>
    Manage: Access Control
    Focus
    Download PDF
    Focus
    1. Home
    2. Strata Cloud Manager
    3. Manage: Access Control
    Download PDF
    Strata Cloud Manager

    Manage: Access Control

    Table of Contents

    Manage: Access Control

    Configure scope management to enforce role-based access control for
    Strata Cloud Manager
    .
    Where Can I Use This?
    What Do I Need?
    • Prisma Access (Cloud Management)
    • NGFW (Cloud Managed)
    • AIOps for NGFW Premium
       license
      or
      Prisma Access
       license
    Role-based access control (RBAC) enables you to define the privileges and responsibilities of administrative users (administrators). Every administrator must have a user account that specifies a role and authentication method.
    Prisma Access
     Cloud Management implements custom RBAC, to enable you to manage roles or specific permissions, and assign access rights to administrative users. Using RBAC, you can manage users and their access to various resources within Cloud Management.

    Administrator Roles

    A user on
    Prisma Access
     is someone who has been assigned administrative privileges, and a role defines the type of access that the administrator has on the service. When you assign a role, you specify the permission group and the account groups that the administrator can manage. The hub has the following permission groups built-in for administrators using
    Prisma Access
    .
    • App Administrator
       — Has full access to the given app, including all instances added to the app in the future. App Administrators can assign roles for app instances, and they can also activate app instances specific to that app.
    • Instance Administrator
       — Has full access to the app instance for which this role is assigned. The Instance Administrator can also make other users an Instance Administrator for the app instance. If the app has predefined or custom roles, the Instance Administrator can assign those roles to other users.
    • Super Reader
       — Can view all config elements, logs, and settings. Super Readers can’t make changes to other settings.
    • Audit Admin
       — Can view and manage logs and log settings only. Audit Admins can’t make changes to other settings.
    • Crypto Admin
       — Can view logs, and manage cryptographic settings such as IKE, IPSec, master key management, and certificate configuration. Crypto Admins can’t view or make changes to other settings.
    • Security Admin
       — Can view logs and manage all settings except the cryptographic settings that are available to the Crypto Admin role.
    • Web Security Admin
       — Can view configuration elements related to Web Security only.
    • Data Loss Prevention Admin
      —Can access Enterprise DLP settings but cannot push configuration changes to
      Prisma Access
      .
    • Data Security Admin
      —Can access Enterprise DLP and SaaS Security controls, but cannot push configuration changes to
      Prisma Access
      .
    • SaaS Admin
      —Can access SaaS Security settings but cannot push configuration changes to
      Prisma Access
      .

    Custom Role-Based Access Control — Setup

    Here’s how to use a predefined role or create a custom role, assign a role to a user, and manage the user scope when you access the
    Prisma Access
     application.
    1. If you require more granular access control than the predefined roles provide, you can add custom roles to define which permissions are enforced for your users. Similar to predefined roles, custom roles are a set of permissions and permission sets. Unlike predefined roles, each custom role is assignable only to the users in the hierarchy under the Tenant Service Group (TSG) where it is defined. This avoids name conflicts between similarly named custom roles defined by different customers.
      If you add a custom role at the top level (parent level) of the hierarchy, that role is assigned to the tenants nested below so that the parent tenant can manage the child tenants.
    2. The Common Services: Access and Identity enables you to add user access to the platform as well as to the tenants you created.
    3. If you already added users and want to add additional roles, you can also assign a batch of predefined roles. Review additional information about roles and permissions.
    4. Prisma Access
       Cloud Management enables you (as an administrator) to assign a management scope to a cloud management user (non-administrator) to associate permissions based on scopes such as folders and snippets.
      The permissions are actions that are allowed in the system. Permissions represent a specific set of application programming interface (API) calls that you use to read, write, and delete objects within the systems. All permissions are grouped into roles.

    Recommended For You

    © 2024 Palo Alto Networks, Inc. All rights reserved.