Palo Alto Networks XSIAM Engineer — Question 50
Administrators from Building 3 have been added to Cortex XSIAM to perform limited functions on a subset of endpoints. Custom roles have been created and applied to the administrators to limit their permissions, but their access should also be constrained through the principle of least privilege according to the endpoints they are allowed to manage. All endpoints are part of an endpoint group named "Building3," and some endpoints may also be members of other endpoint groups.
Which technical control will restrict the ability of the administrators to manage endpoints outside of their area of responsibility, while maintaining visibility to Building 3's endpoints?
Answer options
- A. SBAC enabled in Building 3's IP range with the "EG:Building3" tag assigned to each administrator's scope
- B. SBAC enabled in Permissive Mode with the "EG:Building3" tag assigned to each administrator's scope
- C. SBAC enabled in Restrictive Mode with the "EG:Building3" tag assigned to each administrator's scope
- D. SBAC enabled globally with the "EG:Building3" tag assigned to each administrator's scope
Correct answer: C
Explanation
The correct answer is C because enabling SBAC in Restrictive Mode ensures that administrators can only manage endpoints within the "Building3" group, enforcing the principle of least privilege. Options A and B do not provide the necessary restrictions, as they either apply to a broader IP range or operate in Permissive Mode, which allows more access than required. Option D allows global access, which contradicts the principle of limiting permissions to specific groups.