>
    Strata Copilot
    Remove Plugin Access for a Tenant-Level Administrative User
    Focus
    Download PDF
    Focus
    1. Home
    2. Prisma Access
    3. Prisma Access Administration
    4. Prisma Access Multi-Tenancy
    5. Control Role-Based Access for Tenant-Level Administrative Users
    6. Remove Plugin Access for a Tenant-Level Administrative User
    Download PDF
    Prisma Access

    Remove Plugin Access for a Tenant-Level Administrative User

    Table of Contents

    Remove Plugin Access for a Tenant-Level Administrative User

    Learn how to remove plugin access for a tenant-level administrative user.
    Where Can I Use This?What Do I Need?
    • Prisma Access (Managed by Panorama)
    • For information about managing multiple tenants in Prisma Access (Managed by Strata Cloud Manager), see Prisma SASE.
    In normal multitenant configurations, you use access domains Add Tenants to Prisma Access and associate each access domain with a tenant. To prevent a tenant-level administrative user from viewing or making configuration changes to Prisma Access, you create an access domain, but you do not associate it with a tenant.
    Because you associated the access domain to the device groups and template stacks for the tenant, the tenant-level administrative user has RBAC access at the tenant level and is able to perform configuration for that tenant only. Because you did not associate the access domain with a tenant in Prisma Access, the access domain is unable to view the Cloud Services plugin, which provides access to Prisma Access. In this way, you create a user who can perform tenant-level configuration tasks without being able to access, view, or make configuration changes to Prisma Access.
    To remove Prisma Access for an administrative-level user, complete the following task.
    This task assumes that you have Add Tenants to Prisma Access templates, template stacks, and device groups for the tenant; you’ll be associating them to the tenant-level administrative user.
    1. Create an administrative role with a type of Device Group and Template.
      1. Select PanoramaAdmin Roles.
      2. Add an Admin Role Profile with a Role of Device Group and Template.
      3. Click OK.
        You can create a single Admin Role Profile and share it across multiple tenants.
    2. Select PanoramaAccess Domain and Add an Access Domain.
    3. Specify the Device Groups and Templates associated with the tenant.
      If you created any device groups that are children or grandchildren of other device groups under the Shared parent device group, select only the device group at the lowest hierarchical level (child or grandchild); do not select the parent or you will have errors on commit.
    4. Create and configure an Administrator for the tenant-level administrative user, specifying the Access Domain you just created.
      1. Select PanoramaAdministrators.
      2. Add an Administrator.
      3. Enter and confirm a Password for the new Administrator.
      4. Specify an Administrator Type of Device Group and Template Admin.
      5. Specify the Access Domain that is associated with the device groups for that tenant.
      6. Specify the Admin Role that you created in Step 1 for the tenant.
        When you complete this example, the abcd-tenant-no-plugin-access Administrative user will have permissions based on what you defined in the Admin Role profile, but will not be able to view or configure the Cloud Services plugin (including Prisma Access). Note, however, that they will not be able to push any changes that they make to the cloud.
    5. Select CommitCommit to Panorama and Commit your changes.

    © 2026 Palo Alto Networks, Inc. All rights reserved.