Enable Role Based Access
Focus
Focus
Enterprise DLP

Enable Role Based Access

Table of Contents

Enable Role Based Access

Configure role-based access for Enterprise Data Loss Prevention (E-DLP) to control administrative access.
Where Can I Use This?What Do I Need?
  • NGFW (Managed by Panorama or Strata Cloud Manager)
  • Prisma Access (Managed by Panorama or Strata Cloud Manager)
  • Enterprise Data Loss Prevention (E-DLP) license
    Review the Supported Platforms for details on the required license for each enforcement point.
Or any of the following licenses that include the Enterprise DLP license
  • Prisma Access CASB license
  • Next-Generation CASB for Prisma Access and NGFW (CASB-X) license
  • Data Security license
Configure and assign administrative privileges to control access to Enterprise Data Loss Prevention (E-DLP). Role based access gives you granular control of who has access to Enterprise DLP and which aspects of Enterprise DLP they have access to.
(Strata Cloud Manager) Identity and access management for Enterprise DLP is controlled through Common Services. You can assign a predefined or custom role for All Apps & Services active on your Strata Cloud Manager tenant, a role for the Enterprise DLP app, or assign a role for both. When a user is assigned a role for both All Apps & Services and the Enterprise DLP app, the access privileges granted by the app-specific role take priority over the access privileges granted by the All Apps & Services role.
For example, you have both Prisma Access (Managed by Strata Cloud Manager) and Enterprise DLP active on your tenant. For Prisma Access, you assign a user the View Only Administrator role. Later, you assign the same user the DLP Policy Manager for Enterprise DLP. In this instance, the user has read-only access to Prisma Access (Managed by Strata Cloud Manager) but both read and write access to the majority of Enterprise DLP for configuration purposes.
(Panorama) Role based access to Enterprise DLP is defined using a custom Panorama admin role associated with a Panorama administrator account. The admin role defines the system access available to the particular admin. If your Panorama administrator already has an admin role associated with their admin account, you can update it to define granular access privileges Enterprise DLP. If you want to grant access to only Enterprise DLP, you can Disable all other UI nodes except for those describes below.

Strata Cloud Manager

Configure role-based access for Enterprise Data Loss Prevention (E-DLP) on Strata Cloud Manager.
Strata Cloud Manager supports the following roles to grant access privileges for the Enterprise DLP app specifically.
Predefined Enterprise DLP Role
Privileges
DLP Incident Manager
Read and Write Access — Alerts, Incidents, health and telemetry, reports, and Audit Logs
Read Only Access—Data patterns, profiles, DLP Rules, EDM data sets, OCR setting, and all DLP settings
DLP Policy Manager
Read and Write Access — Data patterns, profiles, DLP Rules, EDM data sets, OCR setting, health and telemetry, audit logs, alerts, and all DLP settings
No Access— Incidents and reports
Multitenant Superuser
Full read and write privileges to Enterprise DLP for all tenants in the particular multitenant hierarchy where the role is assigned
Superuser
Full read and write privileges for Enterprise DLP
View Only Administrator
Read-only privileges for Enterprise DLP
  1. Log in to Strata Cloud Manager.
  2. Use one of the various ways to access Identity & Access.
  3. Add Access to your tenant where Enterprise DLP is active.
    This step is required only if the user for which you’re granting Enterprise DLP access isn’t already registered with the Palo Alto Networks Customer Support Portal (CSP).
  4. Select Prisma Access & NGFWManageSecurity ServicesData Loss Prevention to add a custom role.
    You can use custom roles allow to define which permissions are enforced for your users and allow more granular access control to Enterprise DLP than predefined roles.
    The access permissions applied to the Data Loss Prevention parent node determines the lowest access privilege you can assign to any of its child node. For example, if you want provide No Access and Read Only to some areas of Enterprise DLP, you must first assign No Access to the Enterprise DLP application.
    Below is an example of a custom Enterprise DLP role. The custom role is configured with no access privileges to Audit Logs or any of the Enterprise DLP settings. However, read-only access is configured for the Health & Telemetry and DLP Incidents, and full read and write privileges are configured for Data Profiles, all Detection Methods, Document Types, and DLP Rules.
  5. Assign role-based access for Enterprise DLP.
    You don’t need to configuring a tenant role for a user if access to only Enterprise DLP is required.
    1. Select User and for the Identity Address, enter the email address for which you granted access in the previous step.
    2. For Apps & Services, select Enterprise DLP.
    3. Select a predefined or custom Enterprise DLP Role.
    4. Submit.
  6. Continue based on your Enterprise DLP access privileges.

Panorama

Configure role-based access for Enterprise Data Loss Prevention (E-DLP) on your Panorama™ management server.
Panorama allows you to define 1 of 3 different access privileges for any given UI node:
  • Enable—Admin has full read and write access.
  • Read Only—Admin has read only access. Admin cannot make any configuration changes.
  • Disable—Admin has no access to the UI node and it is not displayed in the Panorama web interface when they are logged into Panorama.
  1. Log in to the Panorama web interface.
    An administrator with access privileges to create an admin role and commit to Panorama is required.
  2. Select PanoramaAdmin Roles and Add a new admin role.
    If you want to modify an existing admin role, select that admin role instead of creating a new one. Only one admin role profile can be associated with an administrator account.
  3. Configure the Enterprise DLP admin role.
    1. Enter a descriptive Name for the admin role.
    2. For the Role, select Panorama.
    3. In the Web UI, define the Enterprise DLP access privileges you want to grant the Panorama administrator.
      • MonitorLogsData Filtering—Access privileges to data filtering logs. You must Enable or give Read Only access to data filtering logs to allow the administrator to view Enterprise DLP incidents.
      • ObjectsCustom ObjectsData Patterns—Access privileges to Enterprise DLP data patterns.
      • ObjectsSecurity ProfilesData Filtering—Access privileges to Enterprise DLP data profiles.
      • DeviceSetup—To grant read and write access to the Enterprise DLP data filtering and Cloud Content settings, you must enable read and write access to the Content-ID tab and disable access for the remaining settings.
      • PanoramaPlugins—Access privileges to upgrade the Enterprise DLP plugin on Panorama and read and write access to the Enterprise DLP snippets settings.
        If you have other Panorama plugins installed, this will enable access to those configuration nodes in the Panorama tab as well.
    4. Configure any additional admin role access privileges as needed.
      For example, you can enable Push All Changes, CommitPanorama, and Tasks to allow the administrator to commit and push Enterprise DLP changes from Panorama to managed firewalls and then view the job status in the Task Manager.
    5. Click OK.
  4. Create an Enterprise DLP administrator account.
    Skip this step if you modified an existing admin role already associated with an administrator account.
    1. Select PanoramaAdministrator and Add a new administrator.
    2. Enter a descriptive Name for the Enterprise DLP administrator account.
    3. Configure the authentication method for the administrator account using one of the following methods.
      • Enter the Password and Confirm Password.
      • Check (enable) Use Public Key Authentication and click Import Key to import the SSH key.
    4. For the Administrator Type, select Custom Panorama Admin.
    5. For the Profile, select the admin role you created in the previous step.
    6. Click OK.
  5. Select CommitCommit to Panorama and Commit.
  6. Verify the Enterprise DLP administrator account is correctly configured.
    In this example, access to the data filtering logs, data patterns, data profiles, and the plugin tabs are enabled.
    1. Log in to the Panorama web interface using the Enterprise DLP administrator account you created in the previous step.
    2. Select Monitor and confirm only the Data Filtering logs are displayed.
    3. Select ObjectsDLP and confirm that Data Filtering Profiles and Data Filtering Patterns are displayed and configurable.
      Custom Objects and Security Profiles are also displayed but the Enterprise DLP is not able to configure these.
    4. Select DeviceSetup and confirm only the Content-ID and DLP tabs are displayed and configurable.
    5. Select PanoramaDLP and confirm that the Enterprise DLP Configuration settings are displayed and configurable.
  7. Continue based on your Enterprise DLP access privileges.