End-of-Life (EoL)
Roles in Cortex XSOAR
The default admin is the super user role in XSOAR. Administrator, Analyst,
and Read-Only roles are defined by the read-write level of access
to XSOAR components.
A role is a set of permissions that determine
which actions and resources users within that role are granted access
in Cortex XSOAR. Users are assigned to at least one role, depending
on their required level of access.
You can add as many roles as you require, by clicking
New
.
To create a new role, see define a role. Follow
the same steps when editing a role. When defining a new role, you
can add permissions, SAML and AD Roles, define shift periods and
so on.Cortex XSOAR has the following assigned roles:
Role | Default Permissions |
|---|---|
Administrator | Read/Write permissions for all components and
access to all pages. Default Administrators have the
same permissions as administrators with a few additional permissions
such as view audit log incidents. Default administrators are usually
used for troubleshooting. |
Analyst | Mix of Read and Read/Write permissions for
all components and access to all pages. |
Read-Only | Read permissions for all components and access
to all pages. |
Permissions
You can view and change the following permission levels
as required:
Permission | Description |
|---|---|
None | No access to the specified component. |
Read | Can view but not edit the specified component. |
Read/Write | Can view and edit the specified component. |
Shifts
If you want to manage Shift periods
for users, including who is on call and to whom to assign, you can define a role for
a specific shift period and then assign that shift to a user.
Default Administrator
Default administrators are usually used for troubleshooting,
they are not counted as license users, cannot be deleted, and are
also tenant administrators.
From version 6.5 and above, the default administrator can view
all incidents (including those that are marked as restricted) and
view modifications to restricted incidents in the Audit Trail. To
prevent the default administrator from viewing these restricted
incidents, set the
incident.restrict.default.admin
property
to true
.The following table describes the administrator and default administrator permissions:
Component | Permission |
|---|---|
Users and Roles |
|
API Keys |
|
Incidents |
Default Administrator )
|
Integrations | ( Default Administrator ) Trigger the
integration fetch command. |
Dashboards |
|
Automation | Run all automations. |
Playbooks |
|
Multi-Tenant | View all tenant accounts. |
File Entries | ( Default Administrator ) Delete file
entries from the file system |
Recommended For You
Recommended Videos
Recommended videos not found.
