>
    Strata Copilot
    Strata Cloud Manager
    Focus
    Download PDF
    Focus
    1. Home
    2. Enterprise DLP
    3. Enable Role Based Access
    4. Strata Cloud Manager
    Download PDF
    Enterprise DLP

    Strata Cloud Manager

    Table of Contents

    Strata Cloud Manager

    Configure role-based access for Enterprise Data Loss Prevention (E-DLP) on Strata Cloud Manager.
    Enterprise DLP supports two types of role-based access to control and grant access:
    • Predefined Roles—The predefined roles and permissions available on Strata Cloud Manager.
      A role labeled For All Apps & Services grants access Privileges for every app and service available on the tenant.
      A role labeled For Enterprise DLP only provides access Privileges specifically for Enterprise DLP.
      A role labeled For All Apps & Services or Enterprise DLP grants access privileges to all apps and services available on the tenant or to Enterprise DLP specifically.
    • Custom Roles—A customized user role with specific access privileges to Enterprise DLP that you define.
      Custom roles are specific to the tenant where they are created. In a multi-tenant Tenant Service Group (TSG) hierarchy, custom roles created at the parent level are not inherited and cannot be used by a child tenant. Custom roles created at the parent tenant level display in the list of available child tenant custom roles but they will not grant access to Enterprise DLP.
      You must create the required custom role for the specific child tenant you want to a user access to.
    Predefined Role
    Privileges
    Data Security Admin
    For All Apps & Services
    Full read and write to Enterprise DLP and Data Security (SaaS API).
    This role also includes access to Strata Logging Service logs, dashboards, create custom dashboards, and download, share, and schedule reports. Includes read-only access to logs. This role includes a small subset of privileges included in the Security Admin role. Assign this role to administrators who manage only decryption rule configurations.
    DLP Incident Manager
    For Enterprise DLP only
    Read and Write AccessData Risk dashboard and settings, Data Asset Explorer, Incidents, Health & Telemetry, Audit Logs
    Read Only Access—Data patterns, profiles, DLP Rules, EDM data sets, OCR setting, and all DLP settings
    DLP Policy Manager
    For Enterprise DLP only
    Read and Write Access — Data patterns, profiles, DLP Rules, EDM data sets, OCR setting, health and telemetry, audit logs, alerts, and all DLP settings
    No Access— Incidents and reports
    Multitenant Superuser
    For All Apps & Services or Enterprise DLP
    Full read and write privileges to Enterprise DLP for all tenants in the particular multitenant hierarchy where the role is assigned
    Superuser
    For All Apps & Services or Enterprise DLP
    Full read and write privileges for Enterprise DLP
    View Only Administrator
    For All Apps & Services or Enterprise DLP
    Read-only privileges for Enterprise DLP
    1. Log in to Strata Cloud Manager.
    2. Use one of the various ways to access Identity & Access.
    3. Add Access to your tenant where Enterprise DLP is active.
      This step is required only if the user for which you’re granting Enterprise DLP access isn’t already registered with the Palo Alto Networks Customer Support Portal (CSP).
    4. Select Prisma Access & NGFW ConfigurationManageConfigurationSecurity ServicesData Loss Prevention and configure the custom role.
      You can use custom roles allow to define which permissions are enforced for your users and allow more granular access control to Enterprise DLP than predefined roles.
      The access permissions applied to the Data Loss Prevention parent node determines the lowest access privilege you can assign to any of its child nodes. For example, if you want to provide No Access and Read Only to some areas of Enterprise DLP, you must first assign No Access to the Enterprise DLP application.
      Below is an example of a custom Enterprise DLP role. The custom role is configured with no access privileges to Audit Logs or any of the Enterprise DLP settings. However, read-only access is configured for the Health & Telemetry and DLP Incidents, and full read and write privileges are configured for Data Profiles, all Detection Methods, Document Types, and DLP Rules.
      • Enterprise DLP RBAC Mapping
        The mapping below maps the Enterprise DLP RBAC permissions to the Enterprise DLP configuration in Strata Cloud Manager.
        Review the list of predefined Enterprise DLP roles to grant a user access to the Data Risk and Data Asset Explorer dashboards.
        • Audit LogConfigurationData Loss PreventionAudit Log
        • Data ProfilesConfigurationData Loss PreventionData Profiles
        • Detection Methods—All detection methods in ConfigurationData Loss PreventionDetection Methods
          • Data PatternsConfigurationData Loss PreventionDetection MethodsData Patterns
          • Exact Data MatchingConfigurationData Loss PreventionDetection MethodsExact Data Matching
          • Optical Character RecognitionConfigurationData Loss PreventionDetection MethodsOptical Character Recognition
        • Health & TelemetryConfigurationData Loss PreventionHealth & Telemetry
        • Document TypesConfigurationData Loss PreventionDocument Types
        • DLP IncidentsConfigurationData Loss PreventionDLP Incidents
        • DLP RulesConfigurationData Loss PreventionDLP Rules
        • Settings—All Enterprise DLP settings in ConfigurationData Loss PreventionSettings
          • AlertsConfigurationData Loss PreventionSettingsAlerts
          • API Tokens—N/A; deprecated.
          • Data Filtering—N/A; deprecated.
          • Data TransferConfigurationData Loss PreventionSettingsData Transfer
          • Sensitive DataConfigurationData Loss PreventionSettingsSensitive Data
    5. Configure access privileges to allow a data security administrator to create End User Coaching notification templates.
      End User Coaching enables Enterprise DLP to display notifications to your end users when they generate an Enterprise DLP or Endpoint DLP incident. The end user notification template defines which DLP rules generate a notification and the contents of the notification.
      Select Prisma Access & NGFW ConfigurationManageObjects and configure the access privileges for User Coaching Notification Templates.
    6. Assign role-based access for Enterprise DLP.
      You don’t need to configuring a tenant role for a user if access to only Enterprise DLP is required.
      1. Select User and for the Identity Address, enter the email address for which you granted access in the previous step.
      2. For Apps & Services, select Enterprise DLP.
      3. Select a predefined or custom Enterprise DLP Role.
      4. Submit.
    7. Continue based on your Enterprise DLP access privileges.

    © 2026 Palo Alto Networks, Inc. All rights reserved.