https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/sbac-limitations-delegation-of-full-control-profiles-and/m-p/1251356#M9229 <P>Hello&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/1631501771">@W.MedinaMarquez</a>&nbsp;,</P> <P>&nbsp;</P> <P>Greetings for the day.</P> <P>&nbsp;</P> <P data-end="442" data-start="0">To delegate Cortex XDR administration to a specific departmental IT team while maintaining strict segregation, you should utilize Scope-Based Access Control (SBAC) in combination with Custom Roles (RBAC). To ensure departmental admins can manage their own exceptions without impacting the rest of the organization.</P> <P data-end="442" data-start="0">&nbsp;</P> <H4 data-end="503" data-start="444" data-section-id="1bzj0g1">1. SBAC Limitations Regarding Exceptions and Profiles</H4> <P data-end="671" data-start="504">While SBAC is designed to restrict visibility and management to specific perimeters, it has the following known limitations regarding exceptions and policy management:</P> <UL data-end="1821" data-start="673"> <LI data-end="1007" data-start="673" data-section-id="1cn0lgb"><STRONG data-end="706" data-start="675">Global vs. Scoped Features:</STRONG> Some administrative actions are treated as global permissions to protect tenant integrity. In certain configurations, "Modify" access for security configurations—such as exceptions—defaults to read-only for scoped users if they are not assigned a role that explicitly supports SBAC for those areas.</LI> <LI data-end="1364" data-start="1009" data-section-id="zcxy6a">Specific Module Restrictions: Certain exception actions, specifically within Device Control, may require the removal of an administrative scope to function correctly. Support cases indicate that scoped users may be unable to "Add device to permanent exception" unless their scope is broadened, which conflicts with strict segregation requirements.</LI> <LI data-end="1618" data-start="1366" data-section-id="7zyzio">Detection Exceptions (IOC/BIOC): Exception criteria defined for IOC or BIOC rules under the "Detection" menu are often treated as global. Allow lists and blocklists are global and may contain data on endpoints outside of a user's defined scope.</LI> <LI data-end="1821" data-start="1620" data-section-id="185jdzx">Role Capabilities: The predefined "Scoped Endpoint Admin" role has None permissions for "Global Exceptions" by default, which explains why a user with this role cannot create or add exceptions.</LI> </UL> <H4 data-end="1871" data-start="1828" data-section-id="1a55qpr">&nbsp;</H4> <H4 data-end="1871" data-start="1828" data-section-id="1a55qpr">2. Expected Behavior for Scoped Users:</H4> <P data-end="2075" data-start="1872">It is expected that a scoped user can manage exceptions only if their assigned role has "Edit" permissions for the relevant components and the exceptions are within their assigned scope. SBAC applies to:</P> <UL data-is-only-node="" data-is-last-node="" data-end="2226" data-start="2077"> <LI data-is-last-node="" data-end="2226" data-start="2077" data-section-id="ej0vh">Policy Management: Creating and editing Prevention policies/profiles and global or device exceptions that fall within the user’s defined scope.</LI> </UL> <DIV id="bodyDisplay" class="lia-message-body lia-component-message-view-widget-body lia-component-body-signature-highlight-escalation lia-component-message-view-widget-body-signature-highlight-escalation"> <DIV class="lia-message-body-content"> <P><SPAN class="jCAhz ChMk0b"><SPAN class="ryNqvb"><STRONG>How to design this permissions architecture</STRONG> -&nbsp;</SPAN></SPAN><SPAN>For further informations,will recommend&nbsp;</SPAN><SPAN class="il">reaching</SPAN><SPAN>&nbsp;out to&nbsp;</SPAN><SPAN class="il">your Account Team</SPAN><SPAN>, Solution Consultant, or Sales Engineer. They will be able to assist you based on&nbsp;</SPAN><SPAN class="il">your</SPAN><SPAN>&nbsp;specific requirements.</SPAN></P> </DIV> </DIV> <P>If you feel this has answered your query, please let us know by clicking <STRONG>like</STRONG> and on&nbsp;<STRONG>"mark this as a Solution".</STRONG></P> <P>&nbsp;</P> <P>Thanks &amp; Regards,<BR />S. Subashkar Sekar</P> Wed, 01 Apr 2026 15:04:51 GMT susekar 2026-04-01T15:04:51Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/sbac-limitations-delegation-of-full-control-profiles-and/m-p/1251347#M9228 <P><SPAN class="jCAhz ChMk0b"><SPAN class="ryNqvb">Hello community!</SPAN></SPAN><SPAN class="jCAhz ChMk0b"><SPAN class="ryNqvb"> I'm looking for the best way to delegate Cortex XDR administration to an IT team within a specific department.</SPAN></SPAN> <SPAN class="jCAhz ChMk0b"><SPAN class="ryNqvb">The goal is to give them full control over a particular group of endpoints, ensuring strict separation: they shouldn't have visibility into or the ability to manage the endpoints in the main network.</SPAN></SPAN><SPAN class="jCAhz ChMk0b"><SPAN class="ryNqvb"> The problem: I've been testing Scope-Based Access Control (SBAC) to limit permissions on this group of endpoints.</SPAN></SPAN> <SPAN class="jCAhz ChMk0b"><SPAN class="ryNqvb">However, I've noticed that under this configuration, the departmental IT team can't create or add exceptions specific to their own devices.</SPAN></SPAN><SPAN class="jCAhz ChMk0b"><SPAN class="ryNqvb"> I need this team to be able to manage their own exceptions independently, as these shouldn't apply to the rest of the organization, nor should this team be able to modify or view global exceptions.</SPAN></SPAN><SPAN class="jCAhz ChMk0b"><SPAN class="ryNqvb"> My questions are: SBAC limitations: What are the exact limitations of SBAC regarding the creation and assignment of exceptions and prevention profiles?</SPAN></SPAN> <SPAN class="jCAhz ChMk0b"><SPAN class="ryNqvb">Is it expected that a user restricted by SBAC cannot manage their own exceptions?</SPAN></SPAN><SPAN class="jCAhz ChMk0b"><SPAN class="ryNqvb"> Configuration best practices: What combination of Roles (RBAC), Scopes (SBAC), or policy/profile structure should I configure to achieve this level of segregation?</SPAN></SPAN> <SPAN class="jCAhz ChMk0b"><SPAN class="ryNqvb">I need this team to manage their own profiles and exceptions only for their assigned endpoints, without impacting the global tenant.</SPAN></SPAN><SPAN class="jCAhz ChMk0b"><SPAN class="ryNqvb"> I appreciate your guidance on how to design this permissions architecture.</SPAN></SPAN></P> Wed, 01 Apr 2026 12:05:23 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/sbac-limitations-delegation-of-full-control-profiles-and/m-p/1251347#M9228 W.MedinaMarquez 2026-04-01T12:05:23Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/sbac-limitations-delegation-of-full-control-profiles-and/m-p/1251356#M9229 <P>Hello&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/1631501771">@W.MedinaMarquez</a>&nbsp;,</P> <P>&nbsp;</P> <P>Greetings for the day.</P> <P>&nbsp;</P> <P data-end="442" data-start="0">To delegate Cortex XDR administration to a specific departmental IT team while maintaining strict segregation, you should utilize Scope-Based Access Control (SBAC) in combination with Custom Roles (RBAC). To ensure departmental admins can manage their own exceptions without impacting the rest of the organization.</P> <P data-end="442" data-start="0">&nbsp;</P> <H4 data-end="503" data-start="444" data-section-id="1bzj0g1">1. SBAC Limitations Regarding Exceptions and Profiles</H4> <P data-end="671" data-start="504">While SBAC is designed to restrict visibility and management to specific perimeters, it has the following known limitations regarding exceptions and policy management:</P> <UL data-end="1821" data-start="673"> <LI data-end="1007" data-start="673" data-section-id="1cn0lgb"><STRONG data-end="706" data-start="675">Global vs. Scoped Features:</STRONG> Some administrative actions are treated as global permissions to protect tenant integrity. In certain configurations, "Modify" access for security configurations—such as exceptions—defaults to read-only for scoped users if they are not assigned a role that explicitly supports SBAC for those areas.</LI> <LI data-end="1364" data-start="1009" data-section-id="zcxy6a">Specific Module Restrictions: Certain exception actions, specifically within Device Control, may require the removal of an administrative scope to function correctly. Support cases indicate that scoped users may be unable to "Add device to permanent exception" unless their scope is broadened, which conflicts with strict segregation requirements.</LI> <LI data-end="1618" data-start="1366" data-section-id="7zyzio">Detection Exceptions (IOC/BIOC): Exception criteria defined for IOC or BIOC rules under the "Detection" menu are often treated as global. Allow lists and blocklists are global and may contain data on endpoints outside of a user's defined scope.</LI> <LI data-end="1821" data-start="1620" data-section-id="185jdzx">Role Capabilities: The predefined "Scoped Endpoint Admin" role has None permissions for "Global Exceptions" by default, which explains why a user with this role cannot create or add exceptions.</LI> </UL> <H4 data-end="1871" data-start="1828" data-section-id="1a55qpr">&nbsp;</H4> <H4 data-end="1871" data-start="1828" data-section-id="1a55qpr">2. Expected Behavior for Scoped Users:</H4> <P data-end="2075" data-start="1872">It is expected that a scoped user can manage exceptions only if their assigned role has "Edit" permissions for the relevant components and the exceptions are within their assigned scope. SBAC applies to:</P> <UL data-is-only-node="" data-is-last-node="" data-end="2226" data-start="2077"> <LI data-is-last-node="" data-end="2226" data-start="2077" data-section-id="ej0vh">Policy Management: Creating and editing Prevention policies/profiles and global or device exceptions that fall within the user’s defined scope.</LI> </UL> <DIV id="bodyDisplay" class="lia-message-body lia-component-message-view-widget-body lia-component-body-signature-highlight-escalation lia-component-message-view-widget-body-signature-highlight-escalation"> <DIV class="lia-message-body-content"> <P><SPAN class="jCAhz ChMk0b"><SPAN class="ryNqvb"><STRONG>How to design this permissions architecture</STRONG> -&nbsp;</SPAN></SPAN><SPAN>For further informations,will recommend&nbsp;</SPAN><SPAN class="il">reaching</SPAN><SPAN>&nbsp;out to&nbsp;</SPAN><SPAN class="il">your Account Team</SPAN><SPAN>, Solution Consultant, or Sales Engineer. They will be able to assist you based on&nbsp;</SPAN><SPAN class="il">your</SPAN><SPAN>&nbsp;specific requirements.</SPAN></P> </DIV> </DIV> <P>If you feel this has answered your query, please let us know by clicking <STRONG>like</STRONG> and on&nbsp;<STRONG>"mark this as a Solution".</STRONG></P> <P>&nbsp;</P> <P>Thanks &amp; Regards,<BR />S. Subashkar Sekar</P> Wed, 01 Apr 2026 15:04:51 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/sbac-limitations-delegation-of-full-control-profiles-and/m-p/1251356#M9229 susekar 2026-04-01T15:04:51Z