Compliance - Cloud permissions

Abstract

Configure access to Cloud compliance.

Configure access to Cloud compliance, which allows organizations to track adherence against regulatory frameworks (e.g., CIS, NIST, PCI DSS), monitor cloud compliance violations, and manage compliance assessment schedules

Notice

Requires Cloud Posture Security, Cloud Runtime Security, or Cortex XSIAM Premium license.

System-provided (OOTB) standards and controls are immutable. They cannot be edited or deleted by any user, regardless of whether they hold View/Edit permissions

Compliance permissions include Catalog and assessment Profiles, and Reports. Users access Assessment/Reports by going to Posture ManagementCompliance.

Catalog and Assessment Profiles

Controls access to the building blocks of Compliance (Posture ManagementCompliance):

  • Standards Catalog: A library of compliance frameworks (for example, CIS Benchmarks, NIST 800-53, PCI DSS, SOC 2). Standards can be pre-built (OOTB/system) or custom-created.

  • Controls Catalog: The individual security checks and requirements that make up a standard.

  • Assessment profiles: Configurations that define how compliance is assessed.

For more information, see Monitor and track compliance adherence.

Permission

Description

Roles Example

None

No access to the Standards, Controls, or Assessment Profiles pages.

View

The user can navigate to the Standards Catalog, Controls Catalog, and Assessment Profiles pages. They can view the list of standards, browse controls and their details (severity, category, linked rules), and see assessment profile configurations (name, standard, schedule, targets).

  • SOC Tier 1, 2, and 3 Analysts: Should not modify compliance configurations. May need visibility into compliance posture.

  • Threat Hunter: Needs read-only access to compliance data to correlate compliance gaps with threat activity. Should not modify compliance configurations.

View/Edit

The user has full access. In addition to all View capabilities, they can create, edit, and delete custom standards, custom controls, and custom profiles.

Security Engineer: Responsible for defining and maintaining compliance standards, controls, and assessment profiles. Needs full access to configure the compliance framework.

Reports

Reports provide the results and outputs of compliance assessments.

  • Assessment: The live compliance posture view shows the latest evaluation results for each assessment profile, including scores, control status breakdowns, failed controls by severity, and drill-downs into rules, controls, and assets.

  • Reports: Historical compliance reports that have been generated and stored. These can be viewed, exported (PDF/CSV), or deleted.

For more information, see View and manage compliance assessments and reports.

Permission

Description

Roles Example

None

The user cannot access the Assessment or Reports pages. Navigation menu items for these sections are hidden.

View

The user can navigate to the Assessment and Reports pages. They can view the compliance posture dashboard with scores, control status breakdowns, and failed control severity widgets. They can drill down into profile results to see controls, rules, and asset results. They can view historical reports and export reports to PDF or CSV. They cannot delete reports.

  • SOC Tier 1, 2, and 3 Analysts: Need to view/analyze compliance reports and export them for escalation or documentation during triage.

  • Threat Hunter: Needs read-only access to compliance reports to identify compliance gaps that may indicate attack surfaces or ongoing threats.

  • Security Engineer: Needs to review compliance reports to validate that configured standards and controls are producing expected results. Does not typically need to delete reports.

View/Edit

The user has full access. In addition to all View capabilities, they can delete reports.