Prisma Access
Configure Dynamic Privilege Access Settings
Table of Contents
Configure Dynamic Privilege Access Settings
Learn about the Dynamic Privilege Access functionality in this section.
Where Can I Use This? | What Do I Need? |
|---|---|
|
For IT Enterprise and IT Enabled Services (ITES) companies that need to control which
users have access to their customer projects, Dynamic Privilege Access
provides a seamless, secure, and compartmentalized way for your users to access only
those projects that they are assigned to. These companies typically assign several
customer projects to employees and provide siloed access to these projects so that
so that an authorized user can access only one customer project at a time.
What Is Dynamic Privilege Access?
Dynamic Privilege Access is a feature in
Prisma Access
that provides dynamic
privileges for your users based on the workflow or project that your users select in
the Prisma Access Agent
. Your users can have dynamic privileges based on the
combination of the user group and IP pool that is assigned to a project. This unique
combination defines a project. With Dynamic Privilege Access, you can isolate
resources in your network so that they are only accessible to your users according
to the projects they are assigned to. A new predefined role called the
Project Admin
is available on
Prisma Access
to allow project administrators to
create and manage project definitions. Project administrators have the ability to
map projects to select Prisma Access
location groups, and create IP address
assignments using DHCP based on the project and location group. Project
administrators can manage only the projects that they are assigned to in Strata
Cloud Manager.
When your end users log in to a
Prisma Access Agent
that is enabled for Dynamic
Privilege Access on their managed devices, the following workflow takes place:- Your end user selects a project that they are assigned to (for example, Project 1).
- Their identity is authenticated in Cloud Identity Engine, which maps the user's user group to the project.
- Upon successful authentication, and their user group matches the project criteria set up by the project admin, the user has access to resources in the network through project-specific settings for Project 1 and security rules that provide security posture and access control on a per-project basis. The security infrastructure applies security rules to restrict user access to only the resources and applications belonging to that project. Access to resources and applications from other projects isn't allowed.
- When the user switches to a different project (for example, Project 2), they are signed out of the previous project (Project 1). They can then access the resources for the second project based on the project-specific settings and security rules for that project.
You can gain visibility into your
Prisma Access Agent
deployment by using Strata Cloud Manager
to monitor your users' project activity, and view the service
consumption and security posture in your network.