Learn about the various user roles and how to invite users to a Cloud NGFW for AWS
tenant.
Where Can I Use This?

What Do I Need?
- Cloud NGFW subscription
- Palo Alto Networks Customer Support Account (CSP)
- AWS Marketplace account
- User role (either tenant or administrator)
Users and Roles Management in Cloud NGFW console
When you get started from an AWS member account or an AWS Firewall Manager account,
the initial subscribing user becomes the tenant administrator. As a tenant
administrator, you can invite additional users to help manage your Cloud NGFW
deployment and place each new user into the roles that match their required level of
access. When you invite a user to the Cloud NGFW tenant, you specify the user's email
address and assign one or more Cloud NGFW roles. The Cloud NGFW tenant sends the user
an email that includes a registration link and a temporary password. After logging in
for the first time, the new user creates a new password. Until the invited user has
accepted the invitation and logged in to the tenant, the invitation is considered
pending.

Cloud NGFW provides several predefined roles, each with specific permissions,
allowing organizations to enforce least-privilege access and align with operational
requirements. A user can be assigned one or more roles, and that access can be
adjusted or removed as your organization's needs evolve. The roles and their
associated permissions are described below.
Cloud NGFW roles and their permissions:

Tenant Reader
- Read all firewall resources and their settings.
- Read all global and local rulestacks.
- Read all tenant users and tenant settings.

Global Rulestack Admin
- Create a global rulestack.

Global Firewall Admin
- The Global Firewall Admin role is automatically assigned to the first user of a new
  tenant, along with the Tenant Admin role. This assignment occurs when you create the
  subscription through AWS Marketplace and establish a new tenant.
- The Global Firewall Admin role includes permissions to create, read, update, or
  delete a firewall without linking it to an AWS account. It additionally grants
  permissions for rulestack management.
- Consider the following:
  - The Local Firewall Admin role is still assigned after linking your tenant to an
    AWS account. The Cloud NGFW console automatically prevents you from selecting
    these roles if the account is not linked.
  - The Local Firewall Admin role is only applicable when an account is added and
    onboarded to the tenant. When you invite a user to an account that is already
    onboarded, you must manually assign the Local Firewall Admin role to the new
    user; this role is never automatically assigned to new users.
  - If the account is onboarded using the simplified onboarding process and the
    logged-in user has Local Firewall Admin permissions, DeleteProtection is applied
    to the Global Firewall Admin and Local Firewall Admin roles when a new firewall
    is created.

Local Firewall Admin
- Local firewall administrators can only create NGFWs and associate rulestacks within
  a specified AWS account.

Local Rulestack Admin
- Each Local Rulestack Admin has an account ID associated with it. This allows local
  rulestacks created by that admin to be associated with NGFWs in the same account.
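The invitation flow and the role model above lend themselves to a periodic least-privilege review of the tenant's user list: pending invitations that were never accepted still carry an emailed temporary password, account-scoped roles (Local Firewall Admin, Local Rulestack Admin) should only point at accounts that are onboarded to the tenant, and tenant-wide write roles should be held by a small, known set of people. The following audit script is an added example, not Palo Alto Networks code and not the Cloud NGFW console's own check. The user records and their field names (`email`, `status`, `invited`, `roles` as role/account pairs) are constructed for illustration and are an assumption about how a tenant user export might look; they are not the Cloud NGFW API schema.

```python
"""Least-privilege audit over a Cloud NGFW tenant user list.

Added example, not Palo Alto Networks code. The user records are constructed
to mirror the concepts on this page (roles, pending invitations, account-scoped
local roles); the record layout is an assumption, not the Cloud NGFW API schema.
"""
from datetime import datetime, timedelta, timezone

# Role names as they appear on this page.
TENANT_ADMIN = "Tenant Admin"
TENANT_READER = "Tenant Reader"
GLOBAL_FIREWALL_ADMIN = "Global Firewall Admin"
GLOBAL_RULESTACK_ADMIN = "Global Rulestack Admin"
LOCAL_FIREWALL_ADMIN = "Local Firewall Admin"
LOCAL_RULESTACK_ADMIN = "Local Rulestack Admin"

# Roles scoped to one onboarded AWS account (each Local Rulestack Admin carries an
# account ID, and Local Firewall Admin only applies to an onboarded account).
ACCOUNT_SCOPED_ROLES = {LOCAL_FIREWALL_ADMIN, LOCAL_RULESTACK_ADMIN}
# Roles that grant tenant-wide write access.
GLOBAL_WRITE_ROLES = {TENANT_ADMIN, GLOBAL_FIREWALL_ADMIN, GLOBAL_RULESTACK_ADMIN}

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed clock so results are stable

# Constructed tenant export (hypothetical shape). "roles" holds (role, account_id)
# pairs; account_id is None for tenant-wide roles.
ONBOARDED_ACCOUNTS = {"111111111111", "222222222222"}
USERS = [
    {"email": "owner@example.com", "status": "active", "invited": "2024-01-10",
     "roles": [(TENANT_ADMIN, None), (GLOBAL_FIREWALL_ADMIN, None)]},
    {"email": "auditor@example.com", "status": "active", "invited": "2024-02-01",
     "roles": [(TENANT_READER, None)]},
    {"email": "ops-a@example.com", "status": "active", "invited": "2024-03-05",
     "roles": [(LOCAL_FIREWALL_ADMIN, "111111111111"),
               (LOCAL_RULESTACK_ADMIN, "111111111111")]},
    {"email": "contractor@example.com", "status": "pending", "invited": "2024-04-01",
     "roles": [(GLOBAL_FIREWALL_ADMIN, None)]},
    {"email": "legacy@example.com", "status": "active", "invited": "2023-11-20",
     "roles": [(LOCAL_FIREWALL_ADMIN, "333333333333")]},
    {"email": "noroles@example.com", "status": "active", "invited": "2024-05-01",
     "roles": []},
]


def audit_users(users, onboarded_accounts, now=NOW, stale_after_days=14,
                max_global_writers=2):
    """Return a sorted list of (email, finding) tuples for the given tenant users."""
    findings = []
    global_writers = 0
    for u in users:
        roles = {r for r, _ in u["roles"]}
        invited = datetime.fromisoformat(u["invited"]).replace(tzinfo=timezone.utc)
        # 1. A pending invitation still carries the emailed temporary password;
        #    revoke it if it is not accepted within a reasonable window.
        if u["status"] == "pending" and now - invited > timedelta(days=stale_after_days):
            findings.append((u["email"], "stale pending invitation"))
        # 2. Account-scoped roles must reference an account onboarded to the tenant.
        for role, account in u["roles"]:
            if role in ACCOUNT_SCOPED_ROLES and account not in onboarded_accounts:
                findings.append((u["email"],
                                 f"{role} bound to non-onboarded account {account}"))
        # 3. A user with no roles has no business in the tenant; remove the user.
        if not roles:
            findings.append((u["email"], "no roles assigned"))
        if roles & GLOBAL_WRITE_ROLES:
            global_writers += 1
    # 4. Keep tenant-wide writers (including pending invitees) to a few named people.
    if global_writers > max_global_writers:
        findings.append(("<tenant>",
                         f"{global_writers} users hold tenant-wide write roles "
                         f"(limit {max_global_writers})"))
    return sorted(findings)


if __name__ == "__main__":
    for email, finding in audit_users(USERS, ONBOARDED_ACCOUNTS):
        print(f"{email}: {finding}")
```

Against the constructed data the script reports the stale contractor invitation, the Local Firewall Admin bound to an account that is not onboarded, and the user with no roles; the tenant-wide writer count (the owner plus the pending contractor) stays at the limit of two. Lower `max_global_writers` to one to see how the check flags a second Global Firewall Admin the moment the invitation is sent, not only once it is accepted.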