>
    Invite Users to Cloud NGFW for AWS
    Focus
    Download PDF
    Focus
    1. Home
    2. Cloud NGFW for AWS
    3. Manage
    4. Invite Users to Cloud NGFW for AWS
    Download PDF
    Cloud NGFW for AWS

    Invite Users to Cloud NGFW for AWS

    Table of Contents

    Invite Users to Cloud NGFW for AWS

    Learn about the various user roles and how to invite users to a Cloud NGFW for AWS tenant.
    Where Can I Use This?What Do I Need?
    • Cloud NGFW for AWS
    • Cloud NGFW subscription
    • Palo Alto Networks Customer Support Account (CSP)
    • AWS Marketplace account
    • User role (either tenant or administrator)
    As a tenant admin, you can invite additional users to help manage your Cloud NGFW deployment. You can then place these new users into the roles necessary for their level of access. When you invite a user to the Cloud NGFW tenant, you specify the user’s email address and assigning one or more Cloud NGFW roles. The Cloud NGFW tenant sends the user an email that includes a registration link and temporary password. After logging in for the first time, the new user creates a new password. Until the invited user has accepted the invitation and logged in to the tenant, the invitation is considering pending.
    Cloud NGFW Role
    Permissions
    Admin
    • Add AWS Accounts.
    • Invite users and assign roles.
    • Create NGFW.
    • Create and manage global and local rulestacks.
    Tenant admin
    • Add AWS Accounts.
    • Invite users and assign roles.
    Tenant Reader
    • Read all firewall resources and its settings.
    • Read all global and local rulestacks.
    • Read all tenant users and tenant settings.
    Global Rulestack admin
    Create a global rulestack.
    Local firewall admin
    • Create NGFW.
    • Associate local rulestack with NGFWs.
    Local firewall administrators can only create NGFWs and associate rulestacks within a specified AWS account.
    Local Rulestack admin
    • Create local rulestacks.
    • Associate local rulestacks with NGFWs.
    Each Local Rulestack admin has an account ID associated with it. This allows local rulestacks created by that admin with NGFWs in the same account.
    The email address domain of users invited by the tenant admin must match the email address domain of the tenant admin’s login credentials.
    1. Log in to the Cloud NGFW tenant.
    2. Select SettingsUsers and RolesInvite User.
    3. Enter the FirstName, LastName, and Email address of the invitee.
    4. Select the new user’s role or roles from the Roles drop-down. You can now invite an existing user to a Cloud NGFW tenant.
    5. Click Create.
      After logging in, you will be prompted to Select a Tenant and click Continue. If you're a new user, you will receive an activation email through which you can register to SSO and log in to the tenant. Existing users can log in to the tenant directly using your SSO.

    Considerations for Multi-Account Use Cases

    If an AWS client account is already added to a tenant from the CNGFW console, then during the subscription process the user has a choice to log in with an exiting tenant or create a new one. The table below illustrates these use cases:
    Use case
    Steps
    If you're already registered to SSO.
    You won't receive an activation email
    If you're an existing user who isn't registered to SSO.
    You will receive an activation email to complete registration to SSO. However, you can still choose to sign in like earlier, until you complete the registration.
    Use a single email id to register to different tenants using the Login with an Existing Tenant option.
    After logging in, you will be prompted to Select a Tenant and click Continue. If you're a new user, you will receive an activation email through which you can register to SSO and log in to the tenant. Existing users can log in to the tenant directly using your SSO.

    © 2024 Palo Alto Networks, Inc. All rights reserved.