Limit Access to Investigations using RBAC

Limit access to investigations using Role-based Access Control in Cortex XSOAR. Assign a specific role to an incident or assign a role with read only permission.
You can limit access to the investigations using RBAC by either assigning a specific role to the incident (read and write access to the investigation) or by assigning a role with read only permission. This procedure uses the
incident_set
command to limit investigation permissions but you can also add the
Role
and
XSOAR Read Only
rules fields to the Incident Summary page when customizing incident layouts. You can also add these columns to the Incidents table in the Incidents page.
  1. In the
    Incident
    page, select the incident you want to restrict access.
  2. Restrict the incident to a role.
    1. In the CLI, type the following command:
      /incident_set roles=
      <select role>
    2. To check that the role was assigned to the incident, click the
      War Room
      tab.
  3. Restrict the incident to a read-only role.
    1. In the CLI, type the following command:
      incident_set xsoarReadOnlyRoles=
      <select role>
    2. To check that the role was assigned to the incident, click the
      War Room
      tab.
  4. (
    Optional
    ) For automations:
    • Use the
      setIncident
      command in a playbook.
    • Specify the roles that you want to have access to the incident investigation.

Recommended For You