Azure Built-in and Custom Roles

Learn about Azure built-in and custom roles.
Where Can I Use This?
  • Cloud NGFW for Azure
What Do I Need?
  • Cloud NGFW subscription
  • Palo Alto Networks Customer Support Portal account
  • Azure Marketplace subscription
Azure provides built-in roles to help manage access to resources, including Cloud NGFW by Palo Alto Networks. These roles define permissions for users, groups, and applications in Azure Role-Based Access Control (RBAC). Below are some of the key built-in roles relevant to Cloud NGFW on Azure:
  • Owner. An owner has full access to manage all resources, including Cloud NGFW. Assign this role to administrators who need complete control over NGFW creation, configuration, and policies.
  • Contributor. A contributor can create, manage, and modify Cloud NGFW and other resources but cannot assign roles. Assign this role to administrators who need complete control over NGFW creation, configuration, and policies.
  • LocalNGFirewallAdministrator. This role can create, manage, and modify Cloud NGFW policies. Assign this role to administrators who need complete control over NGFW policy configuration; this role cannot create or update firewall resources.
  • LocalRuleStacksAdministrator. This role can create and manage Cloud NGFW policies. Assign this role to administrators who need complete control over the NGFW policy configuration; this role cannot create or update firewall resources.
Choosing the proper Azure built-in role for Cloud NGFW depends on your organization's governance model, administrative structure, and access control requirements. If your needs exceed the capabilities of built-in roles, custom roles can provide a more granular permission model. You can create a custom role with specific permissions, such as:
  • Creating and managing firewalls.
  • Managing Cloud NGFW rules and policies.
  • Monitoring logs and analytics.
  • Controlling network traffic.

Assign Roles

You assign roles using Azure Role-Based Access Control (Azure RBAC), through the Azure Portal, Azure CLI, or PowerShell. To assign a role in the Azure Portal:
  1. Log in to the Azure Portal.
  2. Navigate to Access Control (IAM) > Role Assignments.
  3. Choose the role, assign it to users or groups, and specify the resource scope (for example, the subscription, resource group, or a specific firewall instance).
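
Role choice and scope together decide how much access an assignment grants. The following added example (not part of the original documentation) reviews role assignments for combinations that are broader than Cloud NGFW administration needs. It assumes input in the shape of `az role assignment list --all -o json`; the sample records, principals, subscription ID, and resource names are constructed, and the flagging policy is this example's own.

```python
# Role names as listed on this page.
BROAD_ROLES = {"Owner", "Contributor"}  # act on every resource type in scope
NGFW_ROLES = {"LocalNGFirewallAdministrator", "LocalRuleStacksAdministrator"}

def scope_level(scope):
    """Classify an Azure RBAC scope string by how much it covers."""
    parts = [p.lower() for p in scope.strip("/").split("/") if p]
    if not parts or parts[0] != "subscriptions":
        return "above subscription"  # root or management group
    if "providers" in parts:
        return "resource"
    if "resourcegroups" in parts:
        return "resource group"
    return "subscription"

def review(assignments):
    """Return (principal, role, level, reason) for assignments worth narrowing."""
    findings = []
    for a in assignments:
        role, level = a["roleDefinitionName"], scope_level(a["scope"])
        if role in BROAD_ROLES and level != "resource":
            reason = "grants access to all resources in scope, not only Cloud NGFW"
        elif role in NGFW_ROLES and level in ("subscription", "above subscription"):
            reason = "inherited by every resource group below this scope"
        else:
            continue
        findings.append((a["principalName"], role, level, reason))
    return findings

# Constructed sample data (assumed values, not taken from a real tenant).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG = SUB + "/resourceGroups/rg-ngfw"
FW = RG + "/providers/PaloAltoNetworks.Cloudngfw/firewalls/fw-prod"
SAMPLE = [
    {"principalName": "alice@example.com", "roleDefinitionName": "Owner", "scope": SUB},
    {"principalName": "bob@example.com", "roleDefinitionName": "Contributor", "scope": RG},
    {"principalName": "carol@example.com",
     "roleDefinitionName": "LocalRuleStacksAdministrator", "scope": RG},
    {"principalName": "dave@example.com",
     "roleDefinitionName": "LocalNGFirewallAdministrator", "scope": SUB},
    {"principalName": "erin@example.com", "roleDefinitionName": "Contributor", "scope": FW},
]

if __name__ == "__main__":
    for principal, role, level, reason in review(SAMPLE):
        print(f"{principal}: {role} at {level} scope: {reason}")
```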