Manage Cloud Identity Engine App Roles

To configure a role:
  1. Select Hub > Settings > Access Management.
  2. Select a user and click Assign Roles.
  3. Select Account, then select the role type.
  4. To grant access to a specific instance, select Cloud Identity Engine, then select the role type for that instance.
Predefined App Roles for Cloud Identity Engine

Role: Deployment Admin (Cloud Identity Engine only)
Description: Has limited access to the app instance for which this role is assigned. Can perform basic functional tasks within the Cloud Identity Engine app, such as adding or removing directories and customizing attributes. Can view the number of objects within the directory but cannot view detailed information for the directory objects.
Privileges:
  • Can activate or deactivate instances for the assigned app.
  • Can add or remove directories.
  • Can download agents and certificates (on-premises directories only).
  • Can revoke certificates (on-premises directories only).
  • Can view agent configuration (on-premises directories only).
  • Can customize attributes.
  • Can reconnect directories.
  • Can sync data instantly or configure a sync schedule.
  • Can view a summary (object count) of the directory data.
  • Can configure an Identity Provider (IdP) profile.

Common Cloud Identity Engine Roles

Role: Instance Administrator
Description: Can access the app instance for which this role is assigned and view information on the data that the Cloud Identity Engine collects from the directory. If the app has predefined app roles, the instance administrator can assign those roles to other users. The instance administrator can also make other users instance administrators for that app instance. Finally, the instance administrator can deactivate the app instance. Instance administrators cannot be assigned app-specific roles for the app instance because they already have full role access to the instance.
Privileges: All privileges of the Deployment Admin role, plus the following:
  • Full access to the Cloud Identity Engine instance where the user is an Instance Administrator.
  • Can view details for directory data.
  • Can assign Instance Administrator and Deployment Admin roles for assigned instances to other users.

Role: App Administrator
Description: Can assign roles specific to an app, make other users app or instance administrators, and assign other users any predefined roles. App administrators cannot be assigned predefined roles for specific instances of the app because they already have full role access to all app instances.
Privileges: All privileges of the Instance Administrator role, plus the following:
  • Can assign App Administrator, Instance Administrator, and Deployment Admin roles for the assigned app to other users.

Role: Account Administrator
Description: Can assign roles for any app in your organization and access all app instances installed for the account. The account administrator is usually the first user from your organization to register on the Palo Alto Networks Customer Support Portal. However, other accounts can be assigned to this role (Settings > Access Management > Roles > Account). There is no limit to the number of accounts to which you can assign this or any other role. Account administrators cannot be assigned roles for apps because they already have full role access to everything.
Privileges: All privileges of the App Administrator role, plus the following:
  • Can assign Account Administrator, App Administrator, Instance Administrator, and Deployment Admin roles to other users.
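The role descriptions above form a strict hierarchy: each role inherits every privilege of the role below it, each role may only hand out roles at or below its own level and only within the scope it holds, and a user who already has full role access to a scope cannot be given a narrower role for it. The following Python is an added example, not part of this page and not Palo Alto Networks' own code; it models those rules so that an administrator can reason about who may assign what, and check that a proposed assignment is not redundant. The role names, privilege list, inheritance and assignment rules come from the page; the scope encoding (account / app / instance), the privilege identifiers and the user and instance names are assumptions made here.

```python
"""Hypothetical model of the Cloud Identity Engine role hierarchy described above.

Added example for illustration, not Palo Alto Networks' own implementation.
Role names, the privilege list, the inheritance between roles and the
assignment rules are taken from the page; the scope encoding, the privilege
identifiers and the user/instance names are assumptions made here.
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import Iterable, Optional


class Role(IntEnum):
    # Ordered by breadth: every role holds all privileges of the roles below it.
    DEPLOYMENT_ADMIN = 0
    INSTANCE_ADMIN = 1
    APP_ADMIN = 2
    ACCOUNT_ADMIN = 3


# Privileges each role adds on top of the role below it (identifier names are assumed).
# The "can assign ..." privileges are modelled separately in ASSIGNABLE.
OWN_PRIVILEGES = {
    Role.DEPLOYMENT_ADMIN: frozenset({
        "activate_deactivate_instance", "add_remove_directories",
        "download_agents_and_certificates", "revoke_certificates",
        "view_agent_configuration", "customize_attributes",
        "reconnect_directories", "sync_data", "view_directory_summary",
        "configure_idp_profile",
    }),
    Role.INSTANCE_ADMIN: frozenset({"full_instance_access", "view_directory_details"}),
    Role.APP_ADMIN: frozenset(),
    Role.ACCOUNT_ADMIN: frozenset(),
}

# Roles each role may hand out to other users. Deployment Admin can assign none.
ASSIGNABLE = {
    Role.DEPLOYMENT_ADMIN: frozenset(),
    Role.INSTANCE_ADMIN: frozenset({Role.INSTANCE_ADMIN, Role.DEPLOYMENT_ADMIN}),
    Role.APP_ADMIN: frozenset({Role.APP_ADMIN, Role.INSTANCE_ADMIN, Role.DEPLOYMENT_ADMIN}),
    Role.ACCOUNT_ADMIN: frozenset(Role),
}


@dataclass(frozen=True)
class Scope:
    """(None, None) = whole account; (app, None) = one app; (app, instance) = one instance."""
    app: Optional[str] = None
    instance: Optional[str] = None

    def contains(self, other: "Scope") -> bool:
        if self.app is None:
            return True  # account scope covers every app and instance
        if self.app != other.app:
            return False
        return self.instance is None or self.instance == other.instance


@dataclass(frozen=True)
class Assignment:
    role: Role
    scope: Scope


def scope_fits_role(role: Role, scope: Scope) -> bool:
    """Deployment/Instance Admin are per instance, App Admin per app, Account Admin per account."""
    if role <= Role.INSTANCE_ADMIN:
        return scope.app is not None and scope.instance is not None
    if role is Role.APP_ADMIN:
        return scope.app is not None and scope.instance is None
    return scope.app is None and scope.instance is None


def effective_privileges(role: Role) -> frozenset:
    """Privileges of a role including everything inherited from the roles below it."""
    return frozenset().union(*(OWN_PRIVILEGES[r] for r in Role if r <= role))


def covers(existing: Assignment, candidate: Assignment) -> bool:
    """True when `existing` already grants everything `candidate` would add."""
    return existing.role >= candidate.role and existing.scope.contains(candidate.scope)


def can_assign(assigner: Iterable[Assignment], candidate: Assignment) -> bool:
    """Assigner needs a role allowed to hand out candidate.role, held in a scope containing the target."""
    return any(candidate.role in ASSIGNABLE[a.role] and a.scope.contains(candidate.scope)
               for a in assigner)


def assign(assigner: set, target: set, candidate: Assignment) -> str:
    """Apply the page's rules; returns 'granted' or the reason the assignment is refused."""
    if not scope_fits_role(candidate.role, candidate.scope):
        return "refused: scope does not match role type"
    if not can_assign(assigner, candidate):
        return "refused: assigner lacks rights for that role or scope"
    if any(covers(e, candidate) for e in target):
        return "refused: user already has full role access to that scope"
    target.add(candidate)
    return "granted"


if __name__ == "__main__":
    # Constructed scenario: the users and instance names are assumptions.
    account_admin = {Assignment(Role.ACCOUNT_ADMIN, Scope())}
    alice, bob = set(), set()
    print(assign(account_admin, alice, Assignment(Role.APP_ADMIN, Scope("cloud-identity-engine"))))
    print(assign(alice, bob, Assignment(Role.INSTANCE_ADMIN, Scope("cloud-identity-engine", "instance-1"))))
    # Bob cannot give Alice a Deployment Admin role: she already administers the whole app.
    print(assign(bob, alice, Assignment(Role.DEPLOYMENT_ADMIN, Scope("cloud-identity-engine", "instance-1"))))
    # Bob's assignment rights stop at instance-1.
    print(assign(bob, set(), Assignment(Role.DEPLOYMENT_ADMIN, Scope("cloud-identity-engine", "instance-2"))))
```

The `covers` check is what enforces the page's "cannot be assigned ... because they already have full role access" sentences: it refuses any assignment that a broader one already implies, which keeps the role inventory minimal and makes access reviews easier. `can_assign` encodes the delegation limits, so an Instance Administrator on one instance cannot reach into another instance or promote anyone to App Administrator.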
