Predefined User Roles for Cortex XDR

Role-based access control (RBAC) enables you to use preconfigured roles to assign access rights to administrative users. You can manage roles for all Cortex apps and services in the hub. By assigning roles, you enforce the separation of access among functional or regional areas of your organization.
Each role extends specific privileges to users. How you configure administrative access depends on the security requirements of your organization. Use roles to assign specific access privileges to administrative user accounts. The built-in roles provide fixed access rights that cannot be changed. Use hub roles to provide full access to Cortex XDR at one of three levels: Account, App, or Instance. If you need more granular access control, assign one of the Cortex XDR app roles instead.
The following table describes the Cortex XDR predefined roles and the view and action privileges associated with each.
Some features are license dependent. As a result, users may not see a specific feature if it is not supported by their license type or if their assigned role does not grant access to it.
Each entry below gives the Role, its Description (including the license it requires), its View Privileges, and its Action Privileges.
App Administrator
The user has full access to the given apps, including all current and future app instances. The App Administrator can assign roles for app instances, and can also activate app instances specific to that app.
Requires a Cortex XDR license.
View Privileges:
  • Endpoints
    • Endpoint Profiles
    • Global Exceptions
    • Endpoint Policies
    • Endpoint Management
    • Endpoint Installations
    • Device Control
    • Vulnerability Assessment
  • Investigation
    • Rules
    • Incidents
    • Alerts
  • Response
    • Action Center
  • Configurations
    • Analytics Management
    • Public API
    • Auditing
    • Alert Notifications
    • Threat Intelligence
    • On-demand Analytics
    • External Alerts Mapping
    • SaaS Log Collection
    • Broker Services
Action Privileges:
  • Investigation
    • Rules
    • Incidents
    • Alerts
  • Response
    • Quarantine
    • Request WildFire Verdict Change
    • Blacklist
    • Terminate Process
    • Isolate
    • Live Terminal
    • EDL
    • File Retrieval
    • Remediation Suggestions
  • Endpoints
    • Retrieve Endpoint Data
    • Endpoint Scan
    • Endpoint Profiles
    • Global Exceptions
    • Endpoint Policies
    • Endpoint Management
    • Endpoint Installations
    • Device Control
    • Vulnerability Assessment
Instance Administrator
The user has full access to the app instance. The Instance Administrator can make other users Instance Administrators for the app instance. If the app has predefined or custom roles, the Instance Administrator can assign those roles to other users.
View Privileges:
  • Endpoints
    • Endpoint Profiles
    • Global Exceptions
    • Endpoint Policies
    • Endpoint Management
    • Endpoint Installations
    • Device Control
    • Vulnerability Assessment
  • Investigation
    • Rules
    • Incidents
    • Alerts
  • Response
    • Action Center
  • Configurations
    • Analytics Management
    • Public API
    • Auditing
    • Alert Notifications
    • Threat Intelligence
    • On-demand Analytics
    • External Alerts Mapping
    • Broker Services
Action Privileges:
  • Investigation
    • Rules
    • Incidents
    • Alerts
  • Response
    • Quarantine
    • Request WildFire Verdict Change
    • Blacklist
    • Terminate Process
    • Isolate
    • Live Terminal
    • EDL
    • File Retrieval
  • Endpoints
    • Retrieve Endpoint Data
    • Endpoint Scan
    • Endpoint Profiles
    • Global Exceptions
    • Endpoint Policies
    • Endpoint Management
    • Endpoint Installations
    • Device Control
    • Vulnerability Assessment
Viewer
Can view the majority of the features of the XDR app for this instance, but can take no actions.
Requires a Cortex XDR license.
View Privileges:
  • Endpoints
    • Endpoint Profiles
    • Global Exceptions
    • Endpoint Policies
    • Endpoint Management
    • Endpoint Installations
    • Device Control
    • Vulnerability Assessment
  • Investigation
    • Rules
    • Incidents
    • Alerts
  • Response
    • Action Center
  • Configurations
    • Auditing
Action Privileges:
  • Endpoints
    • Vulnerability Assessment
Security Admin
Can triage and investigate alerts and incidents, respond (excluding Live Terminal), and edit profiles and policies.
Requires a Cortex XDR Prevent or Cortex XDR Pro per Endpoint license.
View Privileges:
  • Endpoints
    • Endpoint Profiles
    • Global Exceptions
    • Endpoint Policies
    • Endpoint Management
    • Endpoint Installations
    • Device Control
    • Vulnerability Assessment
  • Investigation
    • Rules
    • Incidents
    • Alerts
  • Response
    • Action Center
  • Configurations
    • Analytics Management
    • SaaS Log Collection
Action Privileges:
  • Investigation
    • Rules
    • Incidents
    • Alerts
  • Response
    • Quarantine
    • Request WildFire Verdict Change
    • Blacklist
    • Terminate Process
    • Isolate
    • EDL
  • Endpoints
    • Retrieve Endpoint Data
    • Endpoint Scan
    • Endpoint Profiles
    • Endpoint Policies
Privileged Security Admin
Can triage and investigate alerts and incidents, respond, and edit profiles and policies.
Requires a Cortex XDR Prevent or Cortex XDR Pro per Endpoint license.
View Privileges:
  • Endpoints
    • Endpoint Profiles
    • Global Exceptions
    • Endpoint Policies
    • Endpoint Management
    • Endpoint Installations
    • Device Control
    • Vulnerability Assessment
  • Investigation
    • Rules
    • Incidents
    • Alerts
  • Response
    • Action Center
  • Configurations
    • Analytics Management
    • Auditing
    • Alert Notifications
    • Threat Intelligence
    • On-demand Analytics
    • SaaS Log Collection
    • Broker Services
Action Privileges:
  • Investigation
    • Rules
    • Incidents
    • Alerts
  • Response
    • Quarantine
    • Request WildFire Verdict Change
    • Blacklist
    • Terminate Process
    • Isolate
    • Live Terminal
    • EDL
    • File Retrieval
  • Endpoints
    • Retrieve Endpoint Data
    • Endpoint Scan
    • Endpoint Profiles
    • Endpoint Policies
    • Device Control
    • Vulnerability Assessment
IT Admin
Can manage and control endpoints and installations, configure brokers, and view profiles, policies, and alerts.
Requires a Cortex XDR Prevent or Cortex XDR Pro per Endpoint license.
View Privileges:
  • Endpoints
    • Endpoint Profiles
    • Global Exceptions
    • Endpoint Policies
    • Endpoint Management
    • Endpoint Installations
    • Device Control
    • Vulnerability Assessment
  • Investigation
    • Incidents
    • Alerts
  • Response
    • Action Center
  • Configurations
    • SaaS Log Collection
    • Broker Services
Action Privileges:
  • Endpoints
    • Retrieve Endpoint Data
    • Global Exceptions
    • Endpoint Management
    • Endpoint Installations
Privileged IT Admin
Can manage and control endpoints and installations, configure brokers, create profiles and policies, view alerts, and initiate Live Terminal.
Requires a Cortex XDR Prevent or Cortex XDR Pro per Endpoint license.
View Privileges:
  • Endpoints
    • Endpoint Profiles
    • Endpoint Policies
    • Endpoint Management
    • Endpoint Installations
    • Device Control
  • Investigation
    • Incidents
    • Alerts
  • Response
    • Action Center
  • Configurations
    • SaaS Log Collection
    • Broker Services
Action Privileges:
  • Investigation
    • Incidents
    • Alerts
  • Response
    • Request WildFire Verdict Change
    • Live Terminal
    • File Retrieval
  • Endpoints
    • Retrieve Endpoint Data
    • Global Exceptions
    • Endpoint Management
    • Endpoint Installations
    • Device Control
    • Vulnerability Assessment
Deployment Admin
Can manage and control endpoints and installations, and configure brokers.
Requires a Cortex XDR Prevent or Cortex XDR Pro per Endpoint license.
View Privileges:
  • Endpoints
    • Global Exceptions
    • Endpoint Management
    • Endpoint Installations
  • Configurations
    • Auditing
    • Broker Services
Action Privileges:
  • Endpoints
    • Endpoint Management
    • Endpoint Installations
Investigation Admin
Can view and triage alerts and incidents, configure rules, and view the profiles, policies, and analytics management screens.
Requires a Cortex XDR license.
View Privileges:
  • Endpoints
    • Endpoint Profiles
    • Endpoint Policies
    • Device Control
  • Investigation
    • Rules
    • Incidents
    • Alerts
  • Response
    • Action Center
  • Configurations
    • Analytics Management
Action Privileges:
  • Investigation
    • Rules
    • Incidents
    • Alerts
  • Endpoints
    • Retrieve Endpoint Data
    • Endpoint Scan
    • Device Control
    • Vulnerability Assessment
Investigator
Can view and triage alerts and incidents.
Requires a Cortex XDR license.
View Privileges:
  • Investigation
    • Incidents
    • Alerts
Action Privileges:
  • Investigation
    • Incidents
    • Alerts
  • Endpoints
    • Retrieve Endpoint Data
    • Endpoint Scan
Privileged Investigator
Can view and triage alerts and incidents, and view the rules, profiles, policies, and analytics management screens.
Requires a Cortex XDR Pro per Endpoint license.
View Privileges:
  • Endpoints
    • Endpoint Profiles
    • Endpoint Policies
    • Device Control
  • Investigation
    • Rules
    • Incidents
    • Alerts
  • Response
    • Action Center
  • Configurations
    • Analytics Management
Action Privileges:
  • Investigation
    • Incidents
    • Alerts
  • Endpoints
    • Endpoint Scan
Responder
Can view and triage alerts, and access all response capabilities excluding Live Terminal.
Requires a Cortex XDR Prevent or Cortex XDR Pro per Endpoint license.
View Privileges:
  • Investigation
    • Rules
    • Incidents
    • Alerts
  • Response
    • Action Center
Action Privileges:
  • Response
    • Quarantine
    • Request WildFire Verdict Change
    • Blacklist
    • Terminate Process
    • Isolate
    • EDL
  • Endpoints
    • Retrieve Endpoint Data
    • Endpoint Scan
Privileged Responder
Can view and triage alerts and incidents, access all response capabilities, and configure rules, policies, and profiles.
Requires a Cortex XDR license.
View Privileges:
  • Endpoints
    • Endpoint Profiles
    • Endpoint Policies
    • Endpoint Management
  • Investigation
    • Rules
    • Incidents
    • Alerts
  • Response
    • Action Center
  • Configurations
    • Analytics Management
Action Privileges:
  • Investigation
    • Rules
    • Incidents
    • Alerts
  • Response
    • Quarantine
    • Request WildFire Verdict Change
    • Blacklist
    • Terminate Process
    • Isolate
    • Live Terminal
    • EDL
    • File Retrieval
    • Remediation Suggestions
  • Endpoints
    • Retrieve Endpoint Data
    • Endpoint Scan
    • Device Control
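The point of a fixed role catalogue like this one is to pick the role that grants exactly what a user needs and nothing more. The script below is an added example, not part of the Cortex XDR documentation or product: it transcribes the Action Privileges of a subset of the roles above into sets and answers two questions an access reviewer asks, which role covers a required set of actions with the fewest extra grants, and which roles hand out a sensitive action such as Live Terminal. Privilege names are written "Group/Privilege" (a naming choice made here) so entries that recur across groups stay distinct.

```python
# Least-privilege role selection over the Cortex XDR predefined roles.
# Action privileges below are transcribed from the table above for a
# subset of roles; names are written "Group/Privilege" so that entries
# that recur across groups (e.g. Endpoint Profiles) stay distinct.
ACTION_PRIVILEGES = {
    "Deployment Admin": {
        "Endpoints/Endpoint Management", "Endpoints/Endpoint Installations"},
    "Investigator": {
        "Investigation/Incidents", "Investigation/Alerts",
        "Endpoints/Retrieve Endpoint Data", "Endpoints/Endpoint Scan"},
    "Responder": {
        "Response/Quarantine", "Response/Request WildFire Verdict Change",
        "Response/Blacklist", "Response/Terminate Process",
        "Response/Isolate", "Response/EDL",
        "Endpoints/Retrieve Endpoint Data", "Endpoints/Endpoint Scan"},
    "Security Admin": {
        "Investigation/Rules", "Investigation/Incidents", "Investigation/Alerts",
        "Response/Quarantine", "Response/Request WildFire Verdict Change",
        "Response/Blacklist", "Response/Terminate Process",
        "Response/Isolate", "Response/EDL",
        "Endpoints/Retrieve Endpoint Data", "Endpoints/Endpoint Scan",
        "Endpoints/Endpoint Profiles", "Endpoints/Endpoint Policies"},
    "Privileged Responder": {
        "Investigation/Rules", "Investigation/Incidents", "Investigation/Alerts",
        "Response/Quarantine", "Response/Request WildFire Verdict Change",
        "Response/Blacklist", "Response/Terminate Process",
        "Response/Isolate", "Response/Live Terminal", "Response/EDL",
        "Response/File Retrieval", "Response/Remediation Suggestions",
        "Endpoints/Retrieve Endpoint Data", "Endpoints/Endpoint Scan",
        "Endpoints/Device Control"},
}

def roles_covering(required):
    """(role, extra) for each role granting all of `required`, fewest extras
    first; `extra` is what the role hands out beyond what was asked for."""
    required = set(required)
    found = [(r, p - required) for r, p in ACTION_PRIVILEGES.items()
             if required <= p]
    return sorted(found, key=lambda m: (len(m[1]), m[0]))

def roles_granting(privilege):
    """Roles whose action privileges include `privilege`, for access reviews."""
    return sorted(r for r, p in ACTION_PRIVILEGES.items() if privilege in p)

if __name__ == "__main__":
    # An analyst who must isolate hosts and run endpoint scans, nothing else.
    for role, extra in roles_covering({"Response/Isolate", "Endpoints/Endpoint Scan"}):
        print(f"{role}: {len(extra)} extra action privileges")
    print("Live Terminal:", roles_granting("Response/Live Terminal"))
```

For the isolate-and-scan requirement, Responder wins with six extra action grants, against eleven for Security Admin and thirteen for Privileged Responder; an empty result means no single predefined role fits and a custom role is the least-privilege answer.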
