Manage Roles - Administrator Guide - 8 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR Administrator Guide

Cortex XSOAR
Creation date
Last date published
Administrator Guide

Understand and manage roles in Cortex XSOAR, including predefined roles - Instance Administrator, Analyst, and Read-Only.

A role is a set of permissions that determine which actions and resources users within that role are granted access to in Cortex XSOAR. Users are assigned to at least one role, depending on their required level of access.

In the Roles page, you can view the predefined and custom defined user roles. Use roles to assign specific view and action access privileges. The way you configure access depends on the security requirements of your organization. When clicking on the role, you can view the permissions that you have assigned to the role. If you right click on a role, you can do the following:

  • Copy the role by saving as a new role

  • Edit the role

  • Remove the role

  • Copy text to clipboard

  • Copy an entire row


If the role refers to being created by a Palo Alto Networks it is a predefined role.

When you create or edit a role, you can add permissions and permission levels, define shift periods, set default dashboards, etc.

Cortex XSOAR has the following predefined roles:


Default Permissions

Instance Administrator

View/Edit permissions for all components and access to all pages.

Instance Administrators have the same permissions as Account Admin. Account Admin is the role assigned in the CSP and has access to all Cortex XSOAR instances and not just limited to one Cortex XSOAR tenant.


Mix of View and View/Edit permissions for all components and access to all pages.


Read permissions for all components and access to all pages.

The predefined roles provide specific access rights that cannot be changed.


You can assign the following permissions to various components in Cortex XSOAR:




No access to the specified component.


Can view but not edit the specified component.


Can view and edit the specified component.

Permission Levels

You can set permission levels for each component, such as incidents, indicators, jobs, scripts, etc. For more information, see Role-based Permission Levels.