Strata Cloud Manager

Configure role-based access for Enterprise Data Loss Prevention (E-DLP) on Strata Cloud Manager.
Strata Cloud Manager supports the following roles to grant access privileges for the Enterprise DLP app specifically. Review the predefined roles and permissions available on Strata Cloud Manager for details.
Predefined roles and their privileges (scope in parentheses):

Data Security Admin (For All Apps & Services)
  Full read and write to Enterprise DLP and Data Security (SaaS API). This role also includes access to Strata Logging Service logs and dashboards, the ability to create custom dashboards, and the ability to download, share, and schedule reports. Includes read-only access to logs. This role includes a small subset of the privileges included in the Security Admin role. Assign this role to administrators who manage only decryption rule configurations.

DLP Incident Manager (For Enterprise DLP only)
  Read and Write Access: Data Risk dashboard and settings, Data Asset Explorer, Incidents, Health & Telemetry, Audit Logs
  Read Only Access: Data patterns, profiles, DLP Rules, EDM data sets, OCR setting, and all DLP settings

DLP Policy Manager (For Enterprise DLP only)
  Read and Write Access: Data patterns, profiles, DLP Rules, EDM data sets, OCR setting, health and telemetry, audit logs, alerts, and all DLP settings
  No Access: Incidents and reports

Multitenant Superuser (For All Apps & Services or Enterprise DLP)
  Full read and write privileges to Enterprise DLP for all tenants in the particular multitenant hierarchy where the role is assigned

Superuser (For All Apps & Services or Enterprise DLP)
  Full read and write privileges for Enterprise DLP

View Only Administrator (For All Apps & Services or Enterprise DLP)
  Read-only privileges for Enterprise DLP
  1. Log in to Strata Cloud Manager.
  2. Use one of the various ways to access Identity & Access.
  3. Add Access to your tenant where Enterprise DLP is active.
    This step is required only if the user for which you’re granting Enterprise DLP access isn’t already registered with the Palo Alto Networks Customer Support Portal (CSP).
  4. Select Prisma Access & NGFW Configuration > Manage > Configuration > Security Services > Data Loss Prevention and configure the custom role.
    Custom roles let you define which permissions are enforced for your users and allow more granular access control to Enterprise DLP than predefined roles.
    The access permissions applied to the Data Loss Prevention parent node determine the lowest access privilege you can assign to any of its child nodes. For example, if you want to provide No Access and Read Only to some areas of Enterprise DLP, you must first assign No Access to the Enterprise DLP application.
    Below is an example of a custom Enterprise DLP role. The custom role is configured with no access privileges to Audit Logs or any of the Enterprise DLP settings. However, read-only access is configured for the Health & Telemetry and DLP Incidents, and full read and write privileges are configured for Data Profiles, all Detection Methods, Document Types, and DLP Rules.
    • Enterprise DLP RBAC Mapping
      The mapping below maps the Enterprise DLP RBAC permissions to the Enterprise DLP configuration in Strata Cloud Manager.
      Review the list of predefined Enterprise DLP roles to grant a user access to the Data Risk and Data Asset Explorer dashboards.
      • Audit Log: Manage > Configuration > Data Loss Prevention > Audit Log
      • Data Profiles: Manage > Configuration > Data Loss Prevention > Data Profiles
      • Detection Methods: All detection methods in Manage > Configuration > Data Loss Prevention > Detection Methods
        • Data Patterns: Manage > Configuration > Data Loss Prevention > Detection Methods > Data Patterns
        • Exact Data Matching: Manage > Configuration > Data Loss Prevention > Detection Methods > Exact Data Matching
        • Optical Character Recognition: Manage > Configuration > Data Loss Prevention > Detection Methods > Optical Character Recognition
      • Health & Telemetry: Manage > Configuration > Data Loss Prevention > Health & Telemetry
      • Document Types: Manage > Configuration > Data Loss Prevention > Document Types
      • DLP Incidents: Manage > Configuration > Data Loss Prevention > DLP Incidents
      • DLP Rules: Manage > Configuration > Data Loss Prevention > DLP Rules
      • Settings: All Enterprise DLP settings in Manage > Configuration > Data Loss Prevention > Settings
        • Alerts: Manage > Configuration > Data Loss Prevention > Settings > Alerts
        • API Tokens: N/A; deprecated.
        • Data Filtering: N/A; deprecated.
        • Data Transfer: Manage > Configuration > Data Loss Prevention > Settings > Data Transfer
        • Sensitive Data: Manage > Configuration > Data Loss Prevention > Settings > Sensitive Data
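The parent-node floor rule in step 4 is easy to get wrong when building a custom role by hand: every node in the mapping must sit at or above the level given to the Data Loss Prevention parent node, so the parent must be set to the lowest level any child needs. The following script is an added example (not Palo Alto Networks code and not an API of Strata Cloud Manager) that models the node list above as a small tree and checks a planned custom role against that rule before it is clicked into the UI. The node names are transcribed from the mapping; the `Access` levels, the `EXAMPLE_ROLE` input (the custom role described in step 4), and the assumption that a sub-node not named explicitly inherits its group's level (mirroring "all detection methods" and "all Enterprise DLP settings") are constructed for the example.

```python
from enum import IntEnum


class Access(IntEnum):
    """Privilege levels in the order the parent-node floor rule compares them."""
    NO_ACCESS = 0
    READ_ONLY = 1
    READ_WRITE = 2


# Enterprise DLP configuration nodes, transcribed from the RBAC mapping above.
# API Tokens and Data Filtering are left out because the page lists them as deprecated.
DLP_NODES = {
    "Audit Log": [],
    "Data Profiles": [],
    "Detection Methods": ["Data Patterns", "Exact Data Matching",
                          "Optical Character Recognition"],
    "Health & Telemetry": [],
    "Document Types": [],
    "DLP Incidents": [],
    "DLP Rules": [],
    "Settings": ["Alerts", "Data Transfer", "Sensitive Data"],
}


def expand_role(role):
    """Return {node: Access} for every node in the tree.

    Assumption for this example: a sub-node that the role does not name
    explicitly inherits the level of its group (e.g. 'Detection Methods').
    Raises ValueError for a group with no level or for a node not in the mapping.
    """
    expanded = {}
    for group, children in DLP_NODES.items():
        if group not in role:
            raise ValueError(f"custom role sets no level for {group!r}")
        expanded[group] = Access(role[group])
        for child in children:
            expanded[child] = Access(role.get(child, role[group]))
    unknown = set(role) - set(expanded)
    if unknown:
        raise ValueError(f"unknown Enterprise DLP nodes: {sorted(unknown)}")
    return expanded


def required_parent_access(role):
    """Highest level the Data Loss Prevention parent node may have for this role.

    The parent's level is the floor for every child, so it can be no higher
    than the lowest level any node needs.
    """
    return min(expand_role(role).values())


def violations(parent_access, role):
    """Nodes set below the floor imposed by the parent node's level, sorted by name."""
    return sorted(node for node, level in expand_role(role).items()
                  if level < parent_access)


# Constructed input: the custom role described in step 4 (no access to Audit Log and
# Settings, read-only Health & Telemetry and DLP Incidents, read/write elsewhere).
EXAMPLE_ROLE = {
    "Audit Log": Access.NO_ACCESS,
    "Settings": Access.NO_ACCESS,
    "Health & Telemetry": Access.READ_ONLY,
    "DLP Incidents": Access.READ_ONLY,
    "Data Profiles": Access.READ_WRITE,
    "Detection Methods": Access.READ_WRITE,
    "Document Types": Access.READ_WRITE,
    "DLP Rules": Access.READ_WRITE,
}

if __name__ == "__main__":
    floor = required_parent_access(EXAMPLE_ROLE)
    print(f"Set the Data Loss Prevention parent node to {floor.name}")
    print("Nodes that would be invalid with a READ_ONLY parent:",
          violations(Access.READ_ONLY, EXAMPLE_ROLE))
```

Run it before configuring the role: if `violations()` returns anything for the parent level you intend to use, lower the parent node first, exactly as the note in step 4 says, and then set the child nodes.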
  5. Configure access privileges to allow a data security administrator to create End User Coaching notification templates.
    End User Coaching enables Enterprise DLP to display notifications to your end users when they generate an Enterprise DLP or Endpoint DLP incident. The end user notification template defines which DLP rules generate a notification and the contents of the notification.
    Select Prisma Access & NGFW Configuration > Manage > Objects and configure the access privileges for User Coaching Notification Templates.
  6. Assign role-based access for Enterprise DLP.
    You don’t need to configure a tenant role for a user if access to only Enterprise DLP is required.
    1. Select User and for the Identity Address, enter the email address for which you granted access in the previous step.
    2. For Apps & Services, select Enterprise DLP.
    3. Select a predefined or custom Enterprise DLP Role.
    4. Submit.
  7. Continue based on your Enterprise DLP access privileges.