Use this method to manage access to all Panorama components for tenant-level users, with the exception of the Cloud Services plugin, where you manage Prisma Access.
If you want to restrict a tenant-level user from configuring the Prisma Access components in Panorama, you cannot use Admin Roles. To keep users from performing Prisma Access-specific configuration tasks, you must prevent them from accessing the Cloud Services plugin, which also prevents them from viewing it. Using this method, you can create an administrative user for a security professional who has permission to change security policies and commit those changes to Panorama, but cannot view or change any Prisma Access configuration.
You can either enable or disable access to the Cloud Services plugin for a user, but you cannot give a user read-only access; if a user can view the Cloud Services plugin, the user can also make configuration changes to its components, including Prisma Access.
The following table shows sample tenant-level administrative roles and the steps you perform to create those roles.

Role: Create a security-focused user who:
- Can view and make changes to security policies
- Can commit to Panorama
- Cannot view, or make changes to, the Cloud Services plugin
- Cannot push configuration to Prisma Access (the superuser must push the configuration)
Steps: To prevent a tenant-level administrative user from viewing or accessing the plugin, remove plugin access for the tenant-level administrator (see Remove Plugin Access for a Tenant-Level Administrative User below). For all other Panorama-related permissions, change the Admin Role permissions for the user, removing any permissions that you don't want the tenant-level administrative user to have.

Role: Create a hybrid user who:
- Has read-only access to the Cloud Services plugin
- Has read-write access to the security policy
- Cannot push the configuration to Prisma Access (the superuser must push the configuration)
Steps: This configuration is not possible. You cannot make the Cloud Services plugin read-only. You can only give admin users access to view it and use it to make configuration changes, or disallow them from viewing it.
Remove Plugin Access for a Tenant-Level Administrative User
In normal multitenant configurations, you use access domains (see Add Tenants to Prisma Access) and associate each access domain with a tenant. To prevent a tenant-level administrative user from viewing or making configuration changes to Prisma Access, you create an access domain but do not associate it with a tenant.
Because you associate the access domain with the device groups and template stacks for the tenant, the tenant-level administrative user has RBAC access at the tenant level and can perform configuration for that tenant only. Because you did not associate the access domain with a tenant in Prisma Access, a user assigned that access domain cannot view the Cloud Services plugin, which provides access to Prisma Access. In this way, you create a user who can perform tenant-level configuration tasks without being able to access, view, or change the Prisma Access configuration.
To remove Prisma Access access for an administrative-level user, complete the following task.
This task assumes that you have already created the templates, template stacks, and device groups for the tenant (see Add Tenants to Prisma Access); you will be associating them with the tenant-level administrative user.
If you created any device groups that are children or grandchildren of other device groups under the Shared parent device group, select only the device group at the lowest hierarchical level (child or grandchild); do not select the parent, or you will get errors on commit.
Create and configure an Administrator for the tenant-level administrative user, specifying the Access Domain you just created.
Select Panorama > Administrators.
Add an Administrator.
Enter and confirm a Password for the new Administrator.
Specify an Administrator Type of Device Group and Template Admin.
Specify the Access Domain that is associated with the device groups for that tenant.
The administrative user will have the permissions you defined in the Admin Role profile, but will not be able to view or configure the Cloud Services plugin (including Prisma Access). Note also that they will not be able to push any changes they make to the cloud; a superuser must push the configuration.
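The following Python script is an added example, not Palo Alto Networks code: it models the access rules this page describes (plugin access is all-or-nothing and follows the tenant binding of the access domain, not the Admin Role profile; a parent device group must not be selected together with its child) so that a planned set of tenant-level administrators can be audited before you build them in the GUI. It does not talk to Panorama and does not use the real configuration schema; the object layout, admin-type strings, permission names and the sample administrators, access domains and device-group hierarchy are constructed for illustration.

```python
"""Added example: model of the Panorama/Prisma Access admin rules on this page.

Not Palo Alto Networks code and not the real Panorama schema or API. Names,
admin-type strings and permission labels below are assumptions for illustration.
"""
from dataclasses import dataclass
from typing import Optional

# The Cloud Services plugin is either fully visible and configurable or hidden;
# the page states that a read-only option does not exist.
NONE, READ_WRITE = "none", "read-write"


@dataclass(frozen=True)
class AccessDomain:
    name: str
    device_groups: frozenset
    template_stacks: frozenset
    tenant: Optional[str] = None  # None = not associated with a Prisma Access tenant


@dataclass(frozen=True)
class Administrator:
    name: str
    admin_type: str                      # "superuser" or "dg-template-admin" (assumed labels)
    access_domain: Optional[str] = None  # required for a Device Group and Template Admin
    role_permissions: frozenset = frozenset()  # whatever the Admin Role profile grants


def plugin_access(admin: Administrator, domains: dict) -> str:
    """Effective access to the Cloud Services plugin, and therefore to Prisma Access."""
    if admin.admin_type == "superuser":
        return READ_WRITE
    if admin.admin_type != "dg-template-admin":
        raise ValueError(f"unknown admin type {admin.admin_type!r}")
    domain = domains[admin.access_domain]
    # Visibility follows the access domain's tenant binding, not the Admin Role:
    # bound to a tenant -> full access; unbound -> plugin hidden entirely.
    return READ_WRITE if domain.tenant else NONE


def check_requested_plugin_access(wanted: str) -> None:
    """Reject role requests the platform cannot express (e.g. the 'hybrid' user)."""
    if wanted not in (NONE, READ_WRITE):
        raise ValueError(f"plugin access {wanted!r} is not available: the Cloud "
                         "Services plugin is either fully configurable or hidden")


def nested_device_groups(domain: AccessDomain, parent_of: dict) -> set:
    """Selected device groups that are ancestors of another selected group.

    The page warns that selecting a parent together with its child or grandchild
    causes commit errors. parent_of maps child -> parent; 'Shared' is the root.
    """
    offending = set()
    for dg in domain.device_groups:
        parent = parent_of.get(dg)
        while parent is not None and parent != "Shared":
            if parent in domain.device_groups:
                offending.add(parent)
            parent = parent_of.get(parent)
    return offending


def audit_tenant_admins(admins, domains, parent_of) -> list:
    """(admin name, problem) for every tenant-level admin that strays from the
    security-focused role in the table: no plugin access, no nested device groups."""
    problems = []
    for admin in admins:
        if admin.admin_type != "dg-template-admin":
            continue
        if plugin_access(admin, domains) != NONE:
            problems.append((admin.name, "can view and change Prisma Access"))
        nested = nested_device_groups(domains[admin.access_domain], parent_of)
        if nested:
            problems.append((admin.name, f"parent device group selected: {sorted(nested)}"))
    return problems


# Constructed sample data (hypothetical names).
PARENT_OF = {"tenant-a": "Shared", "tenant-a-branch": "tenant-a"}
DOMAINS = {
    # Unbound domain: tenant-scoped RBAC, plugin hidden (what this page builds).
    "tenant-a-admin-dom": AccessDomain("tenant-a-admin-dom", frozenset({"tenant-a-branch"}),
                                       frozenset({"tenant-a-stack"})),
    # Domain bound to a tenant, as created under Add Tenants to Prisma Access.
    "tenant-a-dom": AccessDomain("tenant-a-dom", frozenset({"tenant-a"}),
                                 frozenset({"tenant-a-stack"}), tenant="tenant-a"),
    # Misconfigured: parent and child device group selected together.
    "tenant-a-nested": AccessDomain("tenant-a-nested", frozenset({"tenant-a", "tenant-a-branch"}),
                                    frozenset({"tenant-a-stack"})),
}
ADMINS = [
    Administrator("superadmin", "superuser"),
    Administrator("secops-a", "dg-template-admin", "tenant-a-admin-dom",
                  frozenset({"security-policy:rw", "commit:panorama"})),
    Administrator("oops-a", "dg-template-admin", "tenant-a-dom"),
    Administrator("nested-a", "dg-template-admin", "tenant-a-nested"),
]

if __name__ == "__main__":
    for name, why in audit_tenant_admins(ADMINS, DOMAINS, PARENT_OF):
        print(f"{name}: {why}")
```

Running it reports oops-a (its access domain is bound to a tenant, so the plugin is visible and writable) and nested-a (parent and child device group selected together); secops-a, built the way this page describes, passes. Requesting read-only plugin access for the hybrid user raises the same objection the table gives.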