Available Roles

The Palo Alto Networks Cortex hub offers some standard roles. Some apps also offer custom roles.
The roles available to users vary by app. There are some standard roles that are available for every app — mostly these determine who can manage roles for the app or account. Some apps also provide additional roles that determine what kind of activities a user can perform in the app.

Common Roles

Roles available to every app are:
Role
Definition
Account Administrator
This is the account that can assign roles for any app in your organization. The Account Administrator can activate and deactivate app instances, and it can access all app instances installed for the account.
The Account Administrator is usually the first user from your organization to register on the Palo Alto Networks Customer Support Portal. However, other accounts can be assigned this role using the Manage Roles page (there is no limit to the number of accounts that can be assigned this or any other role).
Account Administrators cannot be assigned roles to apps because they already have full role access to everything.
App Administrator
Can activate or deactivate app instances. Can also assign roles specific to that app. For example, if you are the App Administrator for Traps management service, then you can activate new instances of Traps. You can also make other users an App or Instance Administrator, and you can assign other users any of the custom Traps roles.
App Administrators cannot be assigned custom roles to specific instances of the app because they already have full role access to all app instances.
No Role
Has no access to the app.
Instance Administrator
Can access the app instance for which this role is assigned. If the app has custom roles, the Instance Administrator can assign those roles to other users. The Instance Administrator can also make other users an Instance Administrator for the app instance. Finally, the Instance Administrator can deactivate the app instance.
Instance Administrators cannot be assigned app-specific roles for the app instance because they already have full role access to the instance.

Traps Management Service Roles

Traps management service provides granular roles for its users. For details on these roles and how to use them, see Manage Administrative Access in the Traps Management Service Administration Guide.

Related Documentation