How can this rule be applied?

Some of the playbooks on the Phantom server should only be executed by members of the admin role.

How can this rule be applied?
A . Add a filter block to al restricted playbooks that Titters for runRole – "Admin”.
B . Add a tag with restricted access to the restricted playbooks.
C . Make sure the Execute Playbook capability is removed from al roles except admin.
D . Place restricted playbooks in a second source repository that has restricted access.

View Answer

Answer: C

Explanation:

The correct answer is C because the best way to restrict the execution of playbooks to members of the admin role is to make sure the Execute Playbook capability is removed from all roles except admin. The Execute Playbook capability is a permission that allows a user to run any playbook on any container. By default, all roles have this capability, but it can be removed or added in the Phantom UI by going to Administration > User Management > Roles. Removing this capability from all roles except admin will ensure that only admin users can execute playbooks. See Splunk SOAR Documentation for more details. To ensure that only members of the admin role can execute specific playbooks on the Phantom server, the most effective approach is to manage role-based access controls (RBAC) directly. By configuring the system to remove the "Execute Playbook" capability from all roles except for the admin role, you can enforce this rule. This method leverages Phantom’s built-in RBAC mechanisms to restrict playbook execution privileges. It is a straightforward and secure way to ensure that only users with the necessary administrative privileges can initiate the execution of sensitive or critical playbooks, thus maintaining operational security and control.