Limit Access to Investigations using RBAC - Administrator Guide - 8 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR Administrator Guide

Product
Cortex XSOAR
Version
8
Creation date
2024-02-14
Last date published
2024-05-30
Category
Administrator Guide
Solution
Cloud
Abstract

Limit access to investigations using RBAC in Cortex XSOAR. Assign a specific role to an incident or assign a role with read only permission.

You can limit access to the investigations using RBAC by either assigning a specific role to the incident (read and write access to the investigation) or by assigning a role with read only permission. This procedure uses the incident_set command to limit investigation permissions but you can also add the Role and XSOAR Read Only rules fields to the Incident Summary page when customizing incident layouts. You can also add these columns to the Incidents table in the Incidents page.

  1. In the Incident page, select the incident you want to restrict access.

  2. Restrict the incident to a role.

    1. In the CLI, type the following command:

      /incident_set roles=<select role>

    2. To check that the role was assigned to the incident, click the War Room tab.

  3. Restrict the incident to a read-only role.

    1. In the CLI, type the following command:

      !setIncident xsoarReadOnlyRoles=<select role>

    2. To check that the role was assigned to the incident, click the War Room tab.

  4. (Optional) For scripts:

    • Use the setIncident command in a playbook.

    • Specify the roles that you want to have access to the incident investigation.