Add a Custom Role Through Common Services

Learn how to add a custom role through the Common Services.
If you require more granular access control than the predefined roles provide, you can add custom roles to define which permissions are enforced for your users. Similar to predefined roles, custom roles are a set of permissions and permission sets. Unlike predefined roles, each custom role is assignable only to the users in the hierarchy under the Tenant Service Group (TSG) where it is defined. This avoids name conflicts between similarly named custom roles defined by different customers.
Consider an example using tenants called ParentTenant, ChildTenantEast, ChildTenantNorthEast, and ChildTenantWest in the following screenshot.
If you add a custom role at the top level (ParentTenant) of the hierarchy, that role is assigned to the tenants nested below it (ChildTenantEast, ChildTenantNorthEast, and ChildTenantWest) so that the parent tenant can manage the child tenants. If you add a custom role at ChildTenantEast, the role is only inherited by ChildTenantNorthEast so that ChildTenantEast can manage ChildTenantNorthEast. A custom role added at ChildTenantWest is only for use by ChildTenantWest.
Name your custom roles with specific names rather than generic names so that you can easily tell them apart. For example, if you add a custom role named Investigator to the ParentTenant, the role name of Investigator is also assigned to all the tenants nested below it, so that role name can no longer be used anywhere else in that nested hierarchy. Instead, consider using ParentInvestigator at the parent level, so that you can use ChildWestInvestigator if you need an investigator role that is only for use by ChildTenantWest. The same behavior exists from the bottom level of the hierarchy as well—if you first add a custom role named Investigator to ChildTenantWest, then the name of Investigator is no longer available for use by ParentTenant or any other tenant in that nested hierarchy.
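The scoping and naming rules above can be checked against a tenant tree before any roles are created. The following is an added example, not Palo Alto Networks code or API: a small Python model that uses the page's tenant names, with the role name EastOperator and all function names being hypothetical.

```python
# Model of the custom-role scoping and naming rules described above.
# Constructed example; not Palo Alto Networks code or API.

# Tenant hierarchy from the page's example, stored as child -> parent.
PARENT_OF = {
    "ParentTenant": None,
    "ChildTenantEast": "ParentTenant",
    "ChildTenantNorthEast": "ChildTenantEast",
    "ChildTenantWest": "ParentTenant",
}

class RoleNameConflict(Exception):
    """Raised when a role name is already taken in the nested hierarchy."""

def ancestors_and_self(tenant):
    """Yield the tenant, then each ancestor up to the hierarchy root."""
    while tenant is not None:
        yield tenant
        tenant = PARENT_OF[tenant]

def add_custom_role(roles, name, defined_at):
    """Record a role; a name may exist only once in the whole hierarchy."""
    if defined_at not in PARENT_OF:
        raise KeyError(f"unknown tenant: {defined_at}")
    if name in roles:
        raise RoleNameConflict(f"{name!r} already defined at {roles[name]}")
    roles[name] = defined_at

def tenants_in_scope(roles, name):
    """Tenants where the role is assignable: its own TSG and all below it."""
    origin = roles[name]
    return sorted(t for t in PARENT_OF if origin in ancestors_and_self(t))

def roles_usable_at(roles, tenant):
    """Roles defined at the tenant or inherited from one of its ancestors."""
    chain = set(ancestors_and_self(tenant))
    return sorted(n for n, origin in roles.items() if origin in chain)

def demo():
    """Build the role set the page recommends (EastOperator is hypothetical)."""
    roles = {}
    add_custom_role(roles, "ParentInvestigator", "ParentTenant")
    add_custom_role(roles, "EastOperator", "ChildTenantEast")
    add_custom_role(roles, "ChildWestInvestigator", "ChildTenantWest")
    return roles

if __name__ == "__main__":
    for role in (roles := demo()):
        print(role, "->", tenants_in_scope(roles, role))
```

Running `tenants_in_scope` for each role before creating it shows how far down the hierarchy its permissions will reach, which is the least-privilege question to answer when deciding the level at which to define a role.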
  1. Use one of the various ways to access Identity & Access.
  2. Select Identity & Access. Only one way is shown here.
  3. Select Identity & Access/Access Management > Roles > Add Custom Role to add a custom role.
  4. Add a Name and a Description for the role.
  5. Add permissions.
    The permissions are split between Web UI and API.
    (Optional) If you select Web UI:
    Web UI permission sets are grouped in a hierarchy for each application. The icon next to the permission set name indicates the permission access status. You will see all the permission sets even if you don't have a license to use all the corresponding applications.
    1. Select an icon to toggle the permission set access.
    2. Select an icon at a higher level in the hierarchy to toggle permissions at the lower levels as well.
    3. Select a checkbox for bulk change actions. The Read Write, Read Only, and No Access actions become visible when one or more permission sets are selected, so you can set many permission sets to the same access all at once, rather than selecting each one individually.
    A variety of menus and tabs can be hidden from users in the web UI. The following example shows hiding all the Common Services from the UI, such as: Subscription & Add-ons, Tenant Management, Identity & Access, and Device Associations.
    Consider a scenario where a Managed Security Service Provider (MSSP) or a distributed enterprise customer needs to grant an admin user access to a tenant, but that user does not need to manage any of the Common Services. A custom role can be added with No Access for each of the Common Services elements in the Web UI tab.
    After you assign that role to users, they can access the tenant, but the Common Services menus are hidden.
    (Optional) If you select API:
    Any permissions that you had set using Web UI are visible. You cannot remove them from here, but you can remove them by changing them in Web UI.
    1. Select Add Permissions to open the permissions modal. Permissions are listed in a hierarchy.
    2. Select permissions individually.
    3. Select a checkbox at a higher level in the hierarchy to toggle permissions at the lower levels as well.
    4. Select a checkbox for bulk change actions, so you can set many permissions all at once, rather than selecting each one individually.
    5. Save to add permissions to the list.
  6. Save your custom role changes.
    The role is saved with the following information:

    | Property         | Description                                                                           |
    |------------------|---------------------------------------------------------------------------------------|
    | Custom Role Name | The role name you assigned.                                                           |
    | Custom Role ID   | The role ID you can use to map a tenant for authorization.                            |
    | Inherited From   | If the role is inherited, the name of the parent tenant where the role is inherited.  |
    | Description      | The role name you assigned.                                                           |
    | Actions          | Modify a custom role through edit, clone, or delete.                                  |
