Learn about the various user roles and how to invite users to a Cloud NGFW for AWS
tenant.
Where Can I Use This?
What Do I Need?
Cloud NGFW for AWS
Cloud NGFW subscription
Palo Alto Networks Customer Support Account (CSP)
AWS Marketplace account
User role (either tenant or administrator)
As a tenant admin, you can invite additional users to help manage your Cloud NGFW
deployment. You can then place these new users into the roles necessary for their
level of access. When you invite a user to the Cloud NGFW tenant, you specify the
user's email address and assign one or more Cloud NGFW roles. The Cloud NGFW
tenant sends the user an email that includes a registration link and a temporary
password. After logging in for the first time, the new user creates a new password.
Until the invited user has accepted the invitation and logged in to the tenant, the
invitation is considered pending.
Cloud NGFW Role: Permissions

Admin
  Add AWS accounts.
  Invite users and assign roles.
  Create NGFWs.
  Create and manage global and local rulestacks.

Tenant admin
  Add AWS accounts.
  Invite users and assign roles.

Tenant Reader
  Read all firewall resources and their settings.
  Read all global and local rulestacks.
  Read all tenant users and tenant settings.

Global Rulestack admin
  Create a global rulestack.

Local firewall admin
  Create NGFWs.
  Associate local rulestacks with NGFWs.
  Local firewall administrators can only create NGFWs and associate rulestacks
  within a specified AWS account.

Local Rulestack admin
  Create local rulestacks.
  Associate local rulestacks with NGFWs.
  Each Local Rulestack admin has an AWS account ID associated with it, which
  allows local rulestacks created by that admin to be associated with NGFWs in
  the same account.
The email address domain of users invited by the tenant admin must match the
email address domain of the tenant admin’s login credentials.
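To make the scoping rules in the role table and the invite-domain rule concrete, here is an added illustrative authorization model in Python. It is not the Cloud NGFW API or product code; the permission labels, the User structure and the sample AWS account IDs are constructed for the example, and only the role names come from the table above.

```python
from dataclasses import dataclass
from typing import Optional

# Permission labels are constructed here to mirror the actions in the role table.
ROLE_PERMISSIONS = {
    "Admin": {"add_aws_account", "invite_user", "create_ngfw",
              "manage_global_rulestack", "manage_local_rulestack"},
    "Tenant admin": {"add_aws_account", "invite_user"},
    "Tenant Reader": {"read_firewall", "read_rulestack", "read_users"},
    "Global Rulestack admin": {"manage_global_rulestack"},
    "Local firewall admin": {"create_ngfw", "associate_local_rulestack"},
    "Local Rulestack admin": {"manage_local_rulestack", "associate_local_rulestack"},
}

# Roles whose grant carries an AWS account ID and only applies inside that account.
ACCOUNT_SCOPED_ROLES = {"Local firewall admin", "Local Rulestack admin"}


@dataclass
class User:
    email: str
    # role name -> AWS account ID for account-scoped roles, None for tenant-wide roles
    roles: dict


def is_allowed(user: User, action: str, account_id: Optional[str] = None) -> bool:
    """Grant the action if any of the user's roles carries it within the right scope."""
    for role, scope in user.roles.items():
        if action not in ROLE_PERMISSIONS.get(role, set()):
            continue
        # An account-scoped role never reaches resources in another AWS account.
        if role in ACCOUNT_SCOPED_ROLES and scope != account_id:
            continue
        return True
    return False


def _domain(email: str) -> Optional[str]:
    """Return the lower-cased domain part of an email address, or None if malformed."""
    local, sep, domain = email.rpartition("@")
    return domain.lower() if sep and local and domain else None


def can_invite(inviter: User, invitee_email: str) -> bool:
    """An invite needs the invite permission and a domain matching the inviter's login."""
    if not is_allowed(inviter, "invite_user"):
        return False
    inviter_domain, invitee_domain = _domain(inviter.email), _domain(invitee_email)
    return inviter_domain is not None and inviter_domain == invitee_domain
```

The account IDs 111122223333 and 444455556666 used when exercising this model are constructed placeholders, not real accounts.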
Log in to the Cloud NGFW tenant.
Select Settings > Users and Roles > Invite User.
Enter the First Name, Last Name, and Email address of the invitee.
Select the new user’s role or roles from the Roles
drop-down. You can now invite an existing user to a Cloud NGFW tenant.
Click Create.
After logging in, you will be prompted to Select a Tenant and click
Continue. If you're a new user, you will receive an
activation email through which you can register to SSO and log in to the
tenant. Existing users can log in to the tenant directly using your
SSO.
Considerations for Multi-Account Use Cases
If an AWS client account is already added to a tenant from the CNGFW console,
then during the subscription process the user has a choice to log in with an
existing tenant or create a new one. The table below illustrates these use
cases:
Use case: If you're already registered to SSO.
Steps: You won't receive an activation email.

Use case: If you're an existing user who isn't registered to SSO.
Steps: You will receive an activation email to complete registration to SSO.
However, you can still choose to sign in as before until you complete the
registration.

Use case: Use a single email ID to register to different tenants using the Login
with an Existing Tenant option.
Steps: After logging in, you will be prompted to Select a Tenant and click
Continue. If you're a new user, you will receive an activation email through
which you can register to SSO and log in to the tenant. Existing users can log
in to the tenant directly using their SSO.