Manage User Roles

Role-based access control (RBAC) enables you to manage roles or specific permissions, and assign access rights to administrative users. You can manage roles for all Cortex XDR apps and services in the Cortex XDR Gateway or Cortex XDR management console. By assigning roles, you enforce the separation of viewing access and initiating actions among functional or regional areas of your organization.

To create and assign roles, you must have first activated your Cortex XDR tenant and be assigned XDR Account Admin or Instance Administrator role.

The Cortex XDR Permission Management is divided into two sub-categories,

Permissions

and

Roles

.

In the Permissions category, Cortex XDR lists all the users allocated to a specific CSP account and tenant name. The

Permissions

table provides the following fields of information, you can select if to

View By

Users

or

Tenants

:

User Name
—Displays the first and last name of the user and whether the user is a CSP Super User and Account Admin. If the user is allocated to more than one tenant, expand the user name to display the details for each tenant.
Email
—Email address of the user.
Tenant
—Name of the tenant the user has permission to access. Next to the user name, expand ( ) to view the tenant name.
XDR Role
—Name of the role assigned to the user. Next to the user name, expand ( ) to view the role assigned per tenant, if the user does not have any Cortex XDR access permission, the field displays
No-Role
.
Last Login Time
—Last date and time the user accessed the tenant.
Status
—Displays whether the user is
Active
or
Inactive
.

In the Roles category, Cortex XDR lists the Predefined User Roles for Cortex® XDR™ and custom defined roles. Use roles to assign specific view and action access privileges to administrative user accounts. The way you configure administrative access depends on the security requirements of your organization. The built-in roles provide specific access rights that cannot be changed. The roles you create provide more granular access control.

The

Roles

table provides the following fields of information:

Role Name
—Name of the role.
Created By
—Displays one of the following options: the email address of the user who created a custom role or for the predefined roles.

Palo Alto Networks
—Predefined role granting user permissions in all tenants.
<
user email address
> —Custom role created in the gateway granting user permission in all tenants.
<
user email address
> —Custom role created in the Cortex XDR app granting user permission that specific tenant alone.
Tenant
—Name of the tenant the role applies to according to where the role was created; Cortex XDR Gateway or Cortex XDR app.
Description
—Description of the role.
Creation Date
—Date and time when the role was created. The field is available for only a custom role.
Update Date
—Date and time of when the role was last updated. The field is available for only a custom role.

Depending on where you are managing your roles and permissions; Cortex XDR Gateway or Cortex XDR management app, navigate to:
Cortex XDR Gateway
Permission Management
Cortex XDR app
Settings ( )
Configurations
Access Management
Manage your Cortex XDR roles and permissions.
When accessing the
Role
page from the Cortex XDR Gateway, if you are managing more than one CSP account, select the account you want to display the available roles. If you only manage one CSP account or are accessing from the Cortex XDR app, Cortex XDR only displays the roles available on your tenant.
In the
Roles
table, the following options are available to help you manage roles:
Create a custom role based on Cortex XDR Predefined roles.
Locate the predefined role you want base your custom role as, right-click and select
Save As New Role
.
In the
Create Role
window, define a
Role Name
and update the description.
Update the
Views
and
Actions
permissions you want the role to include and
Create
the rule.
Create and save new roles based on the granular permission.
Select
New Role
.
In the
Create Role
window, define a
Role Name
and update the description.
Select the
Views
and
Actions
permissions you want the role to include and
Create
the rule.
Edit role permissions (available for roles you create).
Locate the custom role you want to edit, right-click and select
Edit Role
.
In the
Edit Role
window, update the
Views
and
Actions
permissions you want the role to include and
Edit
the rule.
Assign roles to a Cortex XDR user.
In the
Permissions
page, select the
Account Name
. The following options are available to help you manage permissions. You can assign roles to one or more users at a time:
Assign permissions to a user that does not have a role.
Hover over the user name and select , located to the right of the row, to
Add Permissions
.
In the
Add Permissions
window, select from the list of
Available Tenants
for which you want to grant permissions.
Select a role from either the
Default Roles
or
Custom Roles
you want to assign the user and
Add
the role to the user.
Update permission for users with an exiting role.
Hover over the user name and select , located to the right of the row, to
Update Permissions
.
In the
Update Permissions
window, select a role from either the
Default Roles
or
Custom Roles
you want to assign the user and
Update
the role.
Deactivate a user.
Locate the user you want to deactivate, right-click and select
Deactivate User
.
Note that you cannot deactivate a user that has a CSP Super User or Account Admin role.
Manage User Scope
Assign users to specific endpoint groups in your organization.