Configure the Cloud Identity Engine Visibility Scope

Where Can I Use This?	What Do I Need?
NGFW Prisma Access	The Cloud Identity Engine service is free; however, the enforcement points utilizing directory data may require specific licenses. Click here for more information.

An individual firewall that you associate with the Cloud Identity Engine can belong to a Customer Support Portal (CSP) account as well as a Tenant Service Group (TSG). There is a one-to-many relationship between CSP accounts and TSGs. This means that a single CSP account can have many associated TSGs.

When you use the Cloud Identity Engine's Directory Sync or Cloud Authentication Service, your firewall can view and connect to all tenants associated with your CSP account. To isolate firewalls and ensure a particular firewall is only associated with and can only view specific tenants, you can configure the Visibility Scope.

When you configure the Visibility Scope, you can configure each tenant for CSP visibility or TSG visibility. When you configure a tenant for CSP visibility, that tenant is visible and available to firewalls that are a member of any TSG within that CSP account. If you configure a tenant for TSG visibility, the tenant is only visible and available to firewalls associated with that TSG.

In the diagram above, there are two firewalls (Firewall_1 and Firewall_2), each with a different configuration. Visibility and availability depends on the Visibility Scope for the tenant. In this example, there are two TSGs (TSG_1 and TSG_2) within a single CSP account (CSP_1). Each tenant has its own Cloud Identity Engine instance. Both firewalls are associated with CSP_1.

One of the firewalls is associated with TSG_1 and the other firewall is associated with TSG_2. In this example, the Cloud Identity Engine instance for TSG_1 uses the CSP Visibility Scope and the instance for TSG_2 uses the TSG Visibility Scope. As a result, on Firewall_1, only the instance for TSG_1 is visible. This is because Firewall_1 is associated with TSG_1 and TSG_2's Visibility Scope is configured so that only firewalls associated with TSG_2 can view and select Firewall_2.

Firewall_2 has visibility for both the Cloud Identity Engine instance for TSG_1 and the instance for TSG_2. This is because although Firewall_2 is associated with TSG_2, TSG_1's Visibility Scope is configured for CSP visibility, so any firewall associated with the CSP account can view and select Firewall_1.

1. If you have not already done so, associate your tenant with a device.
2. Log in to the Cloud Identity Engine and select Settings.

3. Select the scope type you want to use for the Cloud Identity Engine.

   • TSG— The Cloud Identity Engine tenant is only visible and available to firewalls associated with the current tenant.
     Due to recent security enhancements, for a Panorama that manages Prisma Access in the same TSG as the Cloud Identity Engine (particularly if the visibility scope is TSG), you must associate your applications so that Panorama can access data from the Cloud Identity Engine.
   • CSP—The tenant is visible and available to firewalls that are a member of any tenant within the current CSP account.

   If you use Panorama to manage Prisma Access in the same tenant service group (TSG) as the Cloud Identity Engine, associate Panorama with the Cloud Identity Engine to ensure that Panorama and Prisma Access can access the Cloud Identity Engine (for more information, refer to User Context, step 1). This a requirement if you select TSG as the Scope Type.

4. Save your changes.