For IT Enterprise and IT Enabled Services (ITES) companies that need to control which
users have access to their customer projects, Dynamic Privilege Access
provides a seamless, secure, and compartmentalized way for your users to access only
those projects that they are assigned to. These companies typically assign several
customer projects to employees and provide siloed access to these projects so that
an authorized user can access only one customer project at a time.
What Is Dynamic Privilege Access?
Dynamic Privilege Access is a feature in Prisma Access that provides dynamic
privileges for your users based on the workflow or project that your users select in
the Prisma Access Agent. Your users can have dynamic privileges based on the
combination of the user group and IP pool that is assigned to a project. This unique
combination defines a project. With Dynamic Privilege Access, you can isolate
resources in your network so that they are only accessible to your users according
to the projects they are assigned to.
A new predefined role called the Project Admin is available on Prisma Access to
allow project administrators to create and manage project definitions. Project
administrators can map projects to select Prisma Access location groups and
create IP address assignments using DHCP based on the project and location group.
Project administrators can manage only the projects that they are assigned to in
Strata Cloud Manager.
When your end users log in to a Prisma Access Agent that is enabled for Dynamic
Privilege Access on their managed devices, the following workflow takes place:
Your end user selects a project that they are assigned to (for example,
Project 1).
Their identity is authenticated in Cloud Identity Engine, which maps the
user's user group to the project.
If authentication succeeds and the user's group matches the project criteria
set up by the project admin, the user gains access to network resources through
the project-specific settings for Project 1 and the security rules that provide
security posture and access control on a per-project basis. The security
infrastructure applies those rules to restrict the user to only the resources
and applications that belong to that project; access to resources and
applications from other projects isn't allowed.
When the user switches to a different project (for example, Project 2), they
are signed out of the previous project (Project 1). They can then access the
resources for the second project based on the project-specific settings and
security rules for that project.
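The workflow above, modelled as a small policy simulation. This is an illustration added to this page, not Prisma Access code: the Project, Session and Gateway names, the rule logic and the sample group names and addresses are all hypothetical. It captures the two points a practitioner should check in a real deployment: a project is the pair (user group, IP pool), so a flow is allowed only when the source address comes from the project's pool and the authenticated user is in the project's group, and selecting a new project invalidates the address issued for the previous one.

```python
"""Toy model of per-project access control as described above.

Added illustration for this page, not Prisma Access code: the Project,
Session and Gateway names, the rule logic and the sample values are all
hypothetical. It models a project as the pair (user group, IP pool), checks
both halves of that pair on every flow, and signs a user out of the previous
project when a new one is selected.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class Project:
    name: str
    user_group: str                                  # group from identity lookup
    ip_pool: ipaddress.IPv4Network                   # addresses issued for the project
    resources: Tuple[ipaddress.IPv4Network, ...]     # networks the project may reach


@dataclass
class Session:
    user: str
    groups: FrozenSet[str]                           # groups the user belongs to
    project: Optional[str] = None
    client_ip: Optional[ipaddress.IPv4Address] = None


# Constructed sample project definitions (hypothetical groups and addresses).
PROJECTS: Dict[str, Project] = {
    "Project 1": Project("Project 1", "proj1-users",
                         ipaddress.ip_network("10.10.1.0/24"),
                         (ipaddress.ip_network("172.16.1.0/24"),)),
    "Project 2": Project("Project 2", "proj2-users",
                         ipaddress.ip_network("10.10.2.0/24"),
                         (ipaddress.ip_network("172.16.2.0/24"),)),
}


class Gateway:
    """Holds the active project sessions and evaluates flows against them."""

    def __init__(self, projects: Dict[str, Project]):
        self.projects = projects
        self.sessions: Dict[ipaddress.IPv4Address, Session] = {}
        # One address iterator per pool stands in for DHCP-style assignment.
        self._pools = {n: iter(p.ip_pool.hosts()) for n, p in projects.items()}

    def select_project(self, session: Session, project_name: str) -> bool:
        """Authorize the user for the project and issue it a pool address."""
        project = self.projects[project_name]
        if project.user_group not in session.groups:
            return False                             # not assigned to this project
        if session.client_ip is not None:            # switching: sign out of the old one
            self.sessions.pop(session.client_ip, None)
        session.project = project_name
        session.client_ip = next(self._pools[project_name])
        self.sessions[session.client_ip] = session
        return True

    def evaluate(self, src_ip: str, dst_ip: str) -> str:
        """Return 'allow' or 'deny' for a flow from src_ip to dst_ip."""
        src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
        session = self.sessions.get(src)
        if session is None:
            return "deny"                            # no active project behind this address
        project = self.projects[session.project]
        # Both halves of the project definition must hold: pool AND group.
        if src not in project.ip_pool or project.user_group not in session.groups:
            return "deny"
        return "allow" if any(dst in net for net in project.resources) else "deny"


def scenario() -> Dict[str, str]:
    """Walk through the workflow: select Project 1, then switch to Project 2."""
    gw = Gateway(PROJECTS)
    alice = Session("alice", frozenset({"proj1-users", "proj2-users"}))
    bob = Session("bob", frozenset({"proj1-users"}))
    out = {}
    gw.select_project(alice, "Project 1")
    ip1 = str(alice.client_ip)
    out["p1_to_p1_resource"] = gw.evaluate(ip1, "172.16.1.5")   # own project: allow
    out["p1_to_p2_resource"] = gw.evaluate(ip1, "172.16.2.5")   # other project: deny
    gw.select_project(alice, "Project 2")                        # switch projects
    ip2 = str(alice.client_ip)
    out["old_ip_after_switch"] = gw.evaluate(ip1, "172.16.1.5")  # signed out: deny
    out["p2_to_p2_resource"] = gw.evaluate(ip2, "172.16.2.5")    # new project: allow
    out["bob_selects_p2"] = "allowed" if gw.select_project(bob, "Project 2") else "refused"
    return out


if __name__ == "__main__":
    for check, result in scenario().items():
        print(f"{check}: {result}")
```

Run the module directly to see the five decisions. The check worth carrying into a real policy review is the one in evaluate: a rule keyed on the IP pool alone would let any address from that pool reach the project's resources, and a rule keyed on the group alone would let a user who belongs to several groups reach every project at once, so the security rule has to match on both.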
You can gain visibility into your Prisma Access Agent deployment by using Strata Cloud Manager to monitor your users' project activity, and view the service
consumption and security posture in your network.