Manage users in the Cortex XSOAR tenant - Administrator Guide - 8 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR Cloud Documentation

Product
Cortex XSOAR
Version
8
Creation date
2024-03-07
Last date published
2024-11-14
Category
Administrator Guide
Solution
Cloud
Abstract

On the Users page, view user information, and edit users and their roles.

To access Cortex XSOAR users must be created in the Customer Support Portal (CSP) and added to the tenant or created via SSO. When logging into Cortex XSOAR users must have a direct role or user group role. If no role is assigned either directly or via a user group, they cannot view/edit any data when logging in.

Note

To remove users that were added to your CSP account, you need to do this in the CSP and not in the tenant or Cortex Gateway.

When right-clicking a user on the Users page, you can do the following:

  • Add/update the user role

  • Edit user permissions

    View the user's details. You can add a phone number, which enables playbooks and scripts to trigger direct analyst communication by phone.

  • Remove User Role

  • Hide the User

  • Deactivate User

  • Import user roles

You can update user roles for one or multiple users. You can add/update the following user roles:

  • Pre-Defined roles: Instance Administrator and Account Admin. If you want to remove the Account Admin role from a user you need to remove it in Cortex Gateway.

  • Custom roles: Includes out-of-the-box roles and roles created in Cortex Gateway or the tenant.

Note

To update the permissions attributable to each role, you need to change them in the Roles tab or Cortex Gateway.

If users have been created in the CSP, but you want them to access the tenant through SSO only, you should not assign a direct role. If you sign a direct role, users can access the tenant through both the CSP and SSO.

  1. Go to Settings & InfoSettingsAccess ManagementUsers, and do one of the following:

    • To edit one user, right-click the user's name and select Edit Users Permissions.

    • To edit multiple users, select multiple users, right-click, and select Edit Users Permissions.

  2. In the Role field, select one of the pre-defined or custom roles.

    • Pre-Defined Roles

    • Custom roles

    If no role is assigned either directly or via a user group, users do not have view or edit permissions in Cortex XSOAR.

    The Show Accumulated Permissions field shows the roles and user groups assigned to the user. You can also select the specific roles assigned to the user, which enables you to compare available permissions based on the roles selected. This can help you understand how the role permissions for a particular user are built. For example, if you need to isolate a specific component, the permissions are provided by a particular role or user group.

  3. Add User Groups if required.

  4. Save the user role.

Rather than assigning roles to each user, you can import multiple user roles to add users who have a Customer Support Portal account and assign them existing predefined or custom roles in Cortex XSOAR. On the Users page, when clicking Import Multiple User Roles, download the example file and replace the file contents with the data to upload. The following values must be included:

Parameter

Value

User email

The email address of the user belonging to the Customer Support Portal account that you want to import.

Role name

The name of the role that you want to assign to this user. The role must already be created in Cortex XSOAR.

Is an account role (default=false)

Determines whether the user role is created in Cortex Gateway or the tenant. If defined in Cortex Gateway, set the value to True, otherwise, the value is set to false (default).

If a user has a role in the tenant (not Account Admin), you can remove their user permission to access the tenant. If no direct or user group role has been assigned, the user role displays No Role, and has no permission to view or edit on Cortex XSOAR.

  1. In the Users tab, right-click the user's name and select Remove User Role.

  2. Confirm that you want to Remove the user role.

Users should be deactivated to temporarily remove user access to the Cortex XSOAR tenant. All user information is maintained for deactivated users. Users should be permanently removed from the CSP if they no longer need access to Cortex products. If you want to remove a user from the CSP, you need to reassign incidents and tasks to another user before removing them.

Note

You cannot deactivate a user that has an Account Admin role. If you want to deactivate users from all tenants, you need to deactivate them in Cortex Gateway.

The user will be deactivated in the tenant, but may still be active in other tenants. If you want to deactivate the tenant for multiple tenants, deactivate the user in Cortex Gateway.

If the user is assigned to incidents or tasks or is the owner of a dashboard, these assignments do not automatically change when the user is removed or deactivated. We recommend changing incident and task assignments manually before removing or deactivating users.

Any reports the user has created remain available. Reports are not owned by specific users and can be edited or deleted by other users.

Note

When you remove a role, the role associated with the API keys is deleted.

  • If more than one role was associated with the API key, a yellow warning symbol appears next to the API key in the API key table. When you hover over the symbol, a message indicates that some of the roles associated with the API key had been deleted.

  • If all roles associated with the API key are removed, a red warning symbol appears appears next to the API key in the API key table. When you hover over that symbol, a message indicates that the key is no longer usable because it does not have a role associated with it. The API key is still visible in the API table but it cannot be assigned.

When a user is deactivated, API keys that the user created are not revoked.

Before you deactivate a user:

  • Reassign open incidents to another user.

    Go to the Incidents page and search for -status:closed owner:user_name to find any incidents the user is assigned and reassign.

  • Reassign tasks to another user.

    Go to the Incidents page and search for -status:closed investigation.users:user_name and reassign.

    When a user is assigned a task in an incident, the user is added to the incident. This search finds all incidents where the user is a participant.

How to deactivate users
  1. From the Users page, right-click the user's name and select Deactivate User.

  2. In the dialog box, Deactivate the user.

Hides users from the user list in the tenant. This is useful when you have users who are not related to Cortex XSOAR and will not be designated with a Cortex XSOAR role, such as CSP Super Users, and you want to hide them from the list.

You cannot view the user or search for the user when hidden. To hide a user, select the name, right-click the user's name, and select Hide user. The user is no longer displayed when the table is configured to Hide Hidden users (default). To view the user, select ActionsShow Hidden users. If you want to remove the hidden designation, right-click the user's name and select Unhide user.