Access Management

Cortex® XDR™ enables you to manage roles for a specific tenant using the Access Management console.
You can manage roles for a specific tenant only using the Cortex® XDR™ Access Management console.
To create and assign roles, you must first activate your Cortex XDR tenant and be assigned an XDR Account Admin role in the Cortex XDR Gateway.
The Access Management console is divided into two subcategories, Users and Roles, which you can view on separate pages.
In the Users page, Cortex XDR lists all the users allocated to a specific tenant name. At the top of the page, you can perform the following actions.
  • Import Multiple User Roles as a CSV (Comma-separated values) file.
  • Show User Subset to display only the users who are not designated as a Hidden user (default).
  • View By Users (default) or Tenants.
The Users table provides different fields of information as detailed below.
  • User Name—Displays the first and last name of the user.
  • Email—Email address of the user.
  • XDR Role—Name of the role assigned to the user. When the user does not have any Cortex XDR access permission, the field displays No-Role.
  • Endpoint Scope—Displays the currently assigned Endpoint Scope for the user as either All Endpoints or Specific Groups.
  • Last Login Time—Last date and time the user accessed the tenant.
  • Status—Displays whether the user is Active or Inactive.
In the Roles page, Cortex XDR lists the Predefined User Roles for Cortex® XDR™ and custom defined roles. Use roles to assign specific view and action access privileges to administrative user accounts. The way you configure administrative access depends on the security requirements of your organization. The built-in roles provide specific access rights that cannot be changed. The roles you create provide more granular access control.
  • Role Name—Name of the role.
  • Created By—Displays either the email address of the user who created a custom role or, for predefined roles, one of the following options.
    • Palo Alto Networks—Predefined role granting user permissions in all tenants.
    • <user email address>—Custom role created in the gateway granting user permission to this tenant.
    • <user email address>—Custom role created in the Cortex XDR app granting user permission to this specific tenant.
  • Description—Description of the role.
  • Creation Time—Date and time when the role was created. The field is available only for a custom role.
  • Update Date—Date and time when the role was last updated. The field is available only for a custom role.
  • Custom—Displays a boolean value of either Yes or No to indicate whether the role is a custom role.
When creating a New Role or editing an existing role, you can manage roles for all Cortex XDR apps and services in the Components section of the Create Role window. By assigning roles, you enforce the separation of viewing access and initiating actions among functional or regional areas of your organization.
  1. Select Settings → Configurations → Access Management.
  2. Manage your Cortex XDR users and roles.
    Cortex XDR only displays the roles available on your tenant. To view the roles and permissions for multiple tenants, see Permission Management.
    In the Roles table, the following options are available to help you manage roles.
    • Create a custom role based on Cortex XDR Predefined roles.
      1. Locate the predefined role that you want to base your custom role on, right-click, and select Save As New Role.
      2. Specify a Role Name and update the Description.
      3. In the Components section, update the Views and Actions permissions you want the role to include.
      4. Create the role.
    • Create and save new roles based on granular permissions.
      1. Select New Role.
      2. Specify a Role Name and Description.
      3. In the Components section, select the Views and Actions permissions you want the role to include.
      4. Create the role.
    • Edit role permissions (only available for roles you create).
      1. Locate the custom role you want to edit, right-click, and select Edit Role.
      2. In the Components section of the Edit Role window, update the Views and Actions permissions you want the role to include.
      3. Edit the role.
  3. Assign roles to a Cortex XDR user.
    In the Users page, the following options are available to help you manage users. You can assign roles to one or more users at a time.
    • Update the user role for users with an existing role.
      1. Either hover over the user name and select the Update User Role icon, located to the right of the row, or right-click the user name and select Update User Role.
      2. Select a Role from the list of default and custom roles that you want to assign to the user and Update the role.
    • Deactivate a user.
      Locate the user you want to deactivate, right-click, and select Deactivate User.
      You cannot deactivate a user that has a CSP Super User or Account Admin role.
    • Remove a role assigned to a user.
      1. Locate the user you want to remove the role from, right-click, and select Remove Role.
      2. Click Remove.
        You cannot remove a user that has a CSP Super User or Account Admin role.
    • Designate a user as hidden.
      Locate the user you want to hide, right-click, and select Hide User. When a user is designated as hidden, the user is no longer displayed in the Users table when the table is configured to Show User Subset (default configuration). This is useful, for example, when you have users who are not related to Cortex XDR and will not be designated with a Cortex XDR role, such as CSP Super Users, and you want to hide them from the list.
    • Copy text to clipboard to copy text from a specific row field in the row of a user.
    • Copy entire row to copy the text from all the fields in a row of a user.
