Prisma Access Browser
The Prisma Access Browser Enterprise Password Manager
The information that everyone needs about the browser.
Password-related breaches remain a major risk in enterprise environments. The
Prisma® Access Browser introduces centralized password management to enforce secure
handling of credentials.
Built-in browser managers lack enterprise features like policy rule controls,
access management, encryption, and audit logging. Extensions add functionality but
increase the attack surface and are vulnerable to user tampering.
Integrating password management with existing identity and access systems adds
complexity and cost. As a result, many organizations avoid standardization, leading to
insecure practices such as password reuse and unauthorized credential sharing.
The Prisma Access Browser Enterprise Password Manager
To address these challenges, we developed the Enterprise Password Manager as a
first-party solution, purpose-built to meet these needs and tightly integrated with
Prisma® Access Browser. The solution supports complex enterprise requirements by
enabling robust security controls, seamless policy rule enforcement, and a
streamlined user experience.
Key Features
Password Manager - User Guide
Password Manager Inventory
The Password Manager in Prisma Access Browser enables users to securely
store, manage, and use credentials for applications not integrated with the
organization's identity provider.
The main page of the Password Manager is the Inventory page, where you can
manage, create, edit, or remove logins.
You can open the inventory in the following ways:
- Click the Prisma Access Browser icon → Password Manager.
- Click Settings → Password and Autofill → Password Manager.
- Open the Password Manager from one of the dialogs opened by the Browser when saving and updating or viewing passwords on a website.
- Click on the Password Manager key icon on the Browser sidebar.
- Navigate to prisma://password-manager/
When you open the Password Manager, it displays the list of available logins.
If you previously used the Legacy Password Manager in Prisma Access
Browser, the system migrates your logins automatically to the Enterprise Password
Manager.
If no logins exist, the Password Manager shows an empty state screen.
Login Types
PAB Password Manager supports two types of logins - personal and
managed.
Personal Logins
- For personal use, credentials are encrypted and stored locally on the user's device.
- These credentials are synchronized across all devices where PAB is installed.
- Personal credentials are presented in the inventory without an icon.
Managed Logins
- Used for sharing and administrator-managed logins, these credentials are securely stored within the company vault managed through CIE.
- Access to these credentials is provided just-in-time, following successful multi-factor authentication. They are encrypted both during transit and at rest, and are never cached locally on the device.
- Managed logins are indicated by the following icons:
  - [icon] The user is the owner or has full access permissions to this login.
  - [icon] The user has partial access permissions to this login.
Managed logins are shared between users or by admins giving target users one of the following permissions:
Create a Login
You can manually create logins through the Password Manager Inventory.
To create a login manually, open the Inventory and click “Create login.”
Enter the required details:
- Username for the application (optional).
- Password for the application (mandatory).
- URL of the application that triggers the Password Manager to suggest this login (mandatory).
- Note describing the login (optional).
Manage Logins
Click a login to open its details pane, where you can view, edit, and manage the
entry.
The browser may prompt you for a step-up MFA (PIN code or
passkey) based on your admin policy rule before revealing login details.
Personal logins allow you to see the following information:
Managed logins also display the users with which they were shared:
Some of the options are greyed out for Limited Access logins. These are Use only or
Use and View.
You can view the details of a login using the available options:
- Click the reveal or copy icons to view or copy the username or password (if allowed).
- Click the arrow icon to open the URL associated with the login.
- Click Edit to change the login details. The Name field is only available for Managed logins.
- Click Delete to remove the login from the inventory (if allowed). Make sure you have another way to access the website before deleting a login.
Make sure that you have a way to
access the website before deleting a login!
Deleting a Shared/Managed login will delete it from all shared
users!
Share a Login
A personal login or a login with full access permissions can be shared with
other users or groups if allowed by policy.
- Open the details of a login
- Click the “Shared access” tab
- If the login is a personal login - you will first need to enable sharing. This moves the login from the local store in the browser to the vault, turning it into a managed login
- Once a login is managed, the user can share it with other users.
- Search for the user or groups that the password should be shared with.
- Select the Permissions.
- Once a login is shared, you can manage the granted permissions in the Shared
Access tab.
- You can then share the login to additional users or groups.
- You can also change the access permissions or revoke the access entirely.
Role Precedence
A user's effective role for a shared login is determined by this order of precedence:
- A directly assigned role for that specific login takes highest precedence, overriding all group permissions.
- If no explicit user role is set, the widest permission from all groups the user belongs to is applied.
- If neither an explicit user role nor group permissions are found, no specific role is assigned (typically resulting in no access).
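The precedence rules above, worked through as an added example (not code from the product or its documentation). The ranking Use only < Use and View < Full access, the function names, and the users and groups are assumptions made for illustration.

```python
from enum import IntEnum
from typing import Optional

class Role(IntEnum):
    # Ranking from narrowest to widest is an assumption of this example;
    # the page names these permissions but does not publish an ordering.
    USE_ONLY = 1
    USE_AND_VIEW = 2
    FULL_ACCESS = 3

def effective_role(user, memberships, direct, by_group) -> Optional[Role]:
    """Resolve one user's role on one shared login.

    memberships: user -> set of group names
    direct:      user -> Role assigned to that user on this login
    by_group:    group -> Role assigned to that group on this login
    """
    # 1. An explicit per-user role wins, even if it is narrower than a group's.
    if user in direct:
        return direct[user]
    # 2. Otherwise take the widest role among the user's groups.
    inherited = [by_group[g] for g in memberships.get(user, ()) if g in by_group]
    if inherited:
        return max(inherited)
    # 3. No direct role and no group role: nothing is assigned.
    return None

def access_review(users, memberships, direct, by_group):
    """Effective role per user, for auditing who can actually reveal a password."""
    return {u: effective_role(u, memberships, direct, by_group) for u in users}

# Constructed sample data (hypothetical users and groups).
MEMBERSHIPS = {
    "alice": {"it-admins", "helpdesk"},
    "bob": {"it-admins", "helpdesk"},
    "carol": {"helpdesk"},
    "dave": {"finance"},
}
DIRECT = {"alice": Role.USE_ONLY}  # pinned below what her groups would grant
BY_GROUP = {"it-admins": Role.FULL_ACCESS, "helpdesk": Role.USE_AND_VIEW}

REVIEW = access_review(MEMBERSHIPS, MEMBERSHIPS, DIRECT, BY_GROUP)

if __name__ == "__main__":
    for user, role in REVIEW.items():
        print(f"{user:6} {role.name if role else 'no role assigned'}")
```

In the sample data alice and bob belong to the same groups, yet alice resolves to Use only because her direct assignment overrides the groups, while bob inherits the widest group role.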
Password Generator
The Enterprise Password Manager includes a built-in password generator, accessible
from the inventory page. This tool helps create strong, difficult-to-crack
passwords.
- Navigate to the Inventory and click Password Generator.
- Choose your desired password characteristics.
- The generated password is displayed. Click to copy it to your clipboard.
- Paste the password when creating or updating account passwords or websites.
Import Logins
You can import logins from a third-party browser or password manager by following
these steps:
- Navigate to the Inventory and click Import.
- Select the source for the import.
- Export your logins from the source as a CSV file, following the provided
instructions.
- Choose the CSV file to import your logins into the Prisma Access Browser Password Manager.
Settings
Click the Settings tab to enable or disable the Password Manager for your
browser or to import logins from another browser or third-party Password Managers.
Password Manager Interactions
The Password Manager automatically appears when it detects an available login for a
URL or when you save or update a password for that URL.
Save a Login
When you register on a site or log in to a URL that the Password Manager does not
recognize, it prompts you to save a new login to the Prisma Access Browser
Enterprise Password Manager.
Click Login details to add more information to the login.
If you missed or closed the dialog by mistake, you can get back to it by clicking the
key icon.
Update a Login
When you update a password in the Prisma Access Browser Enterprise Password Manager,
the system prompts you to save the changes.
If you miss the prompt, click the key icon in the omnibox to reopen it.
Use a Login
If there is a key icon in the omnibox, this means that there are saved logins for
the current site.
Click it to see the logins available on the site.
Click on the icon to view the logins. You can drill down to see the details.
When you focus on an input
field in a login form on a URL with an available login, the Password Manager
suggests matching logins and enables you to autofill them.
The browser
might prompt you for a step-up MFA (PIN code or passkey) based on your admin
policy rule when you reveal login details.
To autofill the login, the browser can also require a
step-up MFA based on your admin policy rule.
If the login is shared with "Use Only" permissions, users will not be able to reveal
the value of the password.
Additionally, when a "Use Only" password is used, the Developer tools are
automatically blocked.
Profile Sync
The Password Manager automatically syncs personal logins across user devices
when you sign in with the same credentials.
Managed logins don’t rely on this mechanism and are obtained from the vault
on demand after MFA authentication.
This sync functionality works only if you enable profile
sync in the Browser Customization → Profile sync policy rule settings.
The Password Manager officially supports desktop devices
(Windows and macOS). It also syncs passwords to the mobile Password Manager where
sync is supported.
Prisma Access Browser Enterprise Password Manager - Admin Guide
Policy Rule
The Password Manager is managed in the Browser Security -> Saved Data ->
Password Manager control.
The default value of the control is Enabled, with MFA enabled on a 5-minute
timeout.
The Password Manager can be enabled or disabled.
When it is disabled, the Password Manager pop-ups do not display, and the
inventory will be disabled.
Multi-factor Authentication
The system can require users to complete a step-up MFA based on policy rule
when performing actions that involve retrieving a login, such as:
- Opening a login from the Inventory
- Viewing login details through the omnibox pop-up
- Autofilling a login form
After a successful step-up MFA, the system won’t prompt again for a defined
interval (5 minutes by default).
Administrators can enable or disable step-up MFA for all logins stored in the
Password Manager by configuring the Password Manager policy rule control.
They can also adjust the MFA Prompt Interval, setting it to always prompt or to a
shorter or longer interval than the default.
You can configure the MFA factor in Browser Security →
Authentication Factor. PAB currently supports local PIN and Passkey
authentication.
Managed Logins
Initially, no vault is configured, and the Company Vault option is disabled.
To enable managed logins, you must first create a vault within the Cloud
Identity Engine (CIE) console. Access the CIE console by clicking the tenant icon
and selecting "Cloud Identity Engine."
Navigate to Secrets Vault and create a new Vault.
Back in the PAB “Password Manager” control - you should now be able to
enable managed logins in one of two modes:
- Use and share - Allows users to both use managed logins and share new ones.
- Use only - Allows users to use logins but not to share them.
This policy can dynamically be applied based on user group, device posture,
network or location as per the scope of the rule.
When Use only is picked - managed logins can still be used and
edited, but the Shared Access tab is disabled.
If managed logins are shared with a user who is not allowed to use them by policy -
they are disabled in the inventory and cannot be used on websites.
Disable Personal Login
You can disable the “Personal store” option to prevent users from creating and managing their own private logins within the password manager. This control is beneficial when users should access only corporate-managed logins sent to them by administrators or managers, rather than using the tool as a general-purpose password manager. Common use cases include contractors and call center users. The system can dynamically apply this policy based on the rule's scope, including user group, device posture, network, or location.
Personal logins can only be disabled if managed logins
are enabled.
When disabled, users cannot create new logins. If they had personal logins,
those are disabled and can no longer be managed or used on websites.
Events
The Prisma Access Browser Enterprise Password Manager logs all actions that users
perform within the manager, including:
- Login created - The system logs when a user adds a login through the Inventory or the Save Login pop-up.
- Login deleted - The system logs when a user deletes a login through the Inventory.
- Login details changed - The system logs changes to a login’s details, including metadata or the password value.
- Login retrieved - The system logs when a user retrieves a login by autofilling it or by using the eye icon or copy button to view or copy the credentials.
You can view these events in the Prisma Access Browser Event log under the new
Password Manager category.
The system can forward these events to your organization's SIEM/SOC. You can then
correlate them with other activity – such as login attempts, failed logins, or
browsing events – to build a complete timeline around credential usage.
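One detection a SOC could build on the forwarded events, shown as an added example (not part of the product or its documentation): flag a user who retrieves many distinct logins in a short window. The record layout (time, user, event, login id), the window and the threshold are assumptions; only the event names come from the list above.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events: (time, user, event, login_id). The field layout
# is hypothetical; real forwarded records will have their own schema.
EVENTS = [
    ("2024-05-01T09:00:00", "alice", "Login retrieved", "crm"),
    ("2024-05-01T09:30:00", "alice", "Login retrieved", "hr"),
    ("2024-05-01T11:00:00", "alice", "Login retrieved", "crm"),
    ("2024-05-01T14:00:00", "bob", "Login retrieved", "vpn"),
    ("2024-05-01T14:01:00", "bob", "Login retrieved", "crm"),
    ("2024-05-01T14:02:00", "bob", "Login retrieved", "hr"),
    ("2024-05-01T14:03:00", "bob", "Login retrieved", "billing"),
    ("2024-05-01T14:05:00", "bob", "Login deleted", "vpn"),
    ("2024-05-01T15:00:00", "carol", "Login retrieved", "crm"),
    ("2024-05-01T15:01:00", "carol", "Login retrieved", "crm"),
    ("2024-05-01T15:02:00", "carol", "Login retrieved", "crm"),
    ("2024-05-01T15:03:00", "carol", "Login retrieved", "crm"),
]

def bulk_retrieval_alerts(events, window=timedelta(minutes=10), threshold=4):
    """Return one (user, first_seen, last_seen, logins) tuple per user who
    retrieved at least `threshold` distinct logins within `window`."""
    recent = defaultdict(deque)  # user -> (time, login_id) pairs still in window
    alerted = set()
    alerts = []
    for ts, user, event, login_id in sorted(events):  # ISO timestamps sort in time order
        if event != "Login retrieved":
            continue  # creations, edits and deletions are not retrievals
        now = datetime.fromisoformat(ts)
        seen = recent[user]
        seen.append((now, login_id))
        while now - seen[0][0] > window:  # drop retrievals older than the window
            seen.popleft()
        distinct = sorted({lid for _, lid in seen})
        # Repeated use of one login (autofill on every visit) does not count twice.
        if len(distinct) >= threshold and user not in alerted:
            alerted.add(user)
            alerts.append((user, seen[0][0].isoformat(), now.isoformat(), distinct))
    return alerts

if __name__ == "__main__":
    for alert in bulk_retrieval_alerts(EVENTS):
        print(alert)
```

Counting distinct logins rather than raw events keeps routine autofill of a single credential (carol in the sample) from raising the alert.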
Manage Logins in the CIE Vault
The CIE secrets vault stores the managed logins - and allows administrators
that have the necessary RBAC roles in CIE to:
- Administer managed logins - Browse, edit details, share, revoke access.
- Create admin-managed logins that will appear in the PAB password manager for users.
Navigate to your CIE console by clicking the tenant icon and choose
Cloud Identity Engine.
Navigate to Secrets Vault.
Collections are not supported.