups, which inherit the permissions of parent user groups. The user group will have the highest level of permission.
For example:
Group A has Tier-1 Analyst permissions
Group B has Tier-2 Analyst permissions
If you add Group A as a nested group in Group B, Group A inherits Group B's permissions (Tier-1 and Tier-2 permissions).
In Cortex Gateway, you can only add user groups that are created in Cortex Gateway.
SAML Group Mapping
(Relevant when creating a user group in the Cortex XSOAR tenant only).
Maps the SAML group membership to this user group. For example, if you have defined a Cortex XSOAR Admins group, you need to name this group exactly as it appears in Okta. You can add multiple groups by separating them with a comma.
Note
When using Azure AD for SSO, the SAML group mapping needs to be provided using the group object ID (GUID) and not the group name.
If you have not set up SSO in your tenant, skip this field and add it later. After you have added it, follow the procedure relevant to your IdP. For example, see Task 6. Map SAML Group Memberships to Cortex XSOAR User Groups.
Available Tenants
(Only available in Main Tenant)
Displays the list of child tenants that are paired with the main tenant.
Users and roles are updated in a child tenant from the main tenant only when the user group includes that child tenant together with the role and users defined in the main tenant.
Note
User groups created on the Main Tenant cannot be edited or deleted from the child tenants.
Create a new user group.
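To make the access rules in this task concrete (one role per group, nested groups inheriting the parent's permissions, roles combining to the highest access, child-tenant access only through a group that lists the tenant, and exact matching of SAML group mapping tokens), here is an added model of how a user's effective access resolves. It is example code, not Palo Alto Networks code; the class, field and permission names are assumptions, and it treats tenant access as coming from the groups a user is assigned to, since the page only states that nested groups inherit permissions.

```python
# Added example (not Palo Alto Networks code). Models this page's rules: one
# role per group, a nested group inherits its parent's permissions, roles
# combine to the highest access (union), SAML mapping tokens match exactly.
from dataclasses import dataclass, field

ROLES = {  # constructed: role name -> permissions it grants
    "Tier-1 Analyst": frozenset({"incidents:read"}),
    "Tier-2 Analyst": frozenset({"incidents:read", "incidents:edit"}),
}

@dataclass
class UserGroup:
    name: str
    role: str                                     # exactly one role
    users: set = field(default_factory=set)
    nested_in: set = field(default_factory=set)   # parent group names
    saml_mapping: str = ""                        # comma-separated tokens
    available_tenants: set = field(default_factory=set)

def saml_groups(group):
    """Tokens of the SAML Group Mapping field (Azure AD: object IDs)."""
    return {t.strip() for t in group.saml_mapping.split(",") if t.strip()}

def member_groups(groups, user, idp_groups=()):
    """Groups the user is in directly or via groups asserted by the IdP."""
    return {g.name for g in groups.values()
            if user in g.users or saml_groups(g) & set(idp_groups)}

def effective_access(groups, user, direct_role=None, idp_groups=()):
    """Return (permissions, child tenants) the user ends up with."""
    members = member_groups(groups, user, idp_groups)
    perms = set(ROLES.get(direct_role, ()))
    # Assumption: tenants come from membership groups only; the page only
    # states that nested groups inherit permissions.
    tenants = {t for m in members for t in groups[m].available_tenants}
    todo, seen = list(members), set()
    while todo:  # walk up through parent groups; seen-set guards cycles
        name = todo.pop()
        if name in seen or name not in groups:
            continue
        seen.add(name)
        perms |= ROLES[groups[name].role]
        todo.extend(groups[name].nested_in)
    return perms, tenants

GROUPS = {  # constructed sample mirroring the page's Group A / Group B
    "Group B": UserGroup("Group B", "Tier-2 Analyst", users={"bob"},
                         available_tenants={"child-eu"}),
    "Group A": UserGroup("Group A", "Tier-1 Analyst", users={"alice"},
                         nested_in={"Group B"}, available_tenants={"child-us"},
                         saml_mapping="Cortex XSOAR Admins, SOC-Tier1"),
}
```

Note that alice, who is only in Group A, ends up with both Tier-1 and Tier-2 permissions because Group A is nested in Group B, and that an IdP group name differing only in case does not match the mapping.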