The correct answer is C because the best way to restrict the execution of playbooks to members of
the admin role is to make sure the Execute Playbook capability is removed from all roles except
admin. The Execute Playbook capability is a permission that allows a user to run any playbook on any
container. By default, all roles have this capability, but it can be removed or added in the Phantom UI
by going to Administration > User Management > Roles. Removing this capability from all roles
except admin will ensure that only admin users can execute playbooks. See Splunk SOAR
Documentation for more details. To ensure that only members of the admin role can execute specific
playbooks on the Phantom server, the most effective approach is to manage role-based access
controls (RBAC) directly. By configuring the system to remove the "Execute Playbook" capability from
all roles except for the admin role, you can enforce this rule. This method leverages Phantom's built-
in RBAC mechanisms to restrict playbook execution privileges. It is a straightforward and secure way
to ensure that only users with the necessary administrative privileges can initiate the execution of
sensitive or critical playbooks, thus maintaining operational security and control.
