Cortex® XDR™ supports the scoping of users to particular
With Scope-Based Access Control (SBAC), Cortex XDR enables you to assign users to specific endpoint groups in your organization. By default, all users have management access to all endpoints in the tenant. However, after you (as an administrator) assign a management scope to a Cortex XDR user, that user is able to manage only the specific endpoints that are predefined within that scope.
SBAC applies only to the following functional areas in Cortex XDR:
Endpoint Administration table—view endpoints and take actions on endpoints. Policy Management does not support SBAC.
—view and take actions only on endpoints that are within the scope of the user.
Dashboards and Reports—scoping takes place only on
The rest of the functional areas and their permissions in Cortex XDR do not support SBAC. Accordingly, if these permissions are granted to a scoped user, the user is able to access all endpoints in the tenant within that functional area. For example, a scoped user with permission to view incidents can view all incidents in the system, without limitation to a scope.
Also note that the Agent Installation widget is not available for scoped users.
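The point above, that a user's scope narrows only the functional areas that support SBAC, is easy to misjudge when granting permissions. The following is an added example, not code from the page or from Palo Alto Networks: a small model of the access rule with constructed endpoints, groups and users, plus a helper that lists the permissions of a scoped user that still grant tenant-wide access. The area names and the SBAC_SUPPORTED table are assumptions that encode only what the page states.

```python
from dataclasses import dataclass
from typing import Optional

# Which functional areas enforce a user's scope. Per the page, endpoint
# administration honours scope while incident views do not (assumed names).
SBAC_SUPPORTED = {
    "endpoint_administration": True,
    "incidents": False,
}

@dataclass(frozen=True)
class Endpoint:
    endpoint_id: str
    group: str

@dataclass(frozen=True)
class User:
    name: str
    permissions: frozenset            # functional areas the user may use
    scope: Optional[frozenset] = None  # endpoint groups; None = unscoped (all)

def visible(user: User, endpoints: list, area: str) -> list:
    """Endpoints the user can see or act on within one functional area."""
    if area not in user.permissions:
        return []
    # Scope narrows only areas that support SBAC; elsewhere it is ignored.
    if user.scope is None or not SBAC_SUPPORTED[area]:
        return list(endpoints)
    return [e for e in endpoints if e.group in user.scope]

def unscoped_permissions(user: User) -> set:
    """Permissions of a scoped user that still expose the whole tenant."""
    if user.scope is None:
        return set()
    return {a for a in user.permissions if not SBAC_SUPPORTED.get(a, False)}

# Constructed sample data (not from the page).
ENDPOINTS = [
    Endpoint("ep-01", "finance"),
    Endpoint("ep-02", "finance"),
    Endpoint("ep-03", "engineering"),
]
FINANCE_ADMIN = User("alice", frozenset({"endpoint_administration", "incidents"}),
                     scope=frozenset({"finance"}))
TENANT_ADMIN = User("bob", frozenset({"endpoint_administration"}))

if __name__ == "__main__":
    for area in SBAC_SUPPORTED:
        ids = [e.endpoint_id for e in visible(FINANCE_ADMIN, ENDPOINTS, area)]
        print(f"{FINANCE_ADMIN.name} in {area}: {ids}")
    print("scope not enforced for:", unscoped_permissions(FINANCE_ADMIN))
```

Running unscoped_permissions over each scoped user before granting roles shows which permissions would reach beyond the intended organizational unit.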
To define the scope of a user:
The currently assigned scope of each user is displayed in a column of the Users table, which lists all registered users.
Select and then right-click the user or users to which you want to assign a scope, and then select the option to assign an endpoint scope. The Assign Endpoint Scope dialog box appears.
Under Endpoint Groups, select one of the following:
the endpoint groups that you want to assign to the selected user or users. This determines the scope of the user or users.
—Assign all endpoints to the selected user or users, without scoping.
The users to whom you have scoped particular endpoints are now able to use Cortex XDR only within their assigned scope. Make sure to assign the required default permissions for scoped users. Which permissions are required depends on the structure and divisions within your organization, and on the particular purpose of each organizational unit to which scoped users belong.
Scoped Endpoint Admin
Scoped Endpoint Admin is a predefined recommended role that you can assign to scoped users. This role, predefined by Palo Alto Networks, has recommended permissions to perform the following actions in Cortex XDR:
Views—View options that are available for a Scoped User Admin:
Actions—Actions that a Scoped User Admin can perform: