Manage Device Security Users

Learn about and manage Device Security users with role-based access control (RBAC).
Where Can I Use This?
  • Device Security (Managed by Strata Cloud Manager)
  • (Legacy) IoT Security (Standalone portal)
What Do I Need?
One of the following subscriptions:
  • Device Security subscription for an advanced Device Security product (Enterprise, OT, or Medical)
  • Device Security X subscription
Role-based access control (RBAC) enables you to assign privileges and access rights to administrative users through role assignment. Create user accounts in the Customer Support Portal, and assign them roles. In some cases, you can also limit the data that users can access by site. For step-by-step instructions about creating users for Device Security, see Create Device Security Users.
Device Security supports the following user roles:
  • App Administrator
  • Instance Administrator
  • (Legacy) IoT Security portal Owner
  • (Legacy) IoT Security portal Administrator
  • (Legacy) IoT Security portal Read-only
  • Strata Cloud Manager Superuser
  • Strata Cloud Manager View-only Administrator
The App Administrator and Instance Administrator are common roles that are available to every Palo Alto Networks product application. For Device Security, they provide the same privileges as Owner. To learn more about them, see Available Roles.
The three user roles specifically for the Device Security portal are Owner, Administrator, and Read-only.
The two user roles specifically for Device Security in Strata Cloud Manager are Superuser and View-only Administrator.
User Role: (Legacy) IoT Security portal Owner; Strata Cloud Manager Superuser (also App Administrator and Instance Administrator)
Role Definition: Access to all functions in the Device Security portal
Access Control: All read/write privileges as administrators plus:
  • Set a global idle timeout
  • Change the device-to-site assignment method from one based on firewall locations to one based on IP addresses
  • View audit logs for all users
  • Set scanning permissions per administrator account
  • Control which sites users with administrator and read-only privileges can access
  • Control who receives notifications of security alerts and system alerts

User Role: (Legacy) IoT Security portal Administrator; Strata Cloud Manager Superuser
Role Definition: Access to most functions in the Device Security portal
Access Control: Create, edit, and delete Device Security configurations and manage their own account preferences:
  • See their own user role and list of sites they can access
  • Create, download, and delete API access keys
  • Update contact info
  • Modify their login preference if accessing multiple deployments
  • Shorten the idle timeout
  • Enable and disable alert sounds
  • Enable and disable alert notifications via SMS and email
  • Manage their own user account preferences
  • See the audit log for their own activities

User Role: (Legacy) IoT Security portal Read-only; Strata Cloud Manager View-only Administrator
Role Definition: Can only view data in the Device Security portal
Access Control:
  • View Device Security data for the sites they can access
  • Manage their own user account preferences
  • See the audit log for their own activities
For Panorama managed Prisma Access tenants with a Device Security add-on license, add the following types of users to give them access privileges to both Prisma Access and Device Security:
Prisma® SASE Platform User Roles | Device Security User Roles
Superuser, MSP Superuser | Owner
N.A. | Administrator*
View Only Administrator | Read-only
* There is no user role in Prisma SASE that maps to the Administrator role in Device Security.
If you are a new Panorama managed Prisma Access customer as of August 2022, or an existing Panorama managed Prisma Access customer whose Prisma Access instance transitioned to the Prisma SASE platform, use Common Services: Identity & Access to manage user access, roles, and service accounts.
For existing Panorama managed Prisma Access customers whose Prisma Access instance has not yet transitioned to the Prisma SASE Platform, you can continue using the existing process to create administrative users until the transition completes.