The Palo Alto Networks hub offers some standard roles. Some apps also offer custom roles.
The roles available to users vary by app. There are some standard roles that are available for every app — mostly these determine who can manage roles for the app or account. Some apps also provide additional roles that determine what kind of activities a user can perform in the app.
Roles available to every app are:
This is the account that can assign roles for any app in your organization. The Account Administrator can activate and deactivate app instances, and it can access all app instances installed for the account.
The Account Administrator is usually the first user from your organization to register on the Palo Alto Networks Customer Support Portal. However, other accounts can be assigned this role using the
Manage Rolespage (there is no limit to the number of accounts that can be assigned this or any other role).
Account Administrators cannot be assigned roles to apps because they already have full role access to everything.
Can activate or deactivate app instances. Can also assign roles specific to that app. For example, if you are the App Administrator for Traps management service, then you can activate new instances of Traps. You can also make other users an App or Instance Administrator, and you can assign other users any of the custom Traps roles.
App Administrators cannot be assigned custom roles to specific instances of the app because they already have full role access to all app instances.
Has no access to the app.
Can access the app instance for which this role is assigned. If the app has custom roles, the Instance Administrator can assign those roles to other users. The Instance Administrator can also make other users an Instance Administrator for the app instance. Finally, the Instance Administrator can deactivate the app instance.
Instance Administrators cannot be assigned app-specific roles for the app instance because they already have full role access to the instance.
Some apps provide additional roles—beyond the common roles available to every app—that determine what kind of activities a user can perform in the app.