When you add an identity in Common Services: Identity and Access, such as user access or a service account, you are granting the ability to access the platform at a particular level of the tenant hierarchy. The access you grant when you add user access, for example, is determined by two things: the location in the hierarchy where you add the user's access, and the role you assign to the user at that location.
Consider an example using tenants called ParentTenant, ChildTenantEast, ChildTenantNorthEast, and ChildTenantWest, as shown in the following screenshot. If you add user access at the top level of the hierarchy (ParentTenant), that access is inherited by the tenants nested below it (ChildTenantEast, ChildTenantNorthEast, and ChildTenantWest). For example, you can add user access to ParentTenant, assign the app All Apps & Services and the role Multitenant Superuser, and the user then has full access to manage all apps and services at every level of that nested hierarchy (ParentTenant, ChildTenantEast, ChildTenantNorthEast, and ChildTenantWest). Alternatively, you can add user access to ParentTenant, assign the app Prisma Access and the role View Only Administrator, and the user then has read-only access to just the Prisma Access product in the tenants within that nested hierarchy.
Now consider the tenant called ChildTenantEast in the same screenshot. You can add user access to ChildTenantEast, assign the app All Apps & Services and the role Multitenant Superuser, and the user then has full access to manage all apps and services within that nested hierarchy (ChildTenantEast and ChildTenantNorthEast). Because access at ParentTenant is inherited by the tenants nested below it, the app and role assigned to a user at the ParentTenant level also apply to that user at the ChildTenantEast and ChildTenantNorthEast levels. Inheritance does not apply from the bottom up: a user added at ChildTenantEast does not have access to ParentTenant, and a user added at ChildTenantNorthEast does not have access to ChildTenantEast or ParentTenant.
You can add the same user's access to multiple tenants, assigning that user different roles for various apps and services. When you delete user access from a tenant, this action does not delete the user from the platform as a whole; it only removes the user's access from that individual tenant. For example, if you delete a user's access from ChildTenantEast, the user still has access to ChildTenantNorthEast, because that access was previously inherited.
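As an added example (not Palo Alto Networks code), the following Python model materialises the inheritance rules described above so you can check where a grant is effective before and after a deletion; the tenant names come from this page, while the user names, the hierarchy table and the data structures are constructed for illustration.

```python
from collections import defaultdict

# Constructed hierarchy from the page's example: child tenant -> parent tenant.
PARENT = {
    "ParentTenant": None,
    "ChildTenantEast": "ParentTenant",
    "ChildTenantNorthEast": "ChildTenantEast",
    "ChildTenantWest": "ParentTenant",
}


def nested_tenants(tenant):
    """Return the tenant plus every tenant nested below it (top-down only)."""
    found = [tenant]
    for child, parent in PARENT.items():
        if parent == tenant:
            found.extend(nested_tenants(child))
    return found


class AccessTable:
    """grants[tenant][user] -> set of (app, role) pairs effective at that tenant."""

    def __init__(self):
        self.grants = defaultdict(lambda: defaultdict(set))

    def add_user_access(self, tenant, user, app, role):
        # The grant is copied to the tenant and everything nested below it,
        # never upward: adding at ChildTenantEast does not reach ParentTenant.
        for t in nested_tenants(tenant):
            self.grants[t][user].add((app, role))

    def delete_user_access(self, tenant, user):
        # Deletion is per tenant: copies already inherited by nested tenants
        # remain, and the user still exists on the platform.
        self.grants[tenant].pop(user, None)

    def roles(self, tenant, user):
        return set(self.grants[tenant].get(user, set()))

    def reach(self, user):
        """Audit helper: every tenant where the user still holds any access."""
        return sorted(t for t in PARENT if self.grants[t].get(user))


def demo():
    # Walk through the page's scenarios with constructed users alice and bob.
    table = AccessTable()
    table.add_user_access("ParentTenant", "alice", "All Apps & Services", "Multitenant Superuser")
    table.add_user_access("ChildTenantEast", "bob", "Prisma Access", "View Only Administrator")
    table.delete_user_access("ChildTenantEast", "bob")  # bob keeps ChildTenantNorthEast
    return table
```

Running `demo().reach("bob")` after the deletion shows that the inherited copy at ChildTenantNorthEast survives, which is the check to make when revoking access from the middle of a hierarchy.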
If you integrate with a third-party identity provider (IdP) for your enterprise, you do not have to create user accounts explicitly in the platform: users are added automatically when they authenticate successfully. However, roles still need to be assigned for all users. To ensure a seamless login and authorization experience for your users, you can add users and assign their roles ahead of time.