Manage User Scope

Cortex® XDR™ supports the scoping of users to particular endpoint groups.
With Scope-Based Access Control (SBAC), Cortex XDR enables you to assign users to specific endpoint groups in your organization. By default, all users have management access to all endpoints in the tenant. However, after you (as an administrator) assign a management scope to a Cortex XDR user, the user is then be able to manage only the specific endpoints that are predefined within that scope.
SBAC applies only to the following functional areas in Cortex XDR:
  • Endpoint Administration table
    —view endpoints and take actions on endpoints. Policy Management does not support SBAC.
  • Action Center
    —view and take actions only on endpoints that are within the scope of the user.
  • Dashboards and Reports
    —scoping takes place only on agent-related widgets.
Important: The rest of the functional areas and their permissions in Cortex XDR do not support SBAC. Accordingly, if these permissions are granted to a scoped user, the user will be able to access all endpoints in the tenant within this functional area. For example, a scoped user with a permission to view incidents, can view all incidents in the system without limitation to a scope.
Also note that the Agent Installation widget is not available for scoped users.
To define the scope of a user:
  1. Go to
    Access Management
    The currently assigned scope of each user is displayed on the
    Endpoint Scope
    column of the Users table, which lists all registered users.
  2. Select and then right-click the user or users to which you want to assign a scope, and then select
    Assign Endpoint Scope
    The Assign Endpoint Scope dialog box appears.
  3. Under Endpoint Groups, select one of the following:
    • Specific groups
      —Select the endpoint groups that you want to assign to the selected user or users. This determines the scope of the user or users.
    • All endpoints
      —Assign all endpoints to the selected user or users, without scoping.
  4. Apply
The users to whom you have scoped particular endpoints are now able to use Cortex XDR only within the scope of their assigned endpoints.
Make sure to assign the required default permissions for scoped users. This depends on the structure and divisions within your organization, and the particular purpose of each organizational unit to which scoped users belong.

Scoped Endpoint Admin

Scoped Endpoint Admin is a predefined recommended role that you can assign to scoped users. This predefined (by Palo Alto Networks) user role has recommended permissions to perform the following actions in Cortex XDR:
  • Views—View options that are available for a Scoped User Admin:
    • Endpoint Administration
      Endpoint Administration
    • Dashboards
      Dashboard View
    • Reports
      Reports View
    • Response
      Action Center
    • Response
  • Actions—Actions that a Scoped User Admin can perform:
    • Endpoint Administration
      File Retrieval
    • Endpoint Administration
      Retrieve Endpoint Data
    • Endpoint Administration
      Endpoint Scan
    • Endpoint Administration
      Change Managing Server
    • Endpoint Administration
      Agent Management Configurations
    • Dashboards
      Dashboard Action
    • Response
    • Response
      Live Terminal
    • Response
      File Search
    • Response
      Destroy Files
    • Response
      Terminate Process
    • Response
    • Response
      Run Standard Script
    • Response
      Run High-Risk Script
    • Response
      Disable Response Actions
For more information about user roles, see Manage User Roles.

Recommended For You