Question 7 - Palo Alto Networks XSIAM Engineer Real Exam Questions [Jan 2026 Update]

Q: 7

A Cortex XSIAM engineer is implementing role-based access control (RBAC) and scope-based access control (SBAC) for users accessing the Cortex XSIAM tenant with the following requirements: Users managing machines in Europe should be able to manage and control all endpoints and installations, create profiles and policies, view alerts, and initiate Live Terminal, but only for endpoints in the Europe region. Users managing machines in Europe should not be able to create, modify, or delete new or existing user roles. The Europe region endpoints are identified by both of the following: Endpoint Tag = "Europe-Servers" and Endpoint Group = "Europe" for servers in Europe Endpoint Group = "Europe" and Endpoint Tag = "Europe-Workstation" for workstations in Europe Which two sets of implementation actions should the engineer take? (Choose two.)

Options

Correct Answer:

A, D

Explanation

This configuration requires a combination of Role-Based Access Control (RBAC) to define what actions a user can perform, and Scope-Based Access Control (SBAC) to define on which resources they can perform them.

Option A correctly configures SBAC. Setting the mode to "Restrictive" is crucial; it ensures that users have no access to any endpoints by default, and are only granted access to resources explicitly defined in their scope. Assigning the scope EG:Europe correctly limits the user's visibility and actions to only the endpoints within the "Europe" endpoint group.

Option D correctly configures RBAC. The predefined "Privileged IT Admin" role grants the necessary permissions for endpoint management, policy creation, alert viewing, and initiating Live Terminal. Critically, this role does not include permissions to manage users or roles, thereby satisfying the requirement that these users cannot create, modify, or delete roles.

Why Incorrect

B. The "Instance Administrator" role is incorrect as it provides full control over the tenant, including the ability to manage user roles, which is explicitly forbidden by the requirements.

C. "Permissive" SBAC mode is incorrect. In this mode, users would have access to all endpoints by default, violating the strict requirement to limit access only to the Europe region.

References

1. Palo Alto Networks Cortex XSIAM Administrator's Guide: In the section on "Scope-Based Access Control," the guide explains the two modes. It states, "To ensure that users can only access specific endpoint groups, we recommend that you set the mode to Restrictive. Otherwise, in Permissive mode, users will have access to all endpoint groups." This supports the choice of "Restrictive" mode in option A.

2. Palo Alto Networks Cortex XSIAM Administrator's Guide: The "Predefined Roles" table within the "Manage Roles" section details the permissions for each role. It describes the "Instance Administrator" as having "Full control over the tenant," which includes user and role management. It describes the "Privileged IT Admin" role as having permissions for "Endpoint administration, policy management, and response actions," which aligns with the question's requirements and excludes user management. This supports option D and invalidates option B.

Premium Access Includes

FLASH OFFER

avail 10% DISCOUNT on YOUR PURCHASE