User management - Administrator Guide - 8.5 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR On-prem Documentation

Product
Cortex XSOAR
Version
8.5
Creation date
2024-03-10
Last date published
2025-02-16
Category
Administrator Guide
Solution
On-prem
Abstract

Invite users to the platform and set user roles and user groups in Cortex XSOAR On-prem.

To access Cortex XSOAR, users must either be added to Cortex XSOAR locally or via SSO. When logging into Cortex XSOAR users must have an assigned role. If no role is assigned either directly or via a user group, users can log in but can't access the tenant.

On the Users page, you can view user information, such as user type, role, and user groups.

User information

Name

Description

User Type

Indicates whether the user was Local (added in Cortex XSOAR), SSO (single sign-on) using your organization’s IdP, or both Local/SSO.

For information about enabling SSO in Cortex XSOAR, see Authenticate users using SSO.

Direct Role

Name of the role assigned to the user (not inherited from elsewhere, such as a User Group).

Groups

Lists the user groups to which a user belongs.

Any group imported from Active Directory has the letters AD added beside the group name.

If a user is assigned to multiple user groups, which are mapped to different roles, or if the user is assigned to nested user groups, the user has the highest level of privileges based on the combination of roles.

Group Roles

Lists the different group roles based on the groups to which the user belongs. When you hover over the group role, the group associated with this role is displayed.

Last Login Time

Last date and time the user accessed Cortex XSOAR.

Status

Displays whether the user is Active or Inactive

Phone number

Displays the user's phone number. Including the user's phone number enables playbooks and scripts to trigger direct analyst communication by phone.

To add users locally (not SSO), you can either send an invitation to users by adding their details manually or by uploading a CSV file with multiple users. See Create users in Cortex XSOAR.

You can update user roles for one or multiple users. You can add/update the following user roles:

  • Pre-Defined roles: Instance Administrator and Account Admin.

  • Custom roles: Includes out-of-the-box roles and roles.

Note

To update the permissions attributable to each role, you need to change them in the Roles tab.

  1. Go to Settings & InfoSettingsAccess ManagementUsers, and do one of the following:

    • To edit one user, right-click the user's name and select Edit Users Permissions.

    • To edit multiple users, select multiple users, right-click, and select Edit Users Permissions.

  2. In the Role field, select one of the pre-defined or custom roles.

  3. Add User Groups if required.

  4. Save the user role.

Note

If no role is assigned either directly or via a user group, users do not have view or edit permissions in Cortex XSOAR.

The Show Accumulated Permissions field shows the roles and user groups assigned to the user. You can also select the specific roles assigned to the user, which enables you to compare available permissions based on the roles selected. This can help you understand how the role permissions for a particular user are built. For example, if you need to isolate a specific component, the permissions are provided by a particular role or user group.

If a user has a role in the tenant (besides Account Admin), you can remove their user permission to access the tenant. If no direct or user group role has been assigned, the user has no permission to view or edit data in Cortex XSOAR.

  1. In the Users tab, right-click the user's name and select Remove User Role.

  2. Confirm that you want to Remove the user role.

If the user's account has been locked, for example, due to too many login attempts, you can unlock the user.

Note

The user has up to 10 attempts to log in before being locked. In any event, the user will be unlocked after 15 minutes.

  1. Go to Settings & InfoSettingsAccess ManagementUsers and select the user.

  2. Right-click the user and then select Unlock.

    The user's status changes to Active.

Users should be deactivated to temporarily remove user access to Cortex XSOAR. All user information is maintained for deactivated users. Users should be permanently removed if they no longer need access to Cortex XSOAR.

Note

You cannot deactivate or delete a user that has an Account Admin role.

If the user is assigned to incidents or tasks or is the owner of a dashboard, these assignments do not automatically change when the user is removed or deactivated. We recommend changing incident and task assignments manually before removing or deactivating users.

Any reports the user has created remain available. Reports are not owned by specific users and can be edited or deleted by other users.

Note

When you remove a role, the role associated with the API keys is deleted.

  • If more than one role was associated with the API key, a yellow warning symbol appears next to the API key in the API key table. When you hover over the symbol, a message indicates that some of the roles associated with the API key have been deleted.

  • If all roles associated with the API key are removed, a red warning symbol appears next to the API key in the API key table. When you hover over that symbol, a message indicates that the key is no longer usable because it does not have a role associated with it. The API key is still visible in the API table but it cannot be assigned.

When a user is deactivated, the API keys that the user created are not revoked.

Before you begin:

  • Reassign open incidents to another user.

    Go to the Incidents page and search for -status:closed owner:user_name to find any incidents the user is assigned and reassign.

  • Reassign tasks to another user.

    Go to the Incidents page and search for -status:closed investigation.users:user_name and reassign.

    When a user is assigned a task in an incident, the user is added to the incident. This search finds all incidents where the user is a participant.

How to deactivate users
  1. Go to Settings & InfoSettingsAccess ManagementUsers and select the user.

  2. Right-click the user and then select Deactivate User and then Deactivate to confirm.

In Cortex XSOAR, you can permanently remove a user, or temporarily disable a user. Users should be permanently removed if they no longer need access to the system.

Note

You cannot deactivate or delete a user that has an Account Admin role.

When you delete users, all their personal information is deleted, including email addresses, usernames, phone numbers, and first and last names.

Before you begin:

  • Reassign open incidents to another user.

    Go to the Incidents page and search for -status:closed owner:user_name to find any incidents the user is assigned and reassign.

  • Reassign tasks to another user.

    Go to the Incidents page and search for -status:closed investigation.users:user_name and reassign.

    When a user is assigned a task in an incident, the user is added to the incident. This search finds all incidents where the user is a participant.

How to delete users
  1. Go to Settings & InfoSettingsAccess ManagementUsers and select the user.

  2. Right-click the user and then select Delete User and then Delete to confirm.

Note

You can also delete a Single Sign-on (SSO) user. This option is only available when you’ve enabled SSO in Cortex XSOAR.