Manage: Access Control

Strata Cloud Manager

Manage: Access Control

Table of Contents

Manage: Access Control

Configure scope management to enforce role-based access control for
Strata Cloud Manager
Where Can I Use This?
What Do I Need?
  • Strata Cloud Manager
At least one of these licenses:
  • AIOps for NGFW Premium
  • Prisma Access
Role-based access control (RBAC) enables you to define the privileges and responsibilities of administrative users (administrators). Every administrator must have a user account that specifies a role and authentication method. Prisma Access Cloud Management implements custom RBAC, to enable you to manage roles or specific permissions, and assign access rights to administrative users. Using RBAC, you can manage users and their access to various resources within Cloud Management.

Administrator Roles

A user on Prisma Access is someone who has been assigned administrative privileges, and a role defines the type of access that the administrator has on the service. When you assign a role, you specify the permission group and the account groups that the administrator can manage. The hub has the following permission groups built-in for administrators using Prisma Access.
  • App Administrator
    — Has full access to the given app, including all instances added to the app in the future. App Administrators can assign roles for app instances, and they can also activate app instances specific to that app.
  • Instance Administrator
    — Has full access to the app instance for which this role is assigned. The Instance Administrator can also make other users an Instance Administrator for the app instance. If the app has predefined or custom roles, the Instance Administrator can assign those roles to other users.
  • Super Reader
    — Can view all config elements, logs, and settings. Super Readers can’t make changes to other settings.
  • Audit Admin
    — Can view and manage logs and log settings only. Audit Admins can’t make changes to other settings.
  • Crypto Admin
    — Can view logs, and manage cryptographic settings such as IKE, IPSec, master key management, and certificate configuration. Crypto Admins can’t view or make changes to other settings.
  • Security Admin
    — Can view logs and manage all settings except the cryptographic settings that are available to the Crypto Admin role.
  • Web Security Admin
    — Can view configuration elements related to Web Security only.
  • Data Loss Prevention Admin
    —Can access Enterprise DLP settings but cannot push configuration changes to Prisma Access.
  • Data Security Admin
    —Can access Enterprise DLP and SaaS Security controls, but cannot push configuration changes to Prisma Access.
  • SaaS Admin
    —Can access SaaS Security settings but cannot push configuration changes to Prisma Access.

Custom Role-Based Access Control — Setup

Here’s how to use a predefined role or create a custom role, assign a role to a user, and manage the user scope when you access the Prisma Access application.
  1. If you require more granular access control than the predefined roles provide, you can add custom roles to define which permissions are enforced for your users. Similar to predefined roles, custom roles are a set of permissions and permission sets. Unlike predefined roles, each custom role is assignable only to the users in the hierarchy under the Tenant Service Group (TSG) where it is defined. This avoids name conflicts between similarly named custom roles defined by different customers.
    If you add a custom role at the top level (parent level) of the hierarchy, that role is assigned to the tenants nested below so that the parent tenant can manage the child tenants.
  2. The Common Services: Access and Identity enables you to add user access to the platform as well as to the tenants you created.
  3. If you already added users and want to add additional roles, you can also assign a batch of predefined roles. Review additional information about roles and permissions.
  4. Prisma Access Cloud Management enables you (as an administrator) to assign a management scope to a cloud management user (non-administrator) to associate permissions based on scopes such as folders and snippets.
    The permissions are actions that are allowed in the system. Permissions represent a specific set of application programming interface (API) calls that you use to read, write, and delete objects within the systems. All permissions are grouped into roles.

Recommended For You