FAQ: Where are My App Tiles, Instances, Roles, and More
    : FAQ: Where are My App Tiles, Instances, Roles, and More
    Focus
    Download PDF
    Focus
    1. Home
    2. Common Services
    3. FAQ: Where are My App Tiles, Instances, Roles, and More
    4. FAQ: Where are My App Tiles, Instances, Roles, and More
    Download PDF

    FAQ: Where are My App Tiles, Instances, Roles, and More

    FAQ: Where are My App Tiles, Instances, Roles, and More

    Table of Contents

    FAQ: Where are My App Tiles, Instances, Roles, and More

    Frequently asked questions regarding changes to the
    hub
    , apps, subscription management, tenant management, tsg migration, identity and access management, and more.
    The following topics address frequently asked questions regarding changes to the
    hub
    , apps, subscription management, tenant management, identity and access management, and more. You might have different questions if you are moving to
    Strata Cloud Manager
    .

    What is the TSG migration?

    You have likely received information about the transition of your
    Prisma Access
     instance,
    Prisma SD-WAN
     instance, or other app instance to a tenant or Tenant Service Group (TSG) in the
    Prisma SASE Platform
     or the
    hub
    . The ultimate goal is to provide you with an integrated experience. A foundational step in that direction is tenant migration.
    The process of migrating
    Prisma Access
     app instances (for example) from a Customer Support Portal model to a tenant model is still in progress. Along with the
    Prisma Access
     instances, all their dependencies such as
    Cortex Data Lake
     and Cloud Identity Engine (CIE) instances also get migrated. The tenant migration happens on a rolling basis, so
    Prisma Access
     &
    Prisma SD-WAN
     instances and dependent apps get migrated at different times. The app tiles remain on the original support account view of the
    hub
     as long as there are non-migrated instances in that Customer Support Portal. After all your instances are migrated, you no longer see the app tile on the
    hub
    . However, there is a button on the
    hub
     to navigate to your tenant on the
    Prisma SASE Multitenant Portal
    . There is also a new tenant view of the
    hub
     for your transitioned tenants.
    For apps in the tenant view, use Common Services for license activation, subscription management, tenant management, and identity and access management. There are a few ways to access Common Services and view apps by tenant:
    First Time Activation
    Prisma SASE Multitenant Portal
    Tenant View of the hub
    AIOps for NGFW
    If you are activating a license for the first time, you are automatically directed to
    Common Services
    Subscription & Tenant Management
     during the activation process.
    If you have received information about the transition of your tenant to the
    Prisma SASE Multitenant Portal
    , you can access through sase.paloaltonetworks.com or through the
    original support account view of the
    hub
    Prisma SASE Multitenant Portal
     button
    Tenants and Services
    Common Services
    Subscription & Tenant Management
    .
    To access
    Common Services
     directly from the
    hub
    , toggle to
    tenant view of the
    hub
    Common Services
    Subscription & Tenant Management
    If you have received information about the transition of your AIOps instance to a tenant, you can access through
    AIOps
    Settings
    Subscription & Tenant Management
    .

    Where are my instances?

    The original support account view of the
    hub
     and the tenant view of the
    hub
     are two completely independent platforms and not just different UI themes. They use different authentication and authorization methods. A given instance can either be accessed from the support account view or the tenant view, but never from both.
    In the following example, Customer Support Portal Alvisofin Corp has multiple
    Cortex Data Lake
    ,
    Prisma Access
    , and CIE instances that are visible on the original support account view of the
    hub
     before migration. The two Prisma Access instances along with their dependent apps,
    Cortex Data Lake
     and CIE, are then migrated to TSGs. After the migration, the migrated Prisma Access,
    Cortex Data Lake
    , and CIE tenants will only show up on the tenant view of the
    hub
    , but the Alvisofin Corp
    Cortex Data Lake
     - AU instance that was not associated with any
    Prisma Access
     instance is still only visible from the original support account view of the
    hub
    .

    Where is my list of support accounts?

    When Palo Alto Networks migrates an instance of an app to a tenant, it automatically creates a new TSG name where the TSG ID is appended to the Customer Support Portal name. If multiple
    Prisma Access
     instances or multiple app instances exist in the same Customer Support Portal support account, then multiple tenants are created. After the migration, in the tenant name list in the tenant view of the
    hub
    , there are now multiple entries with the Customer Support Portal name appended with the instance name and the new TSG ID.
    After the migration, the tenant name list looks as follows, pinned in the tenant view of the
    hub
    . You can dismiss the pin as well as pin it again. You can search for your tenants either by name or by ID.
    You can edit the tenant name from
    Common Services
    Tenant Management
    Tenant name
    Edit Tenant
    .

    What is the replacement for the Explore app?

    The Explore app is designed for use with Customer Support Portal accounts, where you can switch between different
    Cortex Data Lake
     and CIE instances within the same Customer Support Portal. The functionality is not available for TSGs. Since the TSG tenant is the data boundary, it is not allowed to view logs across tenants.
    As an alternative, you can use embedded Log Viewer in the
    Prisma SASE Multitenant Portal
     or the embedded Explore in
    Cortex Data Lake
    .
    You can switch between products or tenants to see logs from different
    Cortex Data Lake
     apps or CIE apps through the tenant, or launch different
    Cortex Data Lake
     tenants from the tenant view of the
    hub
    .

    How do I generate the OTP or associate CIE?

    In the original support account view of the
    hub
    , the Panorama tile showed the Panorama instances for managing
    Prisma Access
    , but not the Panorama instances for managing the Next Generation Firewall (NGFW). Unlike other tiles in the original support account view of the
    hub
    , clicking on any of these Panorama tiles did not open the Panorama UI. There were two operations that you could do with the Panorama tiles:
    • Generate a One Time Password (OTP) for Panorama
    • Associate CIE to the
      Prisma Access
       instance it manages
    In the tenant view of the
    hub
    , there is no benefit in showing the Panorama tile, so it is removed. In the tenant view of the
    hub
    , a
    Prisma Access
     tenant is created for every Panorama-managed Prisma Access instance during the TSG migration. The CIE association with Prisma Access is automatically done either during migration or during onboarding. There is no need to explicitly associate CIE as it was previously done in the original support account view of the
    hub
    .
    The OTP can be generated during license activation for for Panorama-Managed or from
    Common Services
    Tenant Management
    Tenant name
    Generate OTP
    .

    Where are my roles?

    The original support account view of the
    hub
     and the tenant view of the
    hub
     have different authentication and authorization methods. The original support account view of the
    hub
     uses our RBAC based role access model, while the tenant view of the
    hub
     uses Common Services: Identity & Access Management (IAM) for access and role management.
    In the tenant view of the
    hub
    , the dependency on the Customer Support Portal and RBAC roles is removed. All users need a role in the IAM system to access TSGs and TSG-based tenants. When instances are migrated from the original support account view of the
    hub
     to the tenant view of the
    hub
    , all the users and their access permissions are also migrated to the IAM system. New IAM role names and permissions automatically get assigned, which are equivalent to the previous RBAC roles.
    Roles in the original support account view of the
    hub
     and the tenant view of the
    hub
     are not shared, and it is only during the initial instance migration that RBAC roles are migrated to IAM roles.
    For migrated tenants, existing users who had access before the migration will still have access after migration. But if new users need to be added to the tenants, different steps need to be followed to add user access. The admins who can add user access are those with Multitenant Superuser or IAM Administrator roles, depending on the app. Users in the tenant view of the
    hub
     are not required to be added to Customer Support Portal accounts unless needed to operate onboarding or offboarding tasks.
    You can see the users and roles from
    Common Services
    Identity & access
    Access Management
    . Find out more about identity and access.
    App
    RBAC Role
    RBAC Scope
    IAM Roles
    IAM Scope
    N/A
    Account Administrator
    Support Account
    Superuser (Multitenant Superuser)
    TSG
    Any
    App Administrator
    App
    Superuser (Multitenant Superuser)
    App
    Instance Administrator
    App Instance
    Superuser (Multitenant Superuser)
    App
    Cortex Data Lake
    Log Viewer Admin
    App Instance
    SOC Analyst
    App
    CIE
    Deployment Admin
    App Instance
    Deployment Administrator
    App
    IoT
    Owner
    App Instance
    Superuser (Multitenant Superuser)
    App
    Administrator
    App Instance
    Superuser (Multitenant Superuser)
    App
    Read-Only
    App Instance
    View Only Administrator
    App
    Deployment
    App Instance
    Deprecated
    Prisma Access
    Super Reader
    App Instance
    View Only Administrator
    App
    Audit Admin
    App Instance
    Auditor
    App
    Crypto Admin
    App Instance
    Deprecated
    Security Admin
    App Instance
    Security Administrator
    App
    Web Security Admin
    App Instance
    Web Security Administrator
    App
    Data Loss Prevention Admin
    App Instance
    Superuser (assigned to DLP app)
    App
    Data Security Admin
    App Instance
    Data Security Administrator
    App
    SaaS Admin
    App Instance
    Superuser (assigned to SaaS app)
    App
    Prisma SD-WAN
    esp_super + tenant_super + esp_machine_admin+ esp_admin
    App Instance
    Multitenant Superuser
    TSG
    tenant_super
    App Instance
    Superuser
    TSG (if the only app being migrated is
    Prisma SD-WAN
    , otherwise App)
    tenant_view_only
    App Instance
    View Only Administrator
    App
    tenant_iam_admin
    App Instance
    IAM Administrator
    TSG (if the only app being migrated is
    Prisma SD-WAN
    , otherwise App)
    esp_iam_admin + tenant_iam_admin
    App Instance
    Multitenant IAM Administrator
    TSG (if the only app being migrated is
    Prisma SD-WAN
    , otherwise App)
    tenant_network_admin
    App Instance
    Network Administrator
    App
    tenant_security_admin
    App Instance
    Security Administrator
    App

    Which applications are supported in the tenant view of the
    hub
    ?

    Apps and add-ons with full TSG support (migration still in progress on a rolling basis):
    • Prisma Access
       (including Enterprise DLP and SaaS Security in Cloud-managed
      Prisma Access
      , including
      Prisma Access (Panorama Managed)
      )
    • Cortex Data Lake
    • CIE
    • ELA with the AIOps for NGFW add-on or the IoT Security add-on
    • Prisma SD-WAN
    • AIOps
    • IoT Security
    Apps and add-ons that remain in the original support account view of the
    hub
    :
    • Prisma Cloud
    • SAAS Inline NGFW
    • XSOAR Marketplace
    Apps removed from the tenant view of the
    hub
    :
    • Explore

    Recommended For You

    © 2024 Palo Alto Networks, Inc. All rights reserved.