Manage User Scope

Cortex XDR supports the scoping of users to particular endpoint groups.
With Scope-Based Access Control (SBAC), Cortex XDR enables you to assign users to specific endpoint groups in your organization. By default, all users have management access to all endpoints in the tenant. However, after you (as an administrator) assign a management scope to a Cortex XDR user (non-administrator), that user is then able to manage only the specific endpoints that are predefined within that scope.
SBAC applies only to the following functional areas in Cortex XDR.
  • Endpoint Administration table—View endpoints and take actions on endpoints.
  • Policy Management—Create and edit Prevention policies and profiles, Extension policies and profiles, and global and device Exceptions that are within the scope of the user.
  • Action Center—View and take actions only on endpoints that are within the scope of the user.
  • Dashboards and Reports—Scoping takes place only on agent-related widgets.
Important: The rest of the functional areas and their permissions in Cortex XDR do not support SBAC. Accordingly, if these permissions are granted to a scoped user, the user will be able to access all endpoints in the tenant within that functional area. For example, a scoped user with permission to view incidents can view all incidents in the system, without limitation to a scope, but will not be able to create an alert or device exception.
Also note that the Agent Installation widget is not available for scoped users.
To define the scope of a user:
  1. Select Settings → Configurations → Access Management → Users.
     The currently assigned scope of each user is displayed in the Endpoint Scope column of the Users table, which lists all registered users.
  2. Select and right-click the user or users to which you want to assign a scope, and then select Assign Endpoint Scope.
     The Assign Endpoint Scope dialog box appears.
  3. Under Endpoint Groups, select one of the following:
     • Specific groups—Select the endpoint groups that you want to assign to the selected user or users. This determines the scope of the user or users.
     • All endpoints—Assign all endpoints to the selected user or users, without scoping.
  4. Click Apply.
The users to whom you have scoped particular endpoints are now able to use Cortex XDR only within the scope of their assigned endpoints.
Make sure to assign the required default permissions for scoped users. This depends on the structure and divisions within your organization, and the particular purpose of each organizational unit to which scoped users belong.
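The following is an added illustration, not Cortex XDR code: a small model of how SBAC narrows what a scoped user can reach, plus an audit that lists the permissions a scoped user holds in functional areas SBAC does not cover (those remain tenant-wide, as the note above describes). The endpoint inventory, user records and the area and permission labels are constructed for the example.

```python
"""Model of Cortex XDR Scope-Based Access Control (SBAC) and an audit for
permissions that escape a user's endpoint scope. Constructed example; area
and permission names are illustrative labels, not Cortex XDR identifiers.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Set

# Functional areas where SBAC applies, per the documentation. Any other
# area is unscoped: a permission there reaches every endpoint in the tenant.
SBAC_AREAS = {"Endpoint Administration", "Policy Management",
              "Action Center", "Dashboards and Reports"}

# Constructed endpoint inventory: endpoint id -> endpoint group name.
ENDPOINTS = {"ep-01": "finance", "ep-02": "finance",
             "ep-03": "hr", "ep-04": "eng"}


@dataclass
class User:
    name: str
    permissions: Dict[str, Set[str]]      # functional area -> permissions
    scope: Optional[Set[str]] = None      # endpoint groups; None = all


def visible_endpoints(user: User, area: str) -> Set[str]:
    """Endpoints the user can see or act on through the given area."""
    if user.scope is None or area not in SBAC_AREAS:
        return set(ENDPOINTS)      # unscoped user, or area that ignores SBAC
    return {ep for ep, group in ENDPOINTS.items() if group in user.scope}


def unscoped_grants(user: User) -> Dict[str, Set[str]]:
    """Audit: permissions a scoped user holds outside SBAC-covered areas.
    Each entry is effectively tenant-wide despite the endpoint scope."""
    if user.scope is None:
        return {}
    return {area: perms for area, perms in user.permissions.items()
            if area not in SBAC_AREAS and perms}


if __name__ == "__main__":
    analyst = User("analyst", scope={"finance"},
                   permissions={"Endpoint Administration": {"View"},
                                "Incidents": {"View"}})
    print(sorted(visible_endpoints(analyst, "Endpoint Administration")))
    print(sorted(visible_endpoints(analyst, "Incidents")))
    print(unscoped_grants(analyst))
```

Run the audit against each scoped user after assigning scopes to confirm that no permission outside the four SBAC areas was granted unintentionally.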

Scoped Endpoint Admin

Scoped Endpoint Admin is a predefined recommended role that you can assign to scoped users. This predefined (by Palo Alto Networks) user role has recommended permissions to perform the following actions in Cortex XDR.
  • Views—View options that are available for a Scoped User Admin:
    • Endpoint Administration → Endpoint Administration
    • Dashboards → Dashboard View
    • Reports → Reports View
    • Response → Action Center
    • Response → Scripts
  • Actions—Actions that a Scoped User Admin can perform:
    • Endpoint Administration → File Retrieval
    • Endpoint Administration → Retrieve Endpoint Data
    • Endpoint Administration → Endpoint Scan
    • Endpoint Administration → Change Managing Server
    • Endpoint Administration → Agent Management Configurations
    • Dashboards → Dashboard Action
    • Response → Isolate
    • Response → Live Terminal
    • Response → File Search
    • Response → Destroy Files
    • Response → Terminate Process
    • Response → Quarantine
    • Response → Run Standard Script
    • Response → Run High-Risk Script
    • Response → Disable Response Actions
For more information about user roles, see Manage User Roles.
