Roles
The tasks you can perform in Cisco XDR depend on the user role assigned to your Cisco XDR account by the administrator within your organization. The following roles can be assigned to new users in Cisco XDR:
- Administrator - An administrator focuses on employee productivity and system stability. Users with an Administrator role have access to all the Cisco XDR features and administrative tasks, including inviting users and managing user accounts.
- Incident Responder - An incident responder focuses on finding the proper security data, determines the details of what happened, and provides recommendations for future prevention. Users with an Incident Responder role have access to manage incidents, create investigations, create judgments on observables, perform response actions, and run workflows, but have no access to devices, client management, or administrative tasks.
- Security Analyst - A security analyst prioritizes risks, remediates vulnerabilities, and proactively avoids attacks. Users with the Security Analyst role have access to manage incidents, create investigations, and create judgments on observables, but have no access to response actions, running workflows, devices, client management, or administrative tasks.

The following table provides a list of tasks each role is able to perform:
| Task | Administrator | Incident Responder | Security Analyst |
|---|---|---|---|
| **Control Center** | | | |
| View Overview dashboard | Yes | Yes | Yes |
| Manage custom dashboards | Yes | Yes | Yes |
| Share dashboards within organization | Yes | No | No |
| **Incidents** | | | |
| View incidents list | Yes | Yes | Yes |
| View summary of incident in drawer | Yes | Yes | Yes |
| View incident details | Yes | Yes | Yes |
| View incident Overview | Yes | Yes | Yes |
| View incident Detection | Yes | Yes | Yes |
| **Incident Response** | | | |
| Execute | Yes | Yes | No |
| Add Note | Yes | Yes | Yes |
| Mark Task Completed | Yes | Yes | Yes |
| Mark All Tasks Completed | Yes | Yes | No |
| View Workflow details | Yes | Yes | Yes |
| View incident Worklog | Yes | Yes | Yes |
| Add Notes in Worklog | Yes | Yes | Yes |
| View Audit Log | Yes | Yes | Yes |
| **Investigate** | | | |
| Run an investigation | Yes | Yes | Yes |
| **Intelligence** | | | |
| Create judgments | Yes | Yes | Yes |
| Create private indicators | Yes | Yes | Yes |
| View Events | Yes | Yes | Yes |
| **Automate** | | | |
| Run or execute workflows (from any page) | Yes | Yes | No |
| *Exchange* | | | |
| Install workflows | Yes | No | No |
| View My Exchange | Yes | Yes | Yes |
| *Workflows* | | | |
| View workflows and workflow content | Yes | Yes | Yes |
| Create workflows | Yes | No | No |
| Import workflows | Yes | No | No |
| Export workflows | Yes | No | No |
| Duplicate workflows | Yes | No | No |
| View workflow runs | Yes | Yes | Yes |
| Delete workflows | Yes | No | No |
| *Runs* | | | |
| Manage workflow runs | Yes | No | No |
| Delete workflow runs | Yes | No | No |
| *Targets* | | | |
| Create targets and target groups | Yes | No | No |
| View targets and target groups | Yes | Yes | Yes |
| View Used By information | Yes | Yes | Yes |
| *Account Keys* | | | |
| Create account keys | Yes | No | No |
| View account keys | Yes | Yes | Yes |
| Delete account keys | Yes | No | No |
| View Used By information | Yes | Yes | Yes |
| *Variables* | | | |
| Create variables | Yes | No | No |
| View variable definitions and Used By information | Yes | Yes | Yes |
| *Triggers* | | | |
| View automation rules list | Yes | Yes | Yes |
| Create automation rules | Yes | No | No |
| Delete automation rules | Yes | No | No |
| View events list, details, and Used By information | Yes | Yes | Yes |
| Delete events | Yes | No | No |
| View webhooks list, details, and Used By information | Yes | Yes | Yes |
| Create webhooks | Yes | No | No |
| Delete webhooks | Yes | No | No |
| View calendar list, details, and Used By information | Yes | Yes | Yes |
| Create calendar | Yes | No | No |
| View schedule list, details, and Used By information | Yes | Yes | Yes |
| Delete schedule | Yes | No | No |
| *Tasks* | | | |
| View task list | Yes | Yes | Yes |
| Approve task, if assigned | Yes | Yes | No |
| *Options* | | | |
| View category list, description, and Used By information | Yes | Yes | Yes |
| Create category | Yes | No | No |
| Delete category | Yes | No | No |
| View Git repositories list, description, and Used By information | Yes | Yes | Yes |
| Create Git repository | Yes | No | No |
| Delete Git repository | Yes | No | No |
| View remotes list, description, and Used By information | Yes | Yes | Yes |
| Create new remote | Yes | No | No |
| Delete remote | Yes | No | No |
| **Assets** | | | |
| View devices | Yes | Yes | Yes |
| Edit device rules | Yes | No | No |
| Edit labels | Yes | No | No |
| Edit asset value | Yes | No | No |
| View sources | Yes | Yes | Yes |
| Synchronize sources | Yes | No | No |
| Add sources | Yes | No | No |
| View users | Yes | Yes | Yes |
| **Client Management** | | | |
| View clients | Yes | No | No |
| Manage and deploy profiles | Yes | No | No |
| View audit logs | Yes | No | No |
| View events | Yes | No | No |
| **Administration** | | | |
| View available and configured integrations | Yes | Yes | Yes |
| Configure integrations | Yes | No | No |
| View notifications and configure personal notification settings | Yes | Yes | Yes |
| Configure system notification settings | Yes | No | No |
| View playbooks and assignment rules | Yes | Yes | Yes |
| Manage playbooks and assignment rules | Yes | No | No |
| View and manage on-premises appliances | Yes | No | No |
| View and manage API Client credentials | Yes | No | No |
| Manage user accounts | Yes | No | No |
| View users within your organization | Yes | Yes | Yes |
| Ribbon | Yes | Yes | Yes |
| Response actions in Pivot menu | Yes | Yes | No |
| User Profile and Help menu options | Yes | Yes | Yes |

For information on changing the role of an existing user, see Users.