This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Buy or Renew
Buy or Renew

SBAC limitations: Delegation of full control (profiles and exceptions) for a specific group of endpoints.

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

SBAC limitations: Delegation of full control (profiles and exceptions) for a specific group of endpoints.

W.MedinaMarquez
L0 Member

‎04-01-2026 05:05 AM

Hello community! I'm looking for the best way to delegate Cortex XDR administration to an IT team within a specific department. The goal is to give them full control over a particular group of endpoints, ensuring strict separation: they shouldn't have visibility into or the ability to manage the endpoints in the main network. The problem: I've been testing Scope-Based Access Control (SBAC) to limit permissions on this group of endpoints. However, I've noticed that under this configuration, the departmental IT team can't create or add exceptions specific to their own devices. I need this team to be able to manage their own exceptions independently, as these shouldn't apply to the rest of the organization, nor should this team be able to modify or view global exceptions. My questions are: SBAC limitations: What are the exact limitations of SBAC regarding the creation and assignment of exceptions and prevention profiles? Is it expected that a user restricted by SBAC cannot manage their own exceptions? Configuration best practices: What combination of Roles (RBAC), Scopes (SBAC), or policy/profile structure should I configure to achieve this level of segregation? I need this team to manage their own profiles and exceptions only for their assigned endpoints, without impacting the global tenant. I appreciate your guidance on how to design this permissions architecture.

0 Likes Likes
1 REPLY 1

susekar
L5 Sessionator

‎04-01-2026 08:04 AM - edited ‎04-01-2026 08:04 AM

Hello @W.MedinaMarquez ,

 

Greetings for the day.

 

To delegate Cortex XDR administration to a specific departmental IT team while maintaining strict segregation, you should utilize Scope-Based Access Control (SBAC) in combination with Custom Roles (RBAC). To ensure departmental admins can manage their own exceptions without impacting the rest of the organization.

 

1. SBAC Limitations Regarding Exceptions and Profiles

While SBAC is designed to restrict visibility and management to specific perimeters, it has the following known limitations regarding exceptions and policy management:

  • Global vs. Scoped Features: Some administrative actions are treated as global permissions to protect tenant integrity. In certain configurations, "Modify" access for security configurations—such as exceptions—defaults to read-only for scoped users if they are not assigned a role that explicitly supports SBAC for those areas.
  • Specific Module Restrictions: Certain exception actions, specifically within Device Control, may require the removal of an administrative scope to function correctly. Support cases indicate that scoped users may be unable to "Add device to permanent exception" unless their scope is broadened, which conflicts with strict segregation requirements.
  • Detection Exceptions (IOC/BIOC): Exception criteria defined for IOC or BIOC rules under the "Detection" menu are often treated as global. Allow lists and blocklists are global and may contain data on endpoints outside of a user's defined scope.
  • Role Capabilities: The predefined "Scoped Endpoint Admin" role has None permissions for "Global Exceptions" by default, which explains why a user with this role cannot create or add exceptions.

 

2. Expected Behavior for Scoped Users:

It is expected that a scoped user can manage exceptions only if their assigned role has "Edit" permissions for the relevant components and the exceptions are within their assigned scope. SBAC applies to:

  • Policy Management: Creating and editing Prevention policies/profiles and global or device exceptions that fall within the user’s defined scope.

How to design this permissions architectureFor further informations,will recommend reaching out to your Account Team, Solution Consultant, or Sales Engineer. They will be able to assist you based on your specific requirements.

If you feel this has answered your query, please let us know by clicking like and on "mark this as a Solution".

 

Thanks & Regards,
S. Subashkar Sekar

0 Likes Likes
  • 353 Views
  • 1 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2026 - Palo Alto Networks