Common Services: Identity and Access
    : About Roles and Permissions Through Common Services
    Focus
    Download PDF
    Focus
    1. Home
    2. Common Services
    3. Common Services: Identity and Access
    4. Manage Identity and Access Through Common Services
    5. About Roles and Permissions Through Common Services
    Download PDF

    Common Services: Identity and Access

    About Roles and Permissions Through Common Services

    Table of Contents

    About Roles and Permissions Through
    Common Services

    Learn about
    Common Services
     roles and permissions for role-based access control (RBAC).
    Common Services
    : Identity and Access supports role-based access control (RBAC). Using Identity and Access, you can manage tenant users, service accounts, and access to various resources within
    Common Services
    ,
    Prisma™ SASE Multitenant Portal
    , and enterprise apps. Roles are required for users but are optional for service accounts.
    Roles work as a union. If you assign a role to a user for a specific app and another role for All Apps & Services, the user will get the union of both permissions. For example, consider a scenario where a user is assigned a role for the Cortex Data Lake app with a role that does not allow download or share permissions. If that same user is also assigned Superuser role for All Apps & Services, the user is able to download and share. The behavior is to check the specific app first and if the permission is not available, then check All Apps & Services. For more information about what each role can do, you can view the permissions in the platform for each role.
    If you have received information about the transition of your app instance to a tenant or Tenant Service Group (TSG), see where are my roles? for a mapping of previous roles to IAM roles.

    Permissions

    Permissions are actions that are allowed in the system. Permissions represent a specific set of application programming interface (API) calls that you use to read, write, and delete objects within the system. You can view all permissions in the platform grouped into roles.

    Multitenant Platform Roles

    Multitenant platform roles are a predefined set of permissions for managing tenants in a multitenant hierarchy. These roles include a collection of one or more system permissions that are specific to the platform. The following table describes general roles and responsibilities. For more information about what each role can do, you can view the permissions in the platform for each role.
    Multitenant Platform Roles
    Permissions
    Supported Applications
    Multitenant Superuser
    Read and write access to manage all apps, Cortex Data Lake (CDL) logs, and services within the assigned level of nested hierarchy. Includes all permissions assigned to all roles, including Superuser. Includes access to dashboards, create custom dashboards, and download, share, and schedule reports. Includes the ability to activate product licenses through email activation link. Assign this role only to users or service accounts that require unrestricted access.
    • Enterprise DLP
    • Cloud Identity Engine
    • Cortex Data Lake
    • IoT Security
    • Next-Generation CASB
    • Prisma Access
    • Prisma SD-WAN
    • SaaS Security Posture Management
    Multitenant IAM Administrator
    Read and write access to identity and authentication functions for all tenants in a multitenant hierarchy. Restricted to read-only access for logs. No access to dashboards and Cortex Data Lake (CDL) logs.
    • Prisma Access
    • Prisma SD-WAN
    Multitenant Manage User
    This role provides access to functions related to multitenant management and other common resources.
    • All Apps & Services
    Multitenant Monitor User
    This role provides access to functions related to multitenant monitoring and other common resources.
    • All Apps & Services
    Browser
    Browser read-only access to the common services features required by Palo Alto Networks UI.
    If you create a custom role without the necessary permissions for the UI to function, an access policy is automatically created for all apps and services with the Browser role.
     Assign this role to web UI users, but not to service accounts or other non-UI-oriented administrators.
    • All Apps & Services
    • Only available at the tenant or tenant service group (TSG) level. Cannot be assigned to a specific app.
    Business Administrator
    Read and write access to all subscription and license management for the selected app. Includes read-only access to other functions, such as access policies, service accounts, and tenant service group operations. No access to dashboards and Cortex Data Lake (CDL) logs. Includes the ability to activate product licenses through email activation link. Assign this role to administrators who manage devices, licenses, and subscriptions.
    • All Apps & Services
    • Only available at the tenant or tenant service group (TSG) level. Cannot be assigned to a specific app.
    When you add user access or add a service account, you can assign a predefined role to execute specific functions within the platform. You can also assign a batch of predefined roles to assign a role in bulk to multiple users or service accounts at the same time.

    Enterprise Roles

    Enterprise roles are a predefined set of permissions for managing enterprise applications and services. These roles include a collection of one or more system permissions for any app to use. The following table describes general enterprise roles and responsibilities. For more information about what each role can do, you can view the permissions in the platform for each role.
    Enterprise Roles
    Permissions
    Supported Applications
    ADEM Tier 1 Support
    For use with the Prisma Access app. Read-only access to specific incident remediation workflows for only Prisma Access Autonomous Digital Experience Management (ADEM). No access to other Prisma Access services. No access to dashboards and Cortex Data Lake (CDL) logs. Assign this role to third party helpdesk employees, tier 2 and 3 support, or administrators who only need ADEM access.
    • Prisma Access
    Auditor
    Read-only access to functions related to all configurations, including subscriptions and licenses for the selected app. Includes access to view dashboards but cannot download, share, and schedule reports. Includes access to Cortex Data Lake (CDL) logs. Assign this role to administrators who are tasked with examining the system for accuracy.
    • Prisma Access
    Data Security Administrator
    Read and write access to all data security functions for the selected app. Includes access to Cortex Data Lake (CDL) logs, dashboards, create custom dashboards, and download, share, and schedule reports. Includes read-only access to logs. This role includes a very small subset of privileges included in the Security Admin role. Assign this role to administrators who manage only decryption rule configurations.
    • Next-Generation CASB
    • Prisma Access
    Deployment Administrator
    Access to functions related to deployments. In addition, this role provides read-only access to other functions.
    • Cloud Identity Engine
    DLP Incident Administrator
    This role provides access to functions related to DLP incidents and reports. This role also provides read-only access to other functions, including but not limited to: data profile, data filtering profile, data pattern, EDM, and OCR settings.
    • Enterprise DLP
    DLP Policy Administrator
    This role provides access to functions related to DLP policy, including but not limited to: data profile, data filtering profile, data pattern, EDM, and OCR settings.
    • Enterprise DLP
    IAM Administrator
    Read and write access to identity and authentication functions for the selected app. Includes read-only access to logs. No access to dashboards and Cortex Data Lake (CDL) logs. Assign this role to administrators who manage users.
    • Prisma Access
    • Prisma SD-WAN
    Network Administrator
    Read and write access to logs and network policy configurations for the selected app. Includes read-only access to other functions: alerts, license quotas, devices, and tenant service group operations. Includes access to dashboards, create custom dashboards, and download, share, and schedule reports. Assign this role to administrators who need to maintain authentication, certificates, and decryption rules.
    • Prisma Access
    • Prisma SD-WAN
    Posture Security Administrator
    This role provides full SSPM functionality, but only for the SaaS applications that the administrators onboard themselves. It is intended to give IT/SaaS administrators visibility and full SSPM read and write access to the SaaS apps they are responsible for.
    • Next-Generation CASB
    Security Administrator
    Read and write access to logs and security policy configurations for the selected app. Includes read-only access to other functions, such as alerts, license quotas, devices, and tenant service group operations. Includes access to dashboards, create custom dashboards, and download, share, and schedule reports. Assign this role to administrators who need to maintain authentication, certificates, and decryption rules.
    • Next-Generation CASB
    • Prisma Access
    • Prisma SD-WAN
    SOC Analyst
    Access to functions related to logs, reports, events, alerts, and all configurations for the selected app. Assign this role to administrators who need to view and investigate threats and trends.
    • Cortex Data Lake
    • Prisma Access
    Superuser
    Read and write access to all available system-wide functions for the selected app. Includes all permissions assigned to all other roles, including MSP Superuser. Includes the ability to activate product licenses through email activation link. Assign this role only to users or service accounts that require unrestricted access.
    • AIOps for NGFW
    • AIOps for NGFW Free
    • Cloud Identity Engine
    • Cortex Data Lake
    • Enterprise DLP
    • IoT Security
    • Next-Generation CASB
    • Prisma Access
    • Prisma SD-WAN
    • SaaS Security Posture Management
    Tier 1 Support
    Read and write access to remediation workflows that update network, security, and device configurations for the selected app. Includes read-only access for alerts, access policies, configurations, license quotas, devices, and tenant service group operations. Full access to view dashboards, create custom dashboards, download, share, and schedule reports, and Cortex Data Lake (CDL) logs.
    • Prisma Access
    Tier 2 Support
    Read and write access to remediation workflows that update network, security, and device configurations for the selected app. Includes read-only access for alerts, access policies, configurations, license quotas, devices, and tenant service group operations. Full access to view dashboards, create custom dashboards, download, share, and schedule reports, and Cortex Data Lake (CDL) logs.
    • Prisma Access
    View Only Administrator
    Read-only access to all available system-wide functions for the selected app and logs (except DNS logs). Includes access to view dashboards except DNS dashboard. No access to download, share, and schedule dashboards.
    • Enterprise DLP
    • IoT Security
    • Next-Generation CASB
    • Prisma Access
    • Prisma SD-WAN
    • SaaS Security Posture Management
    Web Security Admin
    This role provides access to functions related to web security for Prisma Access.
    • Prisma Access
    When you add user access or add a service account, you can assign a predefined role to execute specific functions within a network. You can also assign a batch of predefined roles to assign a role in bulk to multiple users or service accounts at the same time.

    Recommended For You

    © 2023 Palo Alto Networks, Inc. All rights reserved.