Common Services: Identity and Access
    : PAN Resource Names
    Focus
    Download PDF
    Focus
    1. Home
    2. Common Services
    3. Common Services: Identity and Access
    4. Manage Third-Party Identity Provider Integrations Through Common Services
    5. PAN Resource Names
    Download PDF

    Common Services: Identity and Access

    PAN Resource Names

    Table of Contents

    PAN Resource Names

    Learn how to use access policy resource names for tenant mapping through the Common Services.
    When assigning an access policy to a user or a service account (such as in mapping a tenant for SAML authorization purposes), the PAN Resource Name identifies the tenant or tenant service group (TSG) hierarchy where you are applying access policies.

    Properties for Predefined Roles

    The properties available for assigning an access policy with a predefined role follow:
    PropertyDescriptionRequired
    predefined_role_name
    The role name as listed in all roles, not as displayed in the web interface label.
    Required
    prn
    Property resource name. Must be "prn".
    Required
    tsg_id
    The tenant service group ID as displayed in the web interface.
    Required
    app_id
    • AIOps for NGFW: strata_insights
    • AIOps for NGFW Free: strata_insights_free
    • Cloud Identity Engine: directory_sync
    • Strata Logging Service: logging_service
    • Enterprise DLP: dlp
    • IoT Security: zingbox
    • Next-Generation CASB: ng_casb
    • Prisma Access + NGFW: prisma_access
    • Prisma SD-WAN: cgx
    • Prisma Access Browser: seb
    Optional
    region
    		Reserved
    Reserved
    instance
    		Reserved
    Reserved
    resource_scope
    The name of a Strata Cloud Manager scope object. A scope object defines the specific folders, firewalls, Prisma Access deployments, and snippet configurations that Strata Cloud Manager admin roles can access and modify.
    Optional
    Use the properties in the following format: <predefined_role_name>@prn:<TSG_ID>:<app_id>:<region>:<instance>:<resource_scope>
    If app_id is left blank, then the role will apply to All Apps and Services.
    Example: superuser@prn:1234567890::::

    Properties for Custom Roles

    The properties available for assigning an access policy with a custom role follow:
    PropertyDescriptionRequired
    role_id
    The role ID as displayed in the Custom Role ID column in the format of name:number.
    Required
    prn
    Property resource name. Must be "prn".
    Required
    tsg_id
    The tenant service group ID as displayed in the web interface.
    Required
    app_id
    • AIOps for NGFW: strata_insights
    • AIOps for NGFW Free: strata_insights_free
    • Cloud Identity Engine: directory_sync
    • Strata Logging Service: logging_service
    • Enterprise DLP: dlp
    • IoT Security: zingbox
    • Next-Generation CASB: ng_casb
    • Prisma Access + NGFW: prisma_access
    • Prisma SD-WAN: cgx
    • Prisma Access Browser: seb
    Optional
    region
    		Reserved
    Reserved
    instance
    		Reserved
    Reserved
    resource_scope
    The name of a Strata Cloud Manager scope object. A scope object defines the specific folders, firewalls, Prisma Access deployments, and snippet configurations that Strata Cloud Manager admin roles can access and modify.
    Optional
    Use the properties in the following format: <role_id>@prn:<TSG_ID>:<app_id>:<region>:<instance>:<resource_scope>
    If app_id is left blank, then the role will apply to All Apps and Services.
    Example: role:1987654321@prn:1234567890::::

    © 2025 Palo Alto Networks, Inc. All rights reserved.