Manage Device Security Users
Learn about and manage Device Security users with role-based access control (RBAC).
Where Can I Use This? | What Do I Need? |
|
One of the following subscriptions:
Device Security subscription for an advanced Device Security product (Enterprise, OT, or Medical)
Device Security X subscription
|
Role-based access control (RBAC) enables you to assign privileges and access rights to
administrative users through role assignment. Create user accounts in the
Customer Support Portal, and assign them roles. In some cases, you can also limit the
data that users can access by site. For step-by-step instructions about creating users
for Device Security, see Create Device Security Users.
Device Security supports the following user roles:
App Administrator
Instance Administrator
(Legacy) IoT Security portal Owner
(Legacy) IoT Security portal Administrator
(Legacy) IoT Security portal Read-only
Strata Cloud Manager Superuser
Strata Cloud Manager View-only Administrator
The App Administrator and Instance Administrator are common roles that are available to
every Palo Alto Networks product application. For Device Security, they provide the
same privileges as Owner. To learn more about them, see Available Roles.
The three user roles specifically for the Device Security portal are Owner,
Administrator, and Read-only.
The two user roles specifically for Device Security in Strata Cloud Manager are
Superuser and View-only Administrator.
User Role | Role Definition | Access Control |
(Legacy) IoT Security portal Owner; Strata Cloud Manager Superuser (Also App Administrator and Instance Administrator) | Access to all functions in the Device Security portal | All read/write privileges as administrators plus: Set a global idle timeout; Change the device-to-site assignment method from one based on firewall locations to one based on IP addresses; View audit logs for all users; Set scanning permissions per administrator account; Control which sites users with administrator and read-only privileges can access; Control who receives notifications of security alerts and system alerts |
(Legacy) IoT Security portal Administrator; Strata Cloud Manager Superuser | Access to most functions in the Device Security portal | Create, edit, and delete Device Security configurations and manage their own account preferences: See their own user role and list of sites they can access; Create, download, and delete API access keys; Update contact info; Modify their login preference if accessing multiple deployments; Shorten the idle timeout; Enable and disable alert sounds; Enable and disable alert notifications via SMS and email; Manage their own user account preferences; See the audit log for their own activities |
(Legacy) IoT Security portal Read-only; Strata Cloud Manager View-only Administrator | Can only view data in the Device Security portal | View Device Security data for the sites they can access; Manage their own user account preferences; See the audit log for their own activities |
For Panorama managed Prisma Access tenants with a
Device Security add-on license, add the following types of users to give them
access privileges to both Prisma Access and Device Security:
Prisma® SASE Platform User Roles | Device Security User Roles |
Superuser, MSP Superuser | Owner |
N.A. | Administrator* |
View Only Administrator | Read-only |
* There is no user role in Prisma SASE that maps to the
Administrator role in Device Security.
For new Panorama managed Prisma Access customers as of August 2022, or an existing
Panorama managed Prisma Access customer whose Prisma Access instance
transitioned to the Prisma SASE platform, use Common Services: Identity & Access
for managing user access, roles, and service accounts.
For existing Panorama managed Prisma Access customers whose Prisma Access
instance has not yet transitioned to the Prisma SASE Platform, you can continue
using the existing process to create administrative users
until the transition completes.