FAQ: Where are My App Tiles, Instances, Roles, and More
Table of Contents
FAQ: Where are My App Tiles, Instances, Roles, and More
Frequently asked questions regarding changes to the hub, apps, subscription management,
tenant management, tsg migration, identity and access management, and more.
The following topics address frequently
asked questions regarding changes to the hub, apps, subscription
management, tenant management, identity and access management, and
more.
What is the TSG migration?
You have likely received information about the transition of your Prisma Access instance, Prisma
SD-WAN instance, or other app instance to a tenant or Tenant Service Group (TSG) in
the Prisma™ SASE Platform or the hub. The
ultimate goal is to provide you with an integrated experience. A foundational step
in that direction is tenant migration.
The process of migrating Prisma Access app instances (for example) from a Customer Support Portal
(CSP) model to a tenant model is still in progress. Along with the Prisma Access
instances, all their dependencies such as Cortex Data Lake (CDL) and Cloud Identity
Engine (CIE) instances also get migrated. The tenant migration happens on a rolling
basis, so Prisma Access & Prisma SD-WAN instances and dependent apps get
migrated at different times. The app tiles remain on the original support account
view of the hub as long as there are non-migrated instances in that CSP. After all
your instances are migrated, you no longer see the app tile on the hub. However,
there is a button on the hub to navigate to your tenant on the SASE Platform at
sase.paloaltonetworks.com. There is also a new tenant view of the hub for your
transitioned tenants.
For apps in the tenant view, use Common Services for license activation, subscription
management, tenant management, and identity and access management. There are a few
ways to access Common Services and view apps by tenant:
First Time Activation | Prisma SASE Platform | Tenant View of the hub | AIOps for
NGFW |
|---|---|---|---|
If you are activating a license for the first time, you are
automatically directed to during the activation process. | If you have received information about the transition of your
tenant to the Prisma SASE Platform, you can access through
sase.paloaltonetworks.com or through the . | To access directly from the hub, toggle to
| If you have received
information about the transition of your AIOps instance to a
tenant, you can access through . |
Where are my instances?
The original support account view of the hub and the
tenant view of the hub are two completely independent platforms
and not just different UI themes. They use different authentication
and authorization methods. A given instance can either be accessed
from the support account view or the tenant view, but never from
both.
In the following example, CSP Alvisofin Corp has multiple CDL,
Prisma Access, and CIE instances that are visible on the original
support account view of the hub before migration. The two Prisma
Access instances along with their dependent apps, CDL and CIE, are
then migrated to TSGs. After the migration, the migrated Prisma
Access, CDL, and CIE tenants will only show up on the tenant view
of the hub, but the Alvisofin Corp CDL - AU instance that was not
associated with any Prisma Access instance is still only visible
from the original support account view of the hub.
Where is my list of support accounts?
When Palo Alto Networks migrates an instance of an app to a tenant, it automatically creates a
TSG with the same name as the CSP support account. If multiple Prisma Access
instances or multiple app instances exist in the same CSP support account, then
multiple tenants are created. After the migration, in the tenant name list in the
tenant view of the hub, there are now multiple entries with the same CSP name
appended with the instance name and the new TSG ID.
After the migration, the tenant name list looks as follows, pinned in the tenant view of the hub.
You can dismiss the pin as well as pin it again. You can search for your tenants
either by name or by ID.
You can edit the tenant name from .
What is the replacement for the Explore app?
The Explore app is designed for use with CSP accounts,
where you can switch between different CDL and CIE instances within
the same CSP. The functionality is not available for TSGs. Since
the TSG tenant is the data boundary, it is not allowed to view logs across
tenants.
As an alternative, you can use embedded Log Viewer in the SASE
platform or the embedded Explore in CDL.
You can switch between products or tenants to
see logs from different CDL apps or CIE apps through the SASE tenant, or
launch different CDL tenants from the tenant view of the hub.
How do I generate the OTP or associate CIE?
In the original support account view of the hub, the
Panorama tile showed the Panorama instances for managing Prisma Access,
but not the Panorama instances for managing the Next Generation
Firewall (NGFW). Unlike other tiles in the original support account
view of the hub, clicking on any of these Panorama tiles did not
open the Panorama UI. There were two operations that you could do
with the Panorama tiles:
- Generate a One Time Password (OTP) for Panorama
- Associate CIE to the Prisma Access instance it manages
In the tenant view of the hub, there is no benefit in showing
the Panorama tile, so it is removed. In the tenant view of the hub,
a Prisma Access tenant is created for every Panorama-managed Prisma
Access instance during the TSG migration. The CIE association with Prisma
Access is automatically done either during migration or during onboarding.
There is no need to explicitly associate CIE as it was previously
done in the original support account view of the hub.
The OTP can be generated during license activation for for Panorama-Managed
Prisma Access or from .
Where are my roles?
The original support account view of the hub and the
tenant view of the hub have different authentication and authorization methods.
The original support account view of the hub uses our RBAC based
role access model, while the tenant view of the hub uses Common Services: Identity &
Access Management (IAM) for access and role management.
In the tenant view of the hub, the dependency on the CSP and
RBAC roles is removed. All users need a role in the IAM system to access
TSGs and TSG-based tenants. When instances are migrated from the
original support account view of the hub to the tenant view of the
hub, all the users and their access permissions are also migrated
to the IAM system. New IAM role names and permissions automatically
get assigned, which are equivalent to the previous RBAC roles.
Roles in the original support account view of the hub and the
tenant view of the hub are not shared, and it is only during the
initial instance migration that RBAC roles are migrated to IAM roles.
For migrated tenants, existing users who had access before the migration will still have access
after migration. But if new users need to be added to the tenants, different steps
need to be followed to add user access. The admins who can add
user access are those with Multitenant Superuser or IAM Administrator roles,
depending on the app. Users in the tenant view of the hub are not required to be
added to CSP accounts unless needed to operate onboarding or offboarding tasks.
You can see the users and roles from . Find out
more about identity and access.
App | RBAC Role | RBAC Scope | IAM Roles | IAM Scope |
|---|---|---|---|---|
N/A | Account Administrator | Support Account | Superuser (Multitenant Superuser) | TSG |
Any | App Administrator | App | Superuser (Multitenant Superuser) | App |
Instance Administrator | App Instance | Superuser (Multitenant Superuser) | App | |
CDL | Log Viewer Admin | App Instance | SOC Analyst | App |
CIE | Deployment Admin | App Instance | Deployment Administrator | App |
IoT | Owner | App Instance | Superuser (Multitenant Superuser) | App |
Administrator | App Instance | Superuser (Multitenant Superuser) | App | |
Read-Only | App Instance | View Only Administrator | App | |
Deployment | App Instance | Deprecated | ||
Prisma Access | Super Reader | App Instance | View Only Administrator | App |
Audit Admin | App Instance | Auditor | App | |
Crypto Admin | App Instance | Deprecated | ||
Security Admin | App Instance | Security Administrator | App | |
Web Security Admin | App Instance | Web Security Administrator | App | |
Data Loss Prevention Admin | App Instance | Superuser (assigned
to DLP app) | App | |
Data Security Admin | App Instance | Data Security Administrator | App | |
SaaS Admin | App Instance | Superuser (assigned
to SaaS app) | App | |
Prisma SD-WAN | esp_super + tenant_super + esp_machine_admin+
esp_admin | App Instance | Multitenant Superuser | TSG |
tenant_super | App Instance | Superuser | TSG (if the only app being migrated is SD-WAN, otherwise App) | |
tenant_view_only | App Instance | View Only Administrator | App | |
tenant_iam_admin | App Instance | IAM Administrator | TSG (if the only app being migrated is SD-WAN, otherwise App) | |
esp_iam_admin + tenant_iam_admin | App Instance | Multitenant IAM Administrator | TSG (if the only app being migrated is SD-WAN, otherwise App) | |
tenant_network_admin | App Instance | Network Administrator | App | |
tenant_security_admin | App Instance | Security Administrator | App |
Which applications are supported in the tenant view of the
hub?
Apps and add-ons with full TSG support (migration still
in progress on a rolling basis):
- Prisma Access (including Enterprise DLP and SaaS Security in Cloud-managed Prisma Access, including Panorama-managed Prisma Access)
- CDL
- CIE
- ELA with the AIOps for NGFW add-on or the IoT Security add-on
- Prisma SD-WAN
- AIOps
- IoT Security
Apps and add-ons that remain in the original support account
view of the hub:
- Prisma Cloud
- SAAS Inline NGFW
- XSOAR Marketplace
Apps removed from the tenant view of the hub:
- Explore