Permission Management

You can manage roles and permissions for a single tenant or a number of tenants at the same time using the Cortex XDR Permission Management console, which is accessible via the Cortex Gateway. The Permission Management console is used for first-time activations. To create and assign roles, you must first activate your Cortex XDR tenant and be assigned an XDR Account Admin role in the Cortex Gateway.
The Permission Management console is divided into two subcategories, Permissions and Roles, which you can view on separate pages.
In the Permissions page, Cortex XDR lists all the users allocated to a specific Customer Support Portal (CSP) account and tenant name. If a user is not listed, ensure that the user is added in the Customer Support Portal. The Permissions table provides different fields of information as detailed below. You can select whether to Show User Subset to display only the users who are not designated as a Hidden user (default). For example, this is useful when you have users who are not related to Cortex XDR and will not be designated with a Cortex XDR role, such as CSP Super Users, and you want to hide them from the list. You can also select whether to View By Users (default) or Tenants.
Groups and Group Roles can only be configured in Cortex XDR in the Settings > Configurations > Access Management > User Groups page. For more information, see Manage User Groups.
  • User Name—Displays the first and last name of the user and whether the user is a CSP Super User and Account Admin. If the user is allocated to more than one tenant, expand the user name to display the details for each tenant.
  • Email—Email address of the user.
  • Tenant—Name of the tenant the user has permission to access. Next to the user name, use the expand icon to view the tenant name.
  • User Type—Indicates whether the user was defined in Cortex XDR using the CSP (Customer Support Portal), SSO (single sign-on) using your organization’s IdP, or both (CSP/SSO). For more information on enabling SSO in Cortex XDR, see Manage Single Sign-On.
  • Direct XDR Role—Name of the role assigned specifically to the user that is not inherited from somewhere else, such as a User Group. Next to the user name, use the expand icon to view the role assigned per tenant. If the user does not have any Cortex XDR access permissions that are assigned specifically to them, the field displays No-Role.
  • Groups—Lists the groups that a user belongs to, where any group imported from Active Directory has the letters AD added beside the group name.
  • Group Roles—Lists the different group roles based on the groups the user belongs to. When you hover over the group role, the group associated with this role is displayed.
  • Last Login Time—Last date and time the user accessed the tenant.
  • Status—Displays whether the user is Active or Inactive.
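The fields above are enough for a periodic access review. The following Python sketch is an added example, not part of the Cortex XDR product or its documentation: it computes each active user's effective roles (Direct XDR Role plus Group Roles) and flags entries worth a second look. It assumes the table has been transcribed into CSV with the field names as column headers; the CSV layout, the date format, the ';' separator between group roles, the role names and the sample rows are all constructed for illustration.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed rows. Column names follow the Permissions table fields; the CSV
# layout, date format, ';' separator and role names are assumptions.
SAMPLE = """User Name,Email,Tenant,User Type,Direct XDR Role,Groups,Group Roles,Last Login Time,Status
Ana Ruiz,ana@example.com,tenant-a,SSO,No-Role,SOC-L1 AD,role-analyst,2024-05-28 09:12,Active
Ben Ode,ben@example.com,tenant-a,CSP,role-admin,,,2023-11-02 17:40,Active
Cy Lam,cy@example.com,tenant-b,CSP/SSO,No-Role,,,2024-05-30 08:01,Active
Dee Fox,dee@example.com,tenant-b,CSP,role-viewer,,,2024-01-15 10:00,Inactive
Eve Tan,eve@example.com,tenant-b,SSO,role-admin,SOC-L2 AD,role-analyst;role-viewer,,Active
"""
REVIEW_DATE = datetime(2024, 6, 1)  # constructed review date for the sample


def effective_roles(row):
    """Union of the direct role and the roles inherited through groups."""
    direct = row["Direct XDR Role"].strip()
    roles = set() if direct in ("", "No-Role") else {direct}
    roles.update(r.strip() for r in row["Group Roles"].split(";") if r.strip())
    return roles


def review(csv_text, now, stale_days=90):
    """Return sorted (email, tenant, finding) tuples for Active users."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Status"].strip() != "Active":
            continue
        who = (row["Email"], row["Tenant"])
        roles = effective_roles(row)
        if not roles:
            # No direct or inherited role: candidate for Hide User or removal.
            findings.append(who + ("no-effective-role",))
            continue
        seen = row["Last Login Time"].strip()
        last = datetime.strptime(seen, "%Y-%m-%d %H:%M") if seen else None
        if last is None or now - last > timedelta(days=stale_days):
            findings.append(who + ("stale-active",))
        direct = row["Direct XDR Role"].strip()
        if direct not in ("", "No-Role") and row["Group Roles"].strip():
            findings.append(who + ("direct-plus-group",))
    return sorted(findings)


if __name__ == "__main__":
    for finding in review(SAMPLE, REVIEW_DATE):
        print(*finding, sep="\t")
```

A user with an empty Last Login Time is treated as stale, and a "direct-plus-group" finding means the effective permissions are the union of both grants and should be checked against what was intended.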
In the Roles page, Cortex XDR lists the Predefined User Roles for Cortex XDR and custom defined roles. Use roles to assign specific view and action access privileges to administrative user accounts. The way you configure administrative access depends on the security requirements of your organization. The built-in roles provide specific access rights that cannot be changed. The roles you create provide more granular access control.
The Roles table provides the following fields of information.
  • Role Name—Name of the role.
  • Created By—Displays one of the following options depending on whether the role is a custom role created by a user or a predefined role.
    • Palo Alto Networks—Predefined role granting user permissions in all tenants.
    • <user email address>—Custom role created in the Cortex Gateway granting user permission in all tenants.
    • <user email address>—Custom role created in the Cortex XDR app granting user permission in that specific tenant alone.
  • Tenant—Name of the tenant the role applies to, according to where the role was created: Cortex Gateway or Cortex XDR app.
  • Description—Description of the role.
  • Creation Time—Date and time when the role was created. The field is available only for a custom role.
  • Modification Time—Date and time when the role was last updated. The field is available only for a custom role.
  1. Select Tenant Navigator > Cortex Gateway > Permission Management.
  2. Manage your Cortex XDR roles and permissions.
    If you are managing more than one CSP account, select the account for which you want to display the available roles. If you only manage one CSP account, Cortex XDR only displays the roles available on your tenant.
    In the Roles table, the following options are available to help you manage roles.
    • Create a custom role based on Cortex XDR Predefined roles.
      1. Locate the predefined role that you want to base your custom role on, right-click and select Save As New Role.
      2. In the Create Role window, specify a Role Name and update the Description.
      3. Update the Views and Actions permissions you want the role to include and Create the role.
    • Create and save new roles based on granular permissions.
      1. Select New Role.
      2. In the Create Role window, specify a Role Name and Description.
      3. Select the Views and Actions permissions you want the role to include and Create the role.
    • Edit role permissions (only available for roles you create).
      1. Locate the custom role you want to edit, right-click and select Edit Role.
      2. In the Edit Role window, update the Views and Actions permissions you want the role to include and Edit the role.
  3. Assign roles to a Cortex XDR user.
    In the Permissions page, select the Account Name. The following options are available to help you manage permissions. You can assign roles to one or more users at a time.
    • Assign permissions to a user that does not have a role.
      1. Hover over the user name and select the icon located to the right of the row to Add Permissions.
      2. In the Add Permissions window, select from the list of Available Tenants for which you want to grant permissions.
      3. Select a role from either the Default Roles or Custom Roles you want to assign the user and Add the role to the user.
    • Update permissions for users with an existing role.
      1. Hover over the user name and select the icon located to the right of the row to Update Permissions.
      2. In the Update Permissions window, select a role from either the Default Roles or Custom Roles you want to assign the user and Update the role.
    • Deactivate a user.
      Locate the user you want to deactivate, right-click, and select Deactivate User.
      You cannot deactivate a user that has an Account Admin role.
    • Designate a user as hidden.
      Locate the user you want to hide, right-click, and select Hide User. When a user is designated as hidden, the user will no longer be displayed in the Permissions table when the table is configured to Show User Subset (default configuration).
