Strata Cloud Manager

1. Set up authentication for your Device Security users.

   • Palo Alto Networks SSO Add User Access Through Common Services
   • Third-party IdP SSO Manage Third-Party Identity Provider Integrations Through Common Services
     If you activated Device Security before June 2025 and use a third-party IdP SSO, you need to reconfigure your third-party IdP through Common Services to access Device Security in Strata Cloud Manager.
2. Create Device Security scopes through the Strata Cloud Manager Identity & Access Management.

   Navigate to System SettingsIdentity & Access ManagementScopes to view all scope objects within your TSG.

   Device Security scopes are defined using sites:

   • All
   • None
   • Custom Selection

   Administrators can use the Custom Selection option to grant users access to a subset of sites defined within Device Security. Selecting a site group or the organization will select all sites within that group. Users who have been granted access to a group will automatically be granted access to new sites within the group.
3. Assign a predefined role and scopes to a tenant user or service account through Strata Cloud Manager Identity & Access Management.

   Strata Cloud Manager uses Identity & Access Management to manage user roles and scopes. From the enterprise roles available in Identity & Access Management, Device Security supports the Superuser role and the View Only Administrator role.

   For customers transitioning from the Device Security portal to Device Security in Strata Cloud Manager, the Device Security user roles map to the following Strata Cloud Manager roles:

   • Owner -> Superuser
   • Administrator -> Superuser
   • Read-only -> View-only Administrator
4. Periodically review all users and roles with access to Device Security and remove user access through Common Services as needed.