Define Permissions for Accessing Privileged Remote Access Apps

Configure the permissions users and user groups need to access certain apps in the Privileged Remote Access portal.
Where Can I Use This?
  • Prisma Access (Managed by Panorama or Strata Cloud Manager)
What Do I Need?
  • Prisma Access 5.2.1
  • Minimum Prisma Access dataplane version: 11.2.4
  • Prisma Access license with a Mobile User subscription
  • Privileged Remote Access add-on license
By default, no users can access any of the apps that you set up for Privileged Remote Access (PRA). You will need to explicitly grant permissions to the users or user groups to define who has access to which apps.
To define the permissions, you must:
  • Define the PRA policy rules that identify which users or user groups have access to which apps
  • Define a Security policy rule on the GlobalProtect gateway (Mobile User Security Processing Node (MU-SPN)) to allow traffic from a set of users or user groups to a set of destinations
To set up the permissions to enable PRA app access:
  1. Configure app policies for PRA.
    1. Go to Workflows > Privileged Remote Access > PRA Portal and Add an app policy.
      The App Policies table shows the policies that have been set up.
    2. Add an app policy.
    3. Enter a meaningful Name for the PRA policy.
      By default, the new policy is Enabled. If needed, you can disable it later in the App Policies table.
    4. Specify the match criteria that define which users and user groups have access to which apps.
      1. Select at least one User, User group, or both, to associate to this policy.
        If you select a user, the User Groups field becomes optional. Similarly, if you select a user group, the Users field becomes optional.
      2. Select the Applications that you want to associate to this policy: at least one Application, Application group, or both.
        If you select an application, the Application Groups field becomes optional. Similarly, if you select an application group, the Applications field becomes optional.
    5. Select a PRA Profile for the apps in this policy. When the matching users access the apps in this policy, they will be able to perform the actions that are defined in the PRA profile.
    6. Save your settings.
  2. Define a Security policy rule to allow PRA traffic through the MU-SPNs so that your users can access the destination IP addresses or FQDNs for the PRA apps.
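
The two permission layers in this procedure can be checked offline to see which one blocks a given user before a change goes live. The following Python is an added example, not Palo Alto Networks code or a Prisma Access API: the data classes, field names, and sample values are constructed for illustration, and it assumes access requires both a valid, enabled app policy and a Security policy rule that covers the app's destination.

```python
# Added illustration: data shapes and sample values are constructed, not a Prisma Access format.
from dataclasses import dataclass, field

@dataclass
class AppPolicy:                          # one row of the App Policies table
    name: str
    profile: str                          # PRA profile name
    users: set = field(default_factory=set)
    groups: set = field(default_factory=set)
    apps: set = field(default_factory=set)
    app_groups: set = field(default_factory=set)
    enabled: bool = True

@dataclass
class SecurityRule:                       # allow rule on the MU-SPN
    sources: set                          # users and user groups
    destinations: set                     # IP addresses or FQDNs

def validate(p):  # problems with one app policy's required fields
    errs = []
    if not (p.users or p.groups):
        errs.append("select at least one user or user group")
    if not (p.apps or p.app_groups):
        errs.append("select at least one application or application group")
    if not p.profile:
        errs.append("select a PRA profile")
    return errs

def check_access(user, user_groups, app, policies, rules, group_apps, app_dest):
    """Report which layer, if any, blocks user -> app. Default is deny."""
    ids = {user} | set(user_groups)
    profiles = []
    for p in policies:
        if not p.enabled or validate(p):
            continue
        covered = p.apps | {a for g in p.app_groups for a in group_apps.get(g, ())}
        if ids & (p.users | p.groups) and app in covered:
            profiles.append(p.profile)
    if not profiles:
        return "denied: no PRA app policy", []
    if not any(ids & r.sources and app_dest[app] in r.destinations for r in rules):
        return "denied: no Security policy rule", profiles
    return "allowed", profiles

POLICIES = [AppPolicy("dba-access", "dba-profile", groups={"dba-admins"}, app_groups={"databases"}),
            AppPolicy("broken", "ops-profile", apps={"jump-ssh"})]   # no user or group selected
RULES = [SecurityRule({"dba-admins"}, {"db01.example.internal"})]
GROUP_APPS = {"databases": {"db-console", "db-backup"}}
APP_DEST = {"db-console": "db01.example.internal", "db-backup": "10.20.0.15", "jump-ssh": "10.20.0.22"}
```

With this sample data, a member of `dba-admins` reaches `db-console`, but `db-backup` is reported as blocked at the Security policy layer even though the app policy grants it.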