FAQ: Where are My App Tiles, Instances, Roles, and More

The following topics address frequently asked questions regarding changes to the hub, apps, subscription management, tenant management, identity and access management, and more.

What is the TSG migration?

You have likely received information about the transition of your Prisma Access instance to a tenant or Tenant Service Group (TSG) in the Prisma™ SASE Platform. The ultimate goal is to provide you with an integrated SASE experience. A foundational step in that direction is TSG migration.
The process of migrating Prisma Access tenants from a Customer Support Portal (CSP) model to a TSG model is still in progress. Along with the Prisma Access instances, all their dependencies such as Cortex Data Lake (CDL) and Cloud Identity Engine (CIE) instances also get migrated. The TSG migration happens on a rolling basis, so Prisma Access instances and dependent apps get migrated at different times. The Prisma Access app tile remains on the original support account view of the hub as long as there are non-migrated instances in that CSP. After all your Prisma Access instances are migrated, you no longer see a Prisma Access app tile on the hub. However, there is a button on the hub to navigate to your Prisma Access tenant on the SASE Platform at sase.paloaltonetworks.com. There is also a new tenant view of the hub for your transitioned tenants.
If any application instances are not associated with Prisma Access, they will not get migrated and will stay on the original support account view of the hub.
For apps in the tenant view, use Common Services for license activation, subscription management, tenant management, and identity and access management. There are a few ways to access Common Services.
  • You can view apps by tenant through the tenant view of the hub:
    Toggle
    Common Services
    Tenant Management
    .
  • You can access through
    Original support account view of the hub
    Prisma SASE Platform button
    Tenants and Services
    Common Services
    Tenant Management
    .
  • You can access through
    sase.paloaltonetworks.com
    Tenants and Services
    Common Services
    Tenant Management
    .

Where are my instances?

The original support account view of the hub and the tenant view of the hub are two completely independent platforms and not just different UI themes. They use different authentication and authorization methods. A given instance can either be accessed from the support account view or the tenant view, but never from both.
In the following example, CSP Alvisofin Corp has multiple CDL, Prisma Access, and CIE instances that are visible on the original support account view of the hub before migration. The two Prisma Access instances along with their dependent apps, CDL and CIE, are then migrated to TSGs. After the migration, the migrated Prisma Access, CDL, and CIE tenants will only show up on the tenant view of the hub, but the Alvisofin Corp CDL - AU instance that was not associated with any Prisma Access instance is still only visible from the original support account view of the hub.

Where is my list of support accounts?

When Palo Alto Networks migrates an instance of Prisma Access and dependent apps, it automatically creates a TSG with the same name as the CSP support account. If multiple Prisma Access instances or multiple app instances exist in the same CSP support account, then multiple TSGs are created. After the migration, in the TSG tenant name list in the tenant view of the hub, there are now multiple TSG entries with the same CSP name appended with the instance name and the new TSG ID.
After the migration, the TSG tenant name list looks as follows, pinned in the tenant view of the hub. You can dismiss the pin as well as pin it again. You can search for your tenants either by name or by ID.
You can edit the tenant name from
Common Services
Tenant Management
Tenant name
Edit Tenant
.

What is the replacement for the Explore app?

The Explore app is designed for use with CSP accounts, where you can switch between different CDL and CIE instances within the same CSP. The functionality is not available for TSGs. Since the TSG tenant is the data boundary, it is not allowed to view logs across tenants.
As an alternative, you can use embedded Log Viewer in the SASE platform or the embedded Explore in CDL.
You can switch between products or tenants to see logs from different CDL apps or CIE apps through the SASE tenant, or launch different CDL tenants from the tenant view of the hub.

How do I generate the OTP or associate CIE?

In the original support account view of the hub, the Panorama tile showed the Panorama instances for managing Prisma Access, but not the Panorama instances for managing the Next Generation Firewall (NGFW). Unlike other tiles in the original support account view of the hub, clicking on any of these Panorama tiles did not open the Panorama UI. There were two operations that you could do with the Panorama tiles:
  • Generate a One Time Password (OTP) for Panorama
  • Associate CIE to the Prisma Access instance it manages
In the tenant view of the hub, there is no benefit in showing the Panorama tile, so it is removed. In the tenant view of the hub, a Prisma Access tenant is created for every Panorama-managed Prisma Access instance during the TSG migration. The CIE association with Prisma Access is automatically done either during migration or during onboarding. There is no need to explicitly associate CIE as it was previously done in the original support account view of the hub.
The OTP can be generated during license activation for for Panorama-Managed Prisma Access or from
Common Services
Tenant Management
Tenant name
Generate OTP
.

Where are my roles?

The original support account view of the hub and the tenant view of the hub have different authentication and authorization methods. The original support account view of the hub uses our RBAC based role access model, while the tenant view of the hub uses Common Services: Identity & Access Management (IAM) for access and role management.
In the tenant view of the hub, the dependency on the CSP and RBAC roles is removed. All users need a role in the IAM system to access TSGs and TSG-based tenants. When instances are migrated from the original support account view of the hub to the tenant view of the hub, all the users and their roles are also migrated to the IAM system. New IAM roles and permissions automatically get created, which are equivalent to the previous RBAC roles.
App
RBAC Role
RBAC Scope
IAM Roles
IAM Scope
N/A
Account Administrator
Support Account
Superuser (MSP Superuser)
TSG
Any
App Administrator
App
Superuser (MSP Superuser)
App
Instance Administrator
App Instance
Superuser (MSP Superuser)
App
CDL
Log Viewer Admin
App Instance
SOC Analyst
App
CIE
Deployment Admin
App Instance
Deployment Administrator
App
Prisma Access
Super Reader
App Instance
View Only Administrator
App
Audit Admin
App Instance
Auditor
App
Crypto Admin
App Instance
Deprecated
App
Security Admin
App Instance
Security Administrator
App
Web Security Admin
App Instance
Web Security Administrator (PA only)
App
Data Loss Prevention Admin
App Instance
Superuser (assigned to DLP app)
App
Data Security Admin
App Instance
Data Security Administrator
App
SaaS Admin
App Instance
Superuser (assigned to SaaS app)
App
IoT
Owner
App Instance
Superuser (MSP Superuser)
App
Administrator
App Instance
Superuser (MSP Superuser)
App
Read-Only
App Instance
View Only Administrator
App
Deployment
App Instance
Deprecated
App
You can see the users and roles from
Common Services
Identity & access
Access Management
. Find out more about identity and access.
Roles in the original support account view of the hub and the tenant view of the hub are not shared, and it is only during the initial instance migration that RBAC roles are migrated to IAM roles.
For migrated tenants, existing users who had access before the migration will still have access after migration. But if new users need to be added to the tenants, different steps need to be followed to add user access. Users in the tenant view of the hub are not required to be added to CSP accounts unless needed to operate onboarding or offboarding tasks.

Which applications are supported in the tenant view of the hub?

Apps and add-ons with full TSG support (migration still in progress on a rolling basis):
  • Prisma Access (including Enterprise DLP and SaaS Security in Cloud-managed Prisma Access, including Panorama-managed Prisma Access)
  • CDL
  • CIE
  • Prisma SD-WAN
Apps and add-ons that remain in the original support account view of the hub:
  • AIOps (TBD)
  • IoT Security
  • Prisma Cloud
  • XSOAR Marketplace
Apps removed from the tenant view of the hub:
  • Explore

Recommended For You