Manage User Roles

Depending on your organization’s user role policy, you can assign and manage the roles and permissions of any particular user of Cortex® XDR™.
Role-based access control (RBAC) enables you to manage roles or specific permissions, and assign access rights to administrative users. You can manage roles for all Cortex XDR apps and services in the Cortex XDR Gateway or Cortex XDR management console. By assigning roles, you enforce the separation of viewing access and initiating actions among functional or regional areas of your organization.
To create and assign roles, you must have first activated your Cortex XDR tenant and be assigned the XDR Account Admin or Instance Administrator role.
The Cortex XDR Permission Management is divided into two sub-categories, Permissions and Roles.
In the Permissions category, Cortex XDR lists all the users allocated to a specific CSP account and tenant name. The Permissions table provides the following fields of information, which you can View By Users or Tenants:
  • User Name—Displays the first and last name of the user and whether the user is a CSP Super User and Account Admin. If the user is allocated to more than one tenant, expand the user name to display the details for each tenant.
  • Email—Email address of the user.
  • Tenant—Name of the tenant the user has permission to access. Next to the user name, expand ( ) to view the tenant name.
  • XDR Role—Name of the role assigned to the user. Next to the user name, expand ( ) to view the role assigned per tenant. If the user does not have any Cortex XDR access permission, the field displays No-Role.
  • Last Login Time—Last date and time the user accessed the tenant.
  • Status—Displays whether the user is Active or Inactive.
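One way to review the Permissions table fields described above for access hygiene, as an added example that is not Palo Alto Networks code. It assumes the table has been copied into a CSV with the column names listed above; the CSV layout, the timestamp format, the 90-day threshold and the Custom Analyst role name are assumptions.

```python
import csv
import io
from datetime import datetime, timedelta

# Assumed timestamp format; adjust to match how your data is recorded.
TIME_FORMAT = "%Y-%m-%d %H:%M:%S"

# Constructed sample rows. Column names follow the Permissions table fields;
# the CSV layout and the "Custom Analyst" role name are assumptions.
SAMPLE = """User Name,Email,Tenant,XDR Role,Last Login Time,Status
Ana Ruiz,ana@example.com,tenant-eu,Instance Administrator,2024-05-28 09:12:00,Active
Ben Ode,ben@example.com,tenant-eu,No-Role,2024-01-03 17:40:00,Active
Ben Ode,ben@example.com,tenant-us,Custom Analyst,2024-05-30 08:01:00,Active
Cy Lam,cy@example.com,tenant-us,Instance Administrator,2023-11-20 11:05:00,Active
Di Moe,di@example.com,tenant-us,Custom Analyst,2023-09-01 10:00:00,Inactive
"""

def load_rows(text):
    """Parse CSV text into one dict per user/tenant row."""
    return list(csv.DictReader(io.StringIO(text)))

def review_permissions(rows, now, stale_days=90,
                       privileged=("Instance Administrator",)):
    """Return (email, tenant, finding) tuples for rows worth a manual review."""
    cutoff = now - timedelta(days=stale_days)
    findings = []
    for row in rows:
        if row["Status"].strip() != "Active":
            continue  # already deactivated
        who = (row["Email"].strip().lower(), row["Tenant"].strip())
        role = row["XDR Role"].strip()
        if role == "No-Role":
            # Active account that holds no Cortex XDR permission in this tenant.
            findings.append(who + ("active-without-role",))
            continue
        raw = row["Last Login Time"].strip()
        last = datetime.strptime(raw, TIME_FORMAT) if raw else None
        if last is None or last < cutoff:  # never logged in, or not recently
            kind = "stale-privileged" if role in privileged else "stale-login"
            findings.append(who + (kind,))
    return findings

if __name__ == "__main__":
    for finding in review_permissions(load_rows(SAMPLE), datetime(2024, 6, 1)):
        print(*finding, sep="\t")
```

Each finding is a prompt for a manual decision in the Permissions page (update the role or deactivate the user), not an automatic action.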
In the Roles category, Cortex XDR lists the Predefined User Roles for Cortex® XDR™ and custom defined roles. Use roles to assign specific view and action access privileges to administrative user accounts. The way you configure administrative access depends on the security requirements of your organization. The built-in roles provide specific access rights that cannot be changed. The roles you create provide more granular access control.
The Roles table provides the following fields of information:
  • Role Name—Name of the role.
  • Created By—Displays one of the following options: the email address of the user who created a custom role, or Palo Alto Networks for the predefined roles.
    • Palo Alto Networks—Predefined role granting user permissions in all tenants.
    • <user email address>—Custom role created in the gateway granting user permission in all tenants.
    • <user email address>—Custom role created in the Cortex XDR app granting user permission in that specific tenant alone.
  • Tenant—Name of the tenant the role applies to according to where the role was created: Cortex XDR Gateway or Cortex XDR app.
  • Description—Description of the role.
  • Creation Date—Date and time when the role was created. The field is available only for custom roles.
  • Update Date—Date and time when the role was last updated. The field is available only for custom roles.
  1. Depending on where you manage your roles and permissions (Cortex XDR Gateway or Cortex XDR management app), navigate to:
    • Cortex XDR Gateway: Permission Management
    • Cortex XDR app: Settings ( ) > Configurations > Access Management
  2. Manage your Cortex XDR roles and permissions.
    When accessing the Role page from the Cortex XDR Gateway, if you are managing more than one CSP account, select the account for which you want to display the available roles. If you only manage one CSP account or are accessing from the Cortex XDR app, Cortex XDR only displays the roles available on your tenant.
    In the Roles table, the following options are available to help you manage roles:
    • Create a custom role based on Cortex XDR Predefined roles.
      1. Locate the predefined role you want to base your custom role on, right-click and select Save As New Role.
      2. In the Create Role window, define a Role Name and update the description.
      3. Update the Views and Actions permissions you want the role to include and Create the role.
    • Create and save new roles based on the granular permission.
      1. Select New Role.
      2. In the Create Role window, define a Role Name and update the description.
      3. Select the Views and Actions permissions you want the role to include and Create the role.
    • Edit role permissions (available for roles you create).
      1. Locate the custom role you want to edit, right-click and select Edit Role.
      2. In the Edit Role window, update the Views and Actions permissions you want the role to include and Edit the role.
  3. Assign roles to a Cortex XDR user.
    In the Permissions page, select the Account Name. The following options are available to help you manage permissions. You can assign roles to one or more users at a time:
    • Assign permissions to a user that does not have a role.
      1. Hover over the user name and select the icon located to the right of the row to Add Permissions.
      2. In the Add Permissions window, select from the list of Available Tenants for which you want to grant permissions.
      3. Select a role from either the Default Roles or Custom Roles you want to assign the user and Add the role to the user.
    • Update permissions for users with an existing role.
      1. Hover over the user name and select the icon located to the right of the row to Update Permissions.
      2. In the Update Permissions window, select a role from either the Default Roles or Custom Roles you want to assign the user and Update the role.
    • Deactivate a user.
      Locate the user you want to deactivate, right-click and select Deactivate User.
      Note that you cannot deactivate a user that has a CSP Super User or Account Admin role.
