Predefined User Roles for Cortex® XDR™

From the hub, you can use predefined roles to assign user access to Cortex XDR views and actions.
Role-based access control (RBAC) lets you assign access rights to Cortex XDR users with predefined Palo Alto Networks roles. You manage roles for all Cortex apps and services in the Cortex XDR Gateway and in the Cortex XDR management console. Assigning roles enforces separation of access between the functional or regional areas of your organization.
Each role grants a specific set of privileges. How you configure administrative access depends on the security requirements of your organization; use roles to grant administrative user accounts the specific access privileges they need. The privileges of a predefined Palo Alto Networks role cannot be changed, but you can save a predefined role as a new role and edit the copy to fit your needs.
The following entries describe the Palo Alto Networks predefined roles and, for each one, the view privileges (what the user can see) and the action privileges (what the user can do).
Some features are license-dependent. A user may not see a feature if the license type does not support it or if the assigned role does not grant access to it.
Deployment Admin
Manage and control endpoints and installations, and configure broker VMs.
View Privileges:
  • Endpoints
    • Endpoint Management
    • Endpoint Groups
    • Endpoint Installations
    • Global Exceptions
  • Investigation
    • Investigation Query
  • Configurations
    • Auditing
    • Broker Service
    • Pathfinder Applet
    • Pathfinder Data Collection
  • Assets
    • Asset Management
  • Dashboards
    • Dashboards
  • Reports
    • Reports
Action Privileges:
  • Endpoints
    • Endpoint Management
    • Endpoint Groups
    • Endpoint Installations
    • Change Managing Server
  • Pathfinder Applet
    • Pathfinder Applet
    • Pathfinder Data Collection
  • Configurations
    • Broker Service
  • Dashboards
    • Dashboards
Instance Administrator
Full access to the app instance for which this role is assigned.
The Instance Administrator can also make other users an Instance Administrator for the app instance. If the app has predefined or custom roles, the Instance Administrator can assign those roles to other users.
The Instance Administrator can assign permissions to other users only from the Cortex XDR management console.
View Privileges:
  • Endpoints
    • Endpoint Policies
    • Endpoint Profiles
    • Endpoint Management
    • Endpoint Groups
    • Endpoint Installations
    • Device Control
    • Global Exceptions
    • Host Insights
  • Investigation
    • Alerts
    • Incidents
    • Rules
    • Investigation Query
  • Response
    • Action Center
    • Scripts
  • Configurations
    • Public API
    • Alert Notifications
    • General Configuration
    • Auditing
    • Threat Intelligence
    • EDL Configuration
    • Analytics Management
    • On-demand Analytics
    • Broker Service
    • External Alerts Mapping
    • Pathfinder Applet
    • Pathfinder Data Collection
    • Syslog Collector
    • Log Collections
    • Ingestion Monitoring
  • Assets
    • Asset Management
  • Dashboards
    • Dashboards
  • Reports
    • Reports
Action Privileges:
  • Investigation
    • Alerts
    • Incidents
    • Rules
    • Prevention Rules
  • Assets
    • Network Configuration
  • Response
    • Isolate
    • Live Terminal
    • EDL
    • File Retrieval
    • File Search
    • Destroy Files
    • Terminate Process
    • Quarantine
    • Allow List/Block List
    • Request WildFire Verdict Change
    • Run Standard Script
    • Run High-Risk Script
    • Script Configurations
    • Disable Response Actions
    • Remediation
  • Endpoints
    • Device Control Rules
    • Device Control Exceptions
    • Retrieve Endpoint Data
    • Endpoint Scan
    • Endpoint Profiles
    • Endpoint Management
    • Endpoint Groups
    • Endpoint Installations
    • Endpoint Policies
    • Global Exceptions
    • Change Managing Server
    • Host Insights
  • Pathfinder Applet
    • Pathfinder Applet
    • Pathfinder Data Collection
  • Configurations
    • Public API
    • Alert Notifications
    • General Configuration
    • Threat Intelligence
    • EDL Configuration
    • On-demand Analytics
    • Broker Service
    • External Alerts Mapping
    • Log Collections
  • Dashboards
    • Dashboards
Investigator
View and triage alerts and incidents.
View Privileges:
  • Investigation
    • Alerts
    • Incidents
    • Investigation Query
  • Dashboards
    • Dashboards
  • Reports
    • Reports
Action Privileges:
  • Investigation
    • Alerts
    • Incidents
  • Endpoints
    • Endpoint Scan
  • Dashboards
    • Dashboards
Investigation Admin
View and triage alerts and incidents, configure rules, and view endpoint profiles, endpoint policies, and the Analytics management screens.
View Privileges:
  • Endpoints
    • Endpoint Policies
    • Endpoint Profiles
    • Device Control
    • Host Insights
  • Investigation
    • Alerts
    • Incidents
    • Rules
    • Investigation Query
  • Response
    • Action Center
  • Configurations
    • EDL Configuration
    • Analytics Management
  • Dashboards
    • Dashboards
  • Reports
    • Reports
Action Privileges:
  • Investigation
    • Alerts
    • Incidents
    • Rules
  • Response
    • EDL
  • Endpoints
    • Device Control Rules
    • Device Control Exceptions
    • Endpoint Scan
    • Host Insights
  • Configurations
    • EDL Configuration
  • Dashboards
    • Dashboards
IT Admin
Manage and control endpoints and installations, configure broker VMs, view endpoint profiles and policies, and view alerts.
View Privileges:
  • Endpoints
    • Endpoint Policies
    • Endpoint Profiles
    • Endpoint Management
    • Endpoint Groups
    • Endpoint Installations
    • Device Control
    • Global Exceptions
    • Host Insights
  • Investigation
    • Alerts
    • Incidents
    • Investigation Query
  • Response
    • Action Center
  • Configurations
    • General Configuration
    • Broker Service
    • Pathfinder Applet
    • Pathfinder Data Collection
    • Log Collections
    • Ingestion Monitoring
  • Assets
    • Asset Management
  • Dashboards
    • Dashboards
  • Reports
    • Reports
Action Privileges:
  • Endpoints
    • Retrieve Endpoint Data
    • Endpoint Management
    • Endpoint Groups
    • Endpoint Installations
    • Global Exceptions
    • Host Insights
  • Pathfinder Applet
    • Pathfinder Applet
    • Pathfinder Data Collection
  • Configurations
    • General Configuration
    • Broker Service
    • Log Collections
  • Dashboards
    • Dashboards
Privileged Investigator
View and triage alerts, incidents, and rules, and view endpoint profiles, endpoint policies, and the Analytics management screens.
View Privileges:
  • Endpoints
    • Endpoint Policies
    • Endpoint Profiles
    • Device Control
    • Host Insights
  • Investigation
    • Alerts
    • Incidents
    • Rules
    • Investigation Query
  • Response
    • Action Center
  • Configurations
    • EDL Configuration
    • Analytics Management
  • Dashboards
    • Dashboards
  • Reports
    • Reports
Action Privileges:
  • Investigation
    • Alerts
    • Incidents
  • Assets
    • Network Configuration
  • Response
    • EDL
  • Endpoints
    • Endpoint Scan
    • Host Insights
  • Configurations
    • EDL Configuration
  • Dashboards
    • Dashboards
Privileged IT Admin
Manage and control endpoints and installations, configure brokers, create profiles and policies, view alerts, and initiate Live Terminal.
View Privileges:
  • Endpoints
    • Endpoint Policies
    • Endpoint Profiles
    • Endpoint Management
    • Endpoint Groups
    • Endpoint Installations
    • Device Control
    • Global Exceptions
    • Host Insights
  • Investigation
    • Alerts
    • Incidents
    • Investigation Query
  • Response
    • Action Center
    • Scripts
  • Configurations
    • General Configuration
    • Broker Service
    • Pathfinder Applet
    • Pathfinder Data Collection
    • Log Collections
    • Ingestion Monitoring
  • Assets
    • Asset Management
  • Dashboards
    • Dashboards
  • Reports
    • Reports
Action Privileges:
  • Investigation
    • Alerts
    • Incidents
  • Assets
    • Network Configuration
  • Response
    • Live Terminal
    • File Retrieval
    • File Search
    • Destroy Files
    • Request WildFire Verdict Change
    • Run Standard Script
    • Run High-Risk Script
    • Script Configurations
    • Remediation
  • Endpoints
    • Device Control Rules
    • Device Control Exceptions
    • Retrieve Endpoint Data
    • Endpoint Management
    • Endpoint Groups
    • Endpoint Installations
    • Global Exceptions
    • Change Managing Server
    • Host Insights
  • Pathfinder Applet
    • Pathfinder Applet
    • Pathfinder Data Collection
  • Configurations
    • General Configuration
    • Broker Service
    • Log Collections
  • Dashboards
    • Dashboards
Privileged Responder
View and triage alerts and incidents, access all response capabilities, and configure rules, policies, and profiles.
View Privileges:
  • Endpoints
    • Endpoint Policies
    • Endpoint Profiles
    • Endpoint Management
    • Endpoint Groups
    • Device Control
    • Global Exceptions
    • Host Insights
  • Investigation
    • Alerts
    • Incidents
    • Rules
    • Investigation Query
  • Response
    • Action Center
    • Scripts
  • Configurations
    • General Configuration
    • EDL Configuration
    • Analytics Management
    • Pathfinder Applet
    • Pathfinder Data Collection
  • Assets
    • Asset Management
  • Dashboards
    • Dashboards
  • Reports
    • Reports
Action Privileges:
  • Investigation
    • Alerts
    • Incidents
    • Rules
  • Assets
    • Network Configuration
  • Response
    • Isolate
    • Live Terminal
    • EDL
    • File Retrieval
    • File Search
    • Destroy Files
    • Terminate Process
    • Quarantine
    • Allow List/Block List
    • Request WildFire Verdict Change
    • Run Standard Script
    • Run High-Risk Script
    • Script Configurations
    • Remediation
  • Endpoints
    • Device Control Rules
    • Device Control Exceptions
    • Retrieve Endpoint Data
    • Endpoint Scan
    • Host Insights
  • Pathfinder Applet
    • Pathfinder Applet
    • Pathfinder Data Collection
  • Dashboards
    • Dashboards
Privileged Security Admin
Triage and investigate alerts and incidents, respond, and edit profiles and policies.
View Privileges:
  • Endpoints
    • Endpoint Policies
    • Endpoint Profiles
    • Endpoint Management
    • Endpoint Groups
    • Endpoint Installations
    • Device Control
    • Global Exceptions
    • Host Insights
  • Investigation
    • Alerts
    • Incidents
    • Rules
    • Investigation Query
  • Response
    • Action Center
    • Scripts
  • Configurations
    • Alert Notifications
    • General Configuration
    • Auditing
    • Threat Intelligence
    • EDL Configuration
    • Analytics Management
    • On-demand Analytics
    • Log Collections
  • Assets
    • Asset Management
  • Dashboards
    • Dashboards
  • Reports
    • Reports
Action Privileges:
  • Investigation
    • Alerts
    • Incidents
    • Rules
    • Prevention Rules
  • Assets
    • Network Configuration
  • Response
    • Isolate
    • Live Terminal
    • EDL
    • File Retrieval
    • File Search
    • Destroy Files
    • Terminate Process
    • Quarantine
    • Allow List/Block List
    • Request WildFire Verdict Change
    • Run Standard Script
    • Run High-Risk Script
    • Script Configurations
    • Remediation
  • Endpoints
    • Device Control Rules
    • Device Control Exceptions
    • Retrieve Endpoint Data
    • Endpoint Scan
    • Endpoint Profiles
    • Endpoint Policies
    • Global Exceptions
    • Host Insights
  • Configurations
    • Alert Notifications
    • General Configuration
    • Threat Intelligence
    • EDL Configuration
    • On-demand Analytics
    • Broker Service
    • Log Collections
  • Dashboards
    • Dashboards
Responder
View and triage alerts and incidents, and use the response actions listed below (Live Terminal excluded).
View Privileges:
  • Investigation
    • Alerts
    • Incidents
    • Rules
    • Investigation Query
  • Response
    • Action Center
  • Dashboards
    • Dashboards
  • Reports
    • Reports
Action Privileges:
  • Response
    • Isolate
    • EDL
    • Terminate Process
    • Quarantine
    • Allow List/Block List
    • Request WildFire Verdict Change
  • Endpoints
    • Retrieve Endpoint Data
    • Endpoint Scan
  • Dashboards
    • Dashboards
Scoped Endpoint Admin
Access only to the product areas that support endpoint scope-based access control (SBAC): Endpoint Administration, Action Center, Response, Dashboards, and Reports.
View Privileges:
  • Endpoints
    • Endpoint Management
  • Response
    • Action Center
    • Scripts
  • Dashboards
    • Dashboards
  • Reports
    • Reports
Action Privileges:
  • Response
    • Isolate
    • Live Terminal
    • File Retrieval
    • File Search
    • Destroy Files
    • Terminate Process
    • Quarantine
    • Run Standard Script
    • Run High-Risk Script
    • Disable Response Actions
  • Endpoints
    • Retrieve Endpoint Data
    • Endpoint Scan
    • Endpoint Management
    • Change Managing Server
  • Dashboards
    • Dashboards
Security Admin
Triage and investigate alerts and incidents, respond (excluding Live Terminal), and edit profiles and policies.
View Privileges:
  • Endpoints
    • Endpoint Policies
    • Endpoint Profiles
    • Endpoint Management
    • Endpoint Groups
    • Endpoint Installations
    • Device Control
    • Global Exceptions
    • Host Insights
  • Investigation
    • Alerts
    • Incidents
    • Rules
    • Investigation Query
  • Response
    • Action Center
    • Scripts
  • Configurations
    • General Configuration
    • EDL Configuration
    • Analytics Management
    • Log Collections
  • Assets
    • Asset Management
  • Dashboards
    • Dashboards
  • Reports
    • Reports
Action Privileges:
  • Investigation
    • Alerts
    • Incidents
    • Rules
    • Prevention Rules
  • Assets
    • Network Configuration
  • Response
    • Isolate
    • EDL
    • Terminate Process
    • Quarantine
    • Allow List/Block List
    • Request WildFire Verdict Change
  • Endpoints
    • Retrieve Endpoint Data
    • Endpoint Scan
    • Endpoint Profiles
    • Endpoint Policies
    • Host Insights
  • Configurations
    • General Configuration
    • EDL Configuration
    • Log Collections
  • Dashboards
    • Dashboards
Viewer
View most features of the Cortex XDR app for this instance. This role has no action privileges.
View Privileges:
  • Endpoints
    • Endpoint Policies
    • Endpoint Profiles
    • Endpoint Management
    • Endpoint Groups
    • Endpoint Installations
    • Device Control
    • Global Exceptions
    • Host Insights
  • Investigation
    • Alerts
    • Incidents
    • Rules
    • Investigation Query
  • Response
    • Action Center
    • Scripts
  • Configurations
    • General Configuration
    • Auditing
    • Pathfinder Applet
    • Pathfinder Data Collection
  • Assets
    • Asset Management
  • Dashboards
    • Dashboards
  • Reports
    • Reports
Action Privileges:
  • None
XDR Account Admin
Full access to the app, including all instances of the app added in the future. This role can assign roles for app instances and can also activate new instances of the app.
View Privileges:
  • Endpoints
    • Endpoint Policies
    • Endpoint Profiles
    • Endpoint Management
    • Endpoint Groups
    • Endpoint Installations
    • Device Control
    • Global Exceptions
    • Host Insights
  • Investigation
    • Alerts
    • Incidents
    • Rules
    • Investigation Query
  • Response
    • Action Center
    • Scripts
  • Configurations
    • Public API
    • Alert Notifications
    • General Configuration
    • Auditing
    • Threat Intelligence
    • EDL Configuration
    • Analytics Management
    • On-demand Analytics
    • Broker Service
    • External Alerts Mapping
    • Pathfinder Applet
    • Pathfinder Data Collection
    • Syslog Collector
    • Log Collections
    • Ingestion Monitoring
  • Assets
    • Asset Management
  • Dashboards
    • Dashboards
  • Reports
    • Reports
Action Privileges:
  • Investigation
    • Alerts
    • Incidents
    • Rules
    • Prevention Rules
  • Assets
    • Network Configuration
  • Response
    • Isolate
    • Live Terminal
    • EDL
    • File Retrieval
    • File Search
    • Destroy Files
    • Terminate Process
    • Quarantine
    • Allow List/Block List
    • Request WildFire Verdict Change
    • Run Standard Script
    • Run High-Risk Script
    • Script Configurations
    • Disable Response Actions
    • Remediation
  • Endpoints
    • Device Control Rules
    • Device Control Exceptions
    • Retrieve Endpoint Data
    • Endpoint Scan
    • Endpoint Profiles
    • Endpoint Management
    • Endpoint Groups
    • Endpoint Installations
    • Endpoint Policies
    • Global Exceptions
    • Change Managing Server
    • Host Insights
  • Pathfinder Applet
    • Pathfinder Applet
    • Pathfinder Data Collection
  • Configurations
    • Public API
    • Alert Notifications
    • General Configuration
    • Threat Intelligence
    • EDL Configuration
    • On-demand Analytics
    • Broker Service
    • External Alerts Mapping
    • Log Collections
  • Dashboards
    • Dashboards
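The role entries above are easiest to use when the choice of role is treated as a least-privilege decision: pick the predefined role that covers the actions a user actually needs while granting the fewest unneeded ones, and review the users whose role carries the most dangerous action privileges. The Python below is an added example, not Palo Alto Networks code and not part of the original page. Its ROLES table is a hand-transcribed subset of the action-privilege lists above with the category names dropped (re-check it against your own console before relying on it); the HIGH_RISK set is this example's own judgement, not a classification the page makes; and the user-to-role assignments are constructed sample data.

```python
"""Least-privilege role selection over the Cortex XDR predefined roles.

ROLES holds the *action* privileges of five predefined roles, transcribed
from the role table above (category names dropped, one flat set per role).
It is constructed data for this example, not an API response.
"""
from __future__ import annotations

ROLES: dict[str, frozenset[str]] = {
    "Investigator": frozenset({
        "Alerts", "Incidents", "Endpoint Scan", "Dashboards"}),
    "Responder": frozenset({
        "Isolate", "EDL", "Terminate Process", "Quarantine",
        "Allow List/Block List", "Request WildFire Verdict Change",
        "Retrieve Endpoint Data", "Endpoint Scan", "Dashboards"}),
    "Security Admin": frozenset({
        "Alerts", "Incidents", "Rules", "Prevention Rules",
        "Network Configuration", "Isolate", "EDL", "Terminate Process",
        "Quarantine", "Allow List/Block List",
        "Request WildFire Verdict Change", "Retrieve Endpoint Data",
        "Endpoint Scan", "Endpoint Profiles", "Endpoint Policies",
        "Host Insights", "General Configuration", "EDL Configuration",
        "Log Collections", "Dashboards"}),
    "Scoped Endpoint Admin": frozenset({
        "Isolate", "Live Terminal", "File Retrieval", "File Search",
        "Destroy Files", "Terminate Process", "Quarantine",
        "Run Standard Script", "Run High-Risk Script",
        "Disable Response Actions", "Retrieve Endpoint Data",
        "Endpoint Scan", "Endpoint Management", "Change Managing Server",
        "Dashboards"}),
}
# Instance Administrator is everything Security Admin and Scoped Endpoint
# Admin can do, plus the extra actions listed in its entry above.
ROLES["Instance Administrator"] = (
    ROLES["Security Admin"] | ROLES["Scoped Endpoint Admin"] | frozenset({
        "Script Configurations", "Remediation", "Device Control Rules",
        "Device Control Exceptions", "Endpoint Groups",
        "Endpoint Installations", "Global Exceptions", "Pathfinder Applet",
        "Pathfinder Data Collection", "Public API", "Alert Notifications",
        "Threat Intelligence", "On-demand Analytics", "Broker Service",
        "External Alerts Mapping"}))

# This example's own ranking of the most consequential actions (remote shell,
# arbitrary script execution, turning off response, data destruction, moving an
# agent to another tenant, API access). The page itself does not rank them.
HIGH_RISK: frozenset[str] = frozenset({
    "Live Terminal", "Run High-Risk Script", "Disable Response Actions",
    "Destroy Files", "Change Managing Server", "Public API"})


def covering_roles(required: set[str]) -> list[str]:
    """Predefined roles whose action privileges include every required action."""
    return [name for name, actions in ROLES.items() if required <= actions]


def excess_actions(role: str, required: set[str]) -> frozenset[str]:
    """Actions the role grants beyond what the user needs."""
    return ROLES[role] - required


def least_privilege_role(required: set[str]) -> str | None:
    """Covering role that adds the fewest high-risk actions, then the fewest
    actions overall; None if no predefined role covers the requirement."""
    candidates = covering_roles(required)
    if not candidates:
        return None
    return min(candidates, key=lambda r: (
        len(excess_actions(r, required) & HIGH_RISK),
        len(excess_actions(r, required)),
        r))


def derived_role(base: str, drop: set[str]) -> frozenset[str]:
    """Model the 'save a predefined role as a new role and edit it' workflow:
    start from a predefined role and strip the actions the copy must not have."""
    return ROLES[base] - drop


def audit_assignments(assignments: dict[str, str]) -> dict[str, frozenset[str]]:
    """Map each user to the high-risk actions their role grants; users whose
    role grants none are omitted, so the result is the review list."""
    return {user: ROLES[role] & HIGH_RISK
            for user, role in assignments.items() if ROLES[role] & HIGH_RISK}


if __name__ == "__main__":
    # Constructed sample data: an analyst who only needs to contain hosts.
    need = {"Isolate", "Terminate Process"}
    role = least_privilege_role(need)
    print(f"{sorted(need)} -> {role}, extra: {sorted(excess_actions(role, need))}")
    # A Scoped Endpoint Admin copy without the remote-shell action.
    print(sorted(derived_role("Scoped Endpoint Admin", {"Live Terminal"})))
    print(audit_assignments({"alice": "Investigator", "bob": "Scoped Endpoint Admin"}))
```

The tie-break order matters: a role that covers the requirement with fewer total extras but adds a high-risk action (such as Live Terminal) loses to one that adds none, which is the trade-off a reviewer would make by hand. When no predefined role fits, the usual answer is `derived_role`: copy the closest predefined role and remove what the copy must not have, exactly as the page describes.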