Configure scope management to enforce role-based access control for
Strata Cloud Manager
Where Can I Use
What Do I Need?
Strata Cloud Manager
At least one of these licenses:
AIOps for NGFW Premium
Role-based access control (RBAC) enables you to define the privileges and
responsibilities of administrative users (administrators). Every administrator must
have a user account that specifies a role and authentication method. Prisma Access
Cloud Management implements custom RBAC, to enable you to manage roles or specific
permissions, and assign access rights to administrative users. Using RBAC, you can
manage users and their access to various resources within Cloud Management.
A user on Prisma Access is someone who has been assigned administrative
privileges, and a role defines the type of access that the administrator has on
the service. When you assign a role, you specify the permission group and the
account groups that the administrator can manage. The hub has the following
permission groups built-in for administrators using Prisma Access.
— Has full access to the given app, including
all instances added to the app in the future. App Administrators can
assign roles for app instances, and they can also activate app instances
specific to that app.
— Has full access to the app instance for
which this role is assigned. The Instance Administrator can also make
other users an Instance Administrator for the app instance. If the app
has predefined or custom roles, the Instance Administrator can assign
those roles to other users.
— Can view all config elements, logs, and settings.
Super Readers can’t make changes to other settings.
— Can view and manage logs and log settings only.
Audit Admins can’t make changes to other settings.
— Can view logs, and manage cryptographic settings
such as IKE, IPSec, master key management, and certificate
configuration. Crypto Admins can’t view or make changes to other
— Can view logs and manage all settings except the
cryptographic settings that are available to the Crypto Admin role.
Web Security Admin
— Can view configuration elements related to
Web Security only.
Data Loss Prevention Admin
—Can access Enterprise DLP settings but
cannot push configuration changes to Prisma Access.
Data Security Admin
—Can access Enterprise DLP and SaaS Security
controls, but cannot push configuration changes to Prisma Access.
—Can access SaaS Security settings but cannot push
configuration changes to Prisma Access.
Custom Role-Based Access Control — Setup
Here’s how to use a predefined role or create a custom role, assign a role to a
user, and manage the user scope when you access the Prisma Access
If you require more granular access control than the predefined roles provide, you
can add custom roles to define which permissions are enforced for your
users. Similar to predefined roles, custom roles are a set of
permissions and permission sets. Unlike predefined roles, each custom
role is assignable only to the users in the hierarchy under the Tenant Service Group (TSG)
where it is defined. This avoids name conflicts between similarly named
custom roles defined by different customers.
If you add a custom role at the top level (parent level) of the
hierarchy, that role is assigned to the tenants nested below so that the
parent tenant can manage the child tenants.
Prisma Access Cloud Management enables you (as an administrator) to
assign a management scope to a cloud management user (non-administrator)
to associate permissions based on scopes such as folders and
The permissions are actions that are allowed in the system. Permissions
represent a specific set of application programming interface (API)
calls that you use to read, write, and delete objects within the
systems. All permissions are grouped into roles.