An individual Palo Alto Networks firewall that you associate with
the Cloud Identity Engine can belong to a Customer Support Portal
(CSP) account as well as a
Tenant Service Group (TSG). There can be a
one-to-many relationship between CSP accounts and TSGs, which
means that a single CSP account can have many associated TSGs.

When you use the Cloud Identity Engine's Directory Sync or Cloud
Authentication Service, your firewall can view and connect to all
tenants associated with your CSP account. To isolate firewalls and
ensure a particular firewall is only associated with and can only
view specific tenants, you can now configure the Visibility Scope for the
Cloud Identity Engine.

When you configure the Visibility Scope, you can configure whether
you want each tenant to have CSP visibility or to use TSG
visibility. When you configure a tenant to use CSP visibility, that
tenant is visible and available to firewalls that are members of
any TSG within the current CSP account. If you configure a tenant
for TSG visibility, the tenant is only visible and available to
firewalls that are associated with that TSG.

This new capability allows you to view your firewalls and tenants in
the way that makes the most sense for your particular type of
deployment. By customizing how you view your firewalls and tenants
within the Cloud Identity Engine, you can now ensure that only the
tenants you want to see and configure are visible and selectable
within the Cloud Identity Engine.