Enable Role Based Access
Configure role-based access for Enterprise Data Loss Prevention (E-DLP) to control administrative access.
Where Can I Use This?
  • NGFW (Managed by Panorama)
  • Prisma Access (Managed by Strata Cloud Manager)
  • SaaS Security
  • NGFW (Managed by Strata Cloud Manager)
What Do I Need?
  • Enterprise Data Loss Prevention (E-DLP) license
  • NGFW (Managed by Panorama)—Support and Panorama device management licenses
  • Prisma Access (Managed by Strata Cloud Manager)—Prisma Access license
  • SaaS Security—SaaS Security license
  • NGFW (Managed by Strata Cloud Manager)—Support and AIOps for NGFW Premium licenses
Or any of the following licenses that include the Enterprise DLP license:
  • Prisma Access CASB license
  • Next-Generation CASB for Prisma Access and NGFW (CASB-X) license
  • Data Security license
Configure and assign administrative privileges to control access to Enterprise Data Loss Prevention (E-DLP). Role-based access gives you granular control over who has access to Enterprise DLP and which aspects of Enterprise DLP they have access to.
(Strata Cloud Manager) Identity and access management for Enterprise DLP is controlled through Common Services. You can assign a predefined or custom role for All Apps & Services active on your Strata Cloud Manager tenant, a role for the Enterprise DLP app, or a role for both. When a user is assigned a role for both All Apps & Services and the Enterprise DLP app, the access privileges granted by the app-specific role take priority over the access privileges granted by the All Apps & Services role.
For example, you have both Prisma Access (Managed by Strata Cloud Manager) and Enterprise DLP active on your tenant. For Prisma Access, you assign a user the View Only Administrator role. Later, you assign the same user the DLP Policy Manager role for Enterprise DLP. In this instance, the user has read-only access to Prisma Access (Managed by Strata Cloud Manager) but both read and write access to the majority of Enterprise DLP for configuration purposes.
(Panorama) Role-based access to Enterprise DLP is defined using a custom Panorama admin role associated with a Panorama administrator account. The admin role defines the system access available to the particular admin. If your Panorama administrator already has an admin role associated with their admin account, you can update it to define granular access privileges for Enterprise DLP. If you want to grant access to only Enterprise DLP, you can Disable all other UI nodes except for those described below.

Strata Cloud Manager

Configure role-based access for Enterprise Data Loss Prevention (E-DLP) on Strata Cloud Manager.
Strata Cloud Manager supports the following roles to grant access privileges for the Enterprise DLP app specifically.
Predefined Enterprise DLP roles and their privileges:
  • DLP Incident Manager
    Read and Write Access—Alerts, Incidents, health and telemetry, reports, and Audit Logs
    Read Only Access—Data patterns, profiles, DLP Rules, EDM data sets, OCR setting, and all DLP settings
  • DLP Policy Manager
    Read and Write Access—Data patterns, profiles, DLP Rules, EDM data sets, OCR setting, health and telemetry, audit logs, alerts, and all DLP settings
    No Access—Incidents and reports
  • Multitenant Superuser
    Full read and write privileges to Enterprise DLP for all tenants in the particular multitenant hierarchy where the role is assigned
  • Superuser
    Full read and write privileges for Enterprise DLP
  • View Only Administrator
    Read-only privileges for Enterprise DLP
  1. Use one of the various ways to access Identity & Access.
  2. Add Access to your tenant where Enterprise DLP is active.
    This step is required only if the user to whom you’re granting Enterprise DLP access isn’t already registered with the Palo Alto Networks Customer Support Portal (CSP).
  3. You can use custom roles to define which permissions are enforced for your users and to allow more granular access control to Enterprise DLP than predefined roles.
    The access permissions applied to the Data Loss Prevention parent node determine the lowest access privilege you can assign to any of its child nodes. For example, if you want to provide No Access and Read Only to some areas of Enterprise DLP, you must first assign No Access to the Enterprise DLP application.
    Below is an example of a custom Enterprise DLP role. The custom role is configured with no access privileges to Audit Logs or any of the Enterprise DLP settings. However, read-only access is configured for Health & Telemetry and DLP Incidents, and full read and write privileges are configured for Data Profiles, all Detection Methods, Document Types, and DLP Rules.
  4. Assign role-based access for Enterprise DLP.
    You don’t need to configure a tenant role for a user if access to only Enterprise DLP is required.
    1. Select User and, for the Identity Address, enter the email address for which you granted access in the previous step.
    2. For Apps & Services, select Enterprise DLP.
    3. Select a predefined or custom Enterprise DLP Role.
    4. Submit.
  5. Continue based on your Enterprise DLP access privileges.
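The two rules that decide what a Strata Cloud Manager user can actually do in Enterprise DLP are the precedence rule (an app-specific role overrides the All Apps & Services role) and the custom-role floor rule (the Data Loss Prevention parent node sets the lowest privilege any child node may have). The following is an added example, not Palo Alto Networks code and not an API client: it transcribes the predefined role table above into a small model so a planned assignment can be sanity-checked offline. The area names and the custom role's node names are constructed identifiers, and it assumes that a tenant role with no app role applies its privileges to the DLP app unchanged.

```python
"""Added example: offline model of the Enterprise DLP role rules on Strata Cloud Manager.

Not Palo Alto Networks code. Encodes the role precedence rule, the predefined
role table and the custom-role parent-node rule described in the text.
"""
from enum import IntEnum
from typing import Dict, List, Mapping, Optional


class Access(IntEnum):
    """Ordered so that '<' means 'less privileged than'."""
    NO_ACCESS = 0
    READ_ONLY = 1
    READ_WRITE = 2


# Functional areas named in the predefined-role table (constructed identifiers).
AREAS = (
    "alerts", "incidents", "health_telemetry", "reports", "audit_logs",
    "data_patterns", "profiles", "dlp_rules", "edm_data_sets",
    "ocr_setting", "dlp_settings",
)


def _grant(level: Access, *areas: str) -> Dict[str, Access]:
    return {a: level for a in areas}


# Predefined Enterprise DLP app roles, transcribed from the table above.
PREDEFINED: Dict[str, Dict[str, Access]] = {
    "DLP Incident Manager": {
        **_grant(Access.READ_WRITE, "alerts", "incidents", "health_telemetry",
                 "reports", "audit_logs"),
        **_grant(Access.READ_ONLY, "data_patterns", "profiles", "dlp_rules",
                 "edm_data_sets", "ocr_setting", "dlp_settings"),
    },
    "DLP Policy Manager": {
        **_grant(Access.READ_WRITE, "data_patterns", "profiles", "dlp_rules",
                 "edm_data_sets", "ocr_setting", "health_telemetry",
                 "audit_logs", "alerts", "dlp_settings"),
        **_grant(Access.NO_ACCESS, "incidents", "reports"),
    },
    # Same per-tenant privileges as Superuser, applied across the multitenant hierarchy.
    "Multitenant Superuser": _grant(Access.READ_WRITE, *AREAS),
    "Superuser": _grant(Access.READ_WRITE, *AREAS),
    "View Only Administrator": _grant(Access.READ_ONLY, *AREAS),
}


def effective_dlp_access(tenant_role: Optional[str], app_role: Optional[str]) -> Dict[str, Access]:
    """Resolve a user's privileges inside the Enterprise DLP app.

    Rule from the page: when both an All Apps & Services (tenant) role and an
    Enterprise DLP app role are assigned, the app-specific role wins outright.
    Assumption: a tenant role with no app role applies unchanged to the app.
    """
    if app_role is not None:
        return dict(PREDEFINED[app_role])
    if tenant_role is not None:
        return dict(PREDEFINED[tenant_role])
    return _grant(Access.NO_ACCESS, *AREAS)


def validate_custom_role(parent: Access, children: Mapping[str, Access]) -> List[str]:
    """Apply the parent-node rule: the Data Loss Prevention parent node's
    access is the floor for every child node. Returns the violations found."""
    return [
        f"{node}: {level.name} is below the parent node's {parent.name}"
        for node, level in children.items()
        if level < parent
    ]


# The custom role described in step 3 (constructed node names).
EXAMPLE_CUSTOM_ROLE: Dict[str, Access] = {
    "audit_logs": Access.NO_ACCESS,
    "dlp_settings": Access.NO_ACCESS,
    "health_telemetry": Access.READ_ONLY,
    "incidents": Access.READ_ONLY,
    "profiles": Access.READ_WRITE,
    "detection_methods": Access.READ_WRITE,
    "document_types": Access.READ_WRITE,
    "dlp_rules": Access.READ_WRITE,
}


if __name__ == "__main__":
    # The page's worked example: View Only on the tenant, DLP Policy Manager on the app.
    eff = effective_dlp_access("View Only Administrator", "DLP Policy Manager")
    print("dlp_rules:", eff["dlp_rules"].name, "| incidents:", eff["incidents"].name)
    # The parent node must be No Access for this custom role; Read Only is too high.
    print("floor No Access ->", validate_custom_role(Access.NO_ACCESS, EXAMPLE_CUSTOM_ROLE))
    print("floor Read Only ->", validate_custom_role(Access.READ_ONLY, EXAMPLE_CUSTOM_ROLE))
```

Running the module shows the worked example resolving to read and write on DLP rules but no access to incidents, and shows that the step 3 custom role is only consistent when the parent node is set to No Access; with a Read Only parent, the two No Access child nodes are reported as violations.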

Panorama

Configure role-based access for Enterprise Data Loss Prevention (E-DLP) on your Panorama™ management server.
Panorama allows you to define 1 of 3 different access privileges for any given UI node:
  • Enable—Admin has full read and write access.
  • Read Only—Admin has read only access. Admin cannot make any configuration changes.
  • Disable—Admin has no access to the UI node and it is not displayed in the Panorama web interface when they are logged into Panorama.
  1. Log in to the Panorama web interface.
    An administrator with access privileges to create an admin role and commit to Panorama is required.
  2. Select Panorama > Admin Roles and Add a new admin role.
    If you want to modify an existing admin role, select that admin role instead of creating a new one. Only one admin role profile can be associated with an administrator account.
  3. Configure the Enterprise DLP admin role.
    1. Enter a descriptive Name for the admin role.
    2. For the Role, select Panorama.
    3. In the Web UI, define the Enterprise DLP access privileges you want to grant the Panorama administrator.
      • Monitor > Logs > Data Filtering—Access privileges to data filtering logs. You must Enable or give Read Only access to data filtering logs to allow the administrator to view Enterprise DLP log details.
      • Objects > Custom Objects > Data Patterns—Access privileges to Enterprise DLP data patterns.
      • Objects > Security Profiles > Data Filtering—Access privileges to Enterprise DLP data profiles.
      • Device > Setup—To grant read and write access to the Enterprise DLP data filtering and Cloud Content settings, you must enable read and write access to the Content-ID tab and disable access for the remaining settings.
      • Panorama > Plugins—Access privileges to upgrade the Enterprise DLP plugin on Panorama and read and write access to the Enterprise DLP snippets settings.
        If you have other Panorama plugins installed, this will enable access to those configuration nodes in the Panorama tab as well.
    4. Configure any additional admin role access privileges as needed.
      For example, you can enable Push All Changes, Commit > Panorama, and Tasks to allow the administrator to commit and push Enterprise DLP changes from Panorama to managed firewalls and then view the job status in the Task Manager.
    5. Click OK.
  4. Create an Enterprise DLP administrator account.
    Skip this step if you modified an existing admin role already associated with an administrator account.
    1. Select Panorama > Administrator and Add a new administrator.
    2. Enter a descriptive Name for the Enterprise DLP administrator account.
    3. Configure the authentication method for the administrator account using one of the following methods.
      • Enter the Password and Confirm Password.
      • Check (enable) Use Public Key Authentication and click Import Key to import the SSH key.
    4. For the Administrator Type, select Custom Panorama Admin.
    5. For the Profile, select the admin role you created in the previous step.
    6. Click OK.
  5. Select Commit > Commit to Panorama and Commit.
  6. Verify the Enterprise DLP administrator account is correctly configured.
    In this example, access to the data filtering logs, data patterns, data profiles, and the plugin tabs is enabled.
    1. Log in to the Panorama web interface using the Enterprise DLP administrator account you created in the previous step.
    2. Select Monitor and confirm only the Data Filtering logs are displayed.
    3. Select Objects > DLP and confirm that Data Filtering Profiles and Data Filtering Patterns are displayed and configurable.
      Custom Objects and Security Profiles are also displayed, but the Enterprise DLP administrator is not able to configure these.
    4. Select Device > Setup and confirm only the Content-ID and DLP tabs are displayed and configurable.
    5. Select Panorama > DLP and confirm that the Enterprise DLP Configuration settings are displayed and configurable.
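The verification step above checks the result by eye in the web interface. The following is an added example, not Palo Alto Networks code, that turns the node list from step 3 into a least-privilege audit: given an admin role written down as a plain mapping of UI node to privilege (a constructed representation you would fill in from the Web UI tab of the admin role, since this code does not read Panorama configuration), it reports required Enterprise DLP nodes that are missing or below their minimum privilege, and any other node that was left Enabled or Read Only contrary to the "Disable all other UI nodes" guidance. The commit, push and Tasks nodes from step 3.4 are tolerated, and the node path strings are constructed labels that follow the page's menu paths.

```python
"""Added example: audit a Panorama admin role against the Enterprise DLP node baseline.

Not Palo Alto Networks code. The role is a constructed dict of UI node path to
privilege; the node paths are labels that follow the menu paths in the text.
"""
from enum import Enum
from typing import Dict, List, Mapping, Tuple


class Priv(Enum):
    """The three privileges Panorama allows per UI node."""
    ENABLE = "enable"
    READ_ONLY = "read-only"
    DISABLE = "disable"


# Nodes the text says an Enterprise DLP admin needs, with the privileges that satisfy each.
REQUIRED: Dict[str, Tuple[Priv, ...]] = {
    "Monitor > Logs > Data Filtering": (Priv.ENABLE, Priv.READ_ONLY),
    "Objects > Custom Objects > Data Patterns": (Priv.ENABLE, Priv.READ_ONLY),
    "Objects > Security Profiles > Data Filtering": (Priv.ENABLE, Priv.READ_ONLY),
    "Device > Setup > Content-ID": (Priv.ENABLE,),
    "Panorama > Plugins": (Priv.ENABLE,),
}

# Optional nodes from step 3.4: commit/push/task visibility, not DLP configuration.
OPTIONAL = {"Panorama > Push All Changes", "Panorama > Commit > Panorama", "Panorama > Tasks"}


def audit_admin_role(role: Mapping[str, Priv]) -> Dict[str, List[str]]:
    """Compare a role against the DLP-only baseline.

    'missing': required nodes absent (treated as Disabled) or below their minimum.
    'excess' : any other node not Disabled, i.e. privilege beyond what DLP needs.
    """
    missing = [
        f"{node}: have {role.get(node, Priv.DISABLE).value}, need one of "
        + "/".join(p.value for p in allowed)
        for node, allowed in REQUIRED.items()
        if role.get(node, Priv.DISABLE) not in allowed
    ]
    excess = sorted(
        node for node, priv in role.items()
        if priv is not Priv.DISABLE and node not in REQUIRED and node not in OPTIONAL
    )
    return {"missing": missing, "excess": excess}


# Constructed role matching the verification step: logs, patterns, profiles and plugin.
DLP_ONLY_ROLE: Dict[str, Priv] = {
    "Monitor > Logs > Data Filtering": Priv.READ_ONLY,
    "Monitor > Logs > Traffic": Priv.DISABLE,
    "Objects > Custom Objects > Data Patterns": Priv.ENABLE,
    "Objects > Security Profiles > Data Filtering": Priv.ENABLE,
    "Device > Setup > Content-ID": Priv.ENABLE,
    "Device > Setup > Management": Priv.DISABLE,
    "Panorama > Plugins": Priv.ENABLE,
    "Panorama > Commit > Panorama": Priv.ENABLE,
    "Panorama > Tasks": Priv.ENABLE,
}

# Constructed drift: Device > Setup > Management was enabled and Plugins dropped to Read Only.
DRIFTED_ROLE: Dict[str, Priv] = {
    **DLP_ONLY_ROLE,
    "Device > Setup > Management": Priv.ENABLE,
    "Panorama > Plugins": Priv.READ_ONLY,
}


if __name__ == "__main__":
    for name, role in (("dlp-only", DLP_ONLY_ROLE), ("drifted", DRIFTED_ROLE)):
        result = audit_admin_role(role)
        print(f"{name}: missing={result['missing']} excess={result['excess']}")
```

The baseline role audits clean; the drifted role reports Device > Setup > Management as excess privilege and Panorama > Plugins as below the Enable level the plugin upgrade and snippets settings require.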
