Enterprise DLP
Enable Role Based Access
Table of Contents
Enable Role Based Access
Configure role-based access for
Enterprise Data Loss Prevention (E-DLP)
to controll administrative
access.Where Can I Use This? | What Do I Need? |
---|---|
|
Or any of the following licenses that include the Enterprise DLP license
|
Configure and assign administrative privileges to control access to
Enterprise Data Loss Prevention (E-DLP)
. Role based access gives you granular control of who has
access to Enterprise DLP
and which aspects of Enterprise DLP
they have
access to. () Identity and access management for app, or assign a role for both. When a user is
assigned a role for both app, the access privileges
granted by the app-specific role take priority over the access privileges granted by
the
Strata Cloud Manager
Enterprise DLP
is controlled through Common Services. You can assign a
predefined or custom role for All Apps & Services
active
on your Strata Cloud Manager
tenant, a role for the Enterprise DLP
All Apps & Services
and the
Enterprise DLP
All Apps & Services
role. For example, you have both
Prisma Access (Managed by Strata Cloud Manager)
and Enterprise DLP
active on your
tenant. For Prisma Access
, you assign a user the View Only
Administrator
role. Later, you assign the same user the
DLP Policy Manager
for Enterprise DLP
. In this
instance, the user has read-only access to Prisma Access (Managed by Strata Cloud Manager)
but both read and
write access to the majority of Enterprise DLP
for configuration purposes. () Role based access to
Panorama
Enterprise DLP
is defined
using a custom Panorama
admin role associated with a Panorama
administrator account. The admin role defines the system access
available to the particular admin. If your Panorama
administrator already
has an admin role associated with their admin account, you can update it to define
granular access privileges Enterprise DLP
. If you want to grant access to only
Enterprise DLP
, you can Disable
all other UI nodes
except for those describes below. Strata Cloud Manager
Strata Cloud Manager
Configure role-based access for
Enterprise Data Loss Prevention (E-DLP)
on Strata Cloud Manager
.Strata Cloud Manager
supports the following roles to grant access privileges for the
Enterprise DLP
app specifically.Predefined Enterprise DLP Role | Privileges |
---|---|
DLP Incident Manager | Read and Write Access — Alerts, Incidents, health and
telemetry, reports, and Audit LogsRead Only Access —Data patterns, profiles, DLP Rules, EDM
data sets, OCR setting, and all DLP settings |
DLP Policy Manager | Read and Write Access — Data patterns, profiles, DLP
Rules, EDM data sets, OCR setting, health and telemetry, audit
logs, alerts, and all DLP settingsNo Access — Incidents and reports |
Multitenant Superuser | Full read and write privileges to Enterprise DLP for all
tenants in the particular multitenant hierarchy where the role
is assigned |
Superuser | Full read and write privileges for Enterprise DLP |
View Only Administrator | Read-only privileges for Enterprise DLP |
- Use one of the various ways to accessIdentity & Access.
- Add Access to your tenant whereEnterprise DLPis active.This step is required only if the user for which you’re grantingEnterprise DLPaccess isn’t already registered with the Palo Alto Networks Customer Support Portal (CSP).
- (Optional) Add a custom role through Common Services.You can use custom roles allow to define which permissions are enforced for your users and allow more granular access control toEnterprise DLPthan predefined roles.The access permissions applied to theData Loss Preventionparent node determines the lowest access privilege you can assign to any of its child node. For example, if you want provideNo AccessandRead Onlyto some areas ofEnterprise DLP, you must first assignNo Accessto theEnterprise DLPapplication.Below is an example of a customEnterprise DLProle. The custom role is configured with no access privileges to Audit Logs or any of theEnterprise DLPsettings. However, read-only access is configured for the Health & Telemetry and DLP Incidents, and full read and write privileges are configured for Data Profiles, all Detection Methods, Document Types, and DLP Rules.
- Assign role-based access forEnterprise DLP.You don’t need to configuring a tenant role for a user if access to onlyEnterprise DLPis required.
- SelectUserand for theIdentity Address, enter the email address for which you granted access in the previous step.
- ForApps & Services, select.Enterprise DLP
- Select a predefined or customEnterprise DLPRole.
- Submit.
- Continue based on yourEnterprise DLPaccess privileges.
Panorama
Panorama
Configure role-based access for
Enterprise Data Loss Prevention (E-DLP)
on your Panorama™ management server
.Panorama
allows you to define 1 of 3 different access privileges for any
given UI node:- Enable—Admin has full read and write access.
- Read Only—Admin has read only access. Admin cannot make any configuration changes.
- Disable—Admin has no access to the UI node and it is not displayed in thePanoramaweb interface when they are logged intoPanorama.
- Log in to thePanoramaweb interface.An administrator with access privileges to create an admin role and commit toPanoramais required.
- SelectandPanoramaAdmin RolesAdda new admin role.If you want to modify an existing admin role, select that admin role instead of creating a new one. Only one admin role profile can be associated with an administrator account.
- Configure theEnterprise DLPadmin role.
- Enter a descriptiveNamefor the admin role.
- For theRole, selectPanorama.
- In theWeb UI, define theEnterprise DLPaccess privileges you want to grant the Panorama administrator.
- —Access privileges to data filtering logs. You mustMonitorLogsData FilteringEnableor giveRead Onlyaccess to data filtering logs to allow the administrator to viewEnterprise DLPlog details.
- —Access privileges toObjectsCustom ObjectsData PatternsEnterprise DLPdata patterns.
- —Access privileges toObjectsSecurity ProfilesData FilteringEnterprise DLPdata profiles.
- —To grant read and write access to theDeviceSetupEnterprise DLPdata filtering and Cloud Content settings, you must enable read and write access to theContent-IDtab and disable access for the remaining settings.
- —Access privileges to upgrade thePanoramaPluginsEnterprise DLPplugin onPanoramaand read and write access to theEnterprise DLPsnippets settings.If you have otherPanoramaplugins installed, this will enable access to those configuration nodes in thetab as well.Panorama
- Configure any additional admin role access privileges as needed.For example, you can enablePush All Changes,, andCommitPanoramaTasksto allow the administrator to commit and pushEnterprise DLPchanges fromPanoramato managed firewalls and then view the job status in the Task Manager.
- ClickOK.
- Create anEnterprise DLPadministrator account.Skip this step if you modified an existing admin role already associated with an administrator account.
- SelectandPanoramaAdministratorAdda new administrator.
- Enter a descriptiveNamefor theEnterprise DLPadministrator account.
- Configure the authentication method for the administrator account using one of the following methods.
- Enter thePasswordandConfirm Password.
- Check (enable)Use Public Key Authenticationand clickImport Keyto import the SSH key.
- For theAdministrator Type, selectCustom Panorama Admin.
- For theProfile, select the admin role you created in the previous step.
- ClickOK.
- SelectandCommitCommit to PanoramaCommit.
- Verify theEnterprise DLPadministrator account is correctly configured.In this example, access to the data filtering logs, data patterns, data profiles, and the plugin tabs are enabled.
- Log in to thePanoramaweb interface using theEnterprise DLPadministrator account you created in the previous step.
- SelectMonitorand confirm only theData Filteringlogs are displayed.
- Selectand confirm thatObjectsDLPData Filtering ProfilesandData Filtering Patternsare displayed and configurable.Custom ObjectsandSecurity Profilesare also displayed but theEnterprise DLPis not able to configure these.
- Selectand confirm only theDeviceSetupContent-IDandDLPtabs are displayed and configurable.
- Selectand confirm that thePanoramaDLPEnterprise DLPConfigurationsettings are displayed and configurable.