Common Services: Identity and Access
    : Add a Custom Role Through Common Services
    Focus
    Download PDF
    Focus
    1. Home
    2. Common Services
    3. Common Services: Identity and Access
    4. Manage Identity and Access Through Common Services
    5. Add a Custom Role Through Common Services
    Download PDF

    Common Services: Identity and Access

    Add a Custom Role Through Common Services

    Table of Contents

    Add a Custom Role Through Common Services

    Learn how to add a custom role through the Common Services.
    Where Can I Use This?What Do I Need?
    • Strata Cloud Manager
    • Strata Multitenant Cloud Manager
    • The hub
    • Superuser or Multitenant Superuser role
    If you require more granular access control than the predefined roles provide, you can add custom roles to define which permissions are enforced for your users. Similar to predefined roles, custom roles are a set of permissions and permission sets. Unlike predefined roles, each custom role is assignable only to the users in the hierarchy under the Tenant Service Group (TSG) where it's defined. This avoids name conflicts between similarly named custom roles defined by different customers.
    Consider an example using tenants called ParentTenant, ChildTenantEast, ChildTenantNorthEast, and ChildTenantWest in the following screenshot.
    If you add a custom role at the top level (ParentTenant) of the hierarchy, that role is assigned to the tenants nested below it (ChildTenantEast, ChildTenantNorthEast, and ChildTenantWest) so that the parent tenant can manage the child tenants. If you add a custom role at ChildTenantEast, the role is only inherited by ChildTenantNorthEast so that ChildTenantEast can manage ChildTenantNorthEast. A custom role added at ChildTenantWest is only for use by ChildTenantWest.
    Name your custom roles with specific names rather than generic names so that you can easily tell them apart. For example, if you add a custom role named Investigator to the ParentTenant, the role name of Investigator is also assigned to all the tenants nested below it, so that role name can no longer be used anywhere else in that nested hierarchy. Instead, consider using ParentInvestigator at the parent level, so that you can use ChildWestInvestigator if you need an investigator role that is only for use by ChildTenantWest. The same behavior exists from the bottom level of the hierarchy as well—if you first add a custom role named Investigator to ChildTenantWest, then the name of Investigator is no longer available for use by ParentTenant or any other tenant in that nested hierarchy.
    1. Use one of the various ways to access Identity & Access.
    2. Select Identity & AccessRolesCustom RolesAdd Custom Role to add a custom role.
    3. Add a Name and a Description for the role.
    4. Add permissions. The permissions are split between web interface and API.
      (Optional) If you select Web Interface:
      Web interface permission sets are grouped in a hierarchy for each application. The icon next to the permission set name indicates the permission access status. You will see all the permission sets even if you don't have a license to use all the corresponding applications.
      1. Select an icon to toggle the permission set access.
      2. Select an icon at a higher level in the hierarchy to toggle permissions at the lower levels as well.
      3. Select a check box for bulk change actions. The Read Write, Read-Only, and No Access become visible when one or more permission sets are selected, so you can set many permission sets to the same access all at once, rather than selecting each one individually.
      A variety of menus and tabs can be hidden from users in the web interface, but he following example shows hiding all the Common Services from the UI, such as: Subscription & Add-ons, Tenant Management, Identity & Access, and Device Associations.
      Consider a scenario where a managed security service provider (MSSP) or a distributed enterprise customer needs to grant an admin user access to a tenant, but that user does not need to manage any of the Common Services. A custom role can be added with No Access for each of the Common Services elements in the web interface tab:
      After you assign that role to users, they can access the tenant, but the Common Services menus are hidden:
      (Optional) If you select API:
      Any permissions that you had set using Web Interface are visible. You can't remove them from here, but you can remove them by changing them in Web Interface.
      1. Select Add Permissions to open the permissions modal. Permissions are listed in a hierarchy.
      2. Select permissions individually.
      3. Select a check box at a higher level in the hierarchy to toggle permissions at the lower levels as well.
      4. Select a check box for bulk change actions, so you can set many permissions all at once, rather than selecting each one individually.
      5. Save to add permissions to the list.
    5. Save your custom role changes.
      The role is saved with the following information:
      PropertyDescription
      Custom Role Name
      The role name you assigned.
      Custom Role ID
      The role ID you can use to map a tenant for authorization.
      Inherited From
      If the role is inherited, the name of the parent tenant where the role is inherited.
      Description
      The role name you assigned.
      Actions
      Modify a custom role through edit, clone, or delete.

    © 2024 Palo Alto Networks, Inc. All rights reserved.