MSP Account Roles and Permissions

Role-based access control and authentication are supported for all operations performed by MSPs. The MSP tenant, although subordinate to the Prisma SD-WAN tenant, acts as a super-tenant for all the client tenants under its control.

Typically, MSP accounts are regular user accounts with an additional set of roles and with Single Sign-On (SSO) access through an enterprise Identity Provider (IdP). A group name in the IdP may be mapped to a custom role of the same name. The MSP roles and their responsibilities are classified as follows:
| MSP Role | Permissions |
|---|---|
| MSP Superuser (msp_superuser) | Read and write access to manage all dashboards, reports, apps, logs, and SD-WAN services and devices within the assigned level of the nested hierarchy. This role includes the permissions of all other roles, plus the ability to activate product licenses through an email activation link. Assign it only to users or service accounts that require unrestricted access across multiple tenants. |
| MSP Identity and Access Management (IAM) Administrator (msp_iam_admin) | Read and write access to identity and authentication functions for all tenants in a multi-tenant hierarchy. This role also includes read-only access to logs. It has no access to dashboards. |
In an MSP account, you can view, manage, or administer other client networks and accounts if either of the following applies:

- The user is added to the IAM of the root (MSP) tenant and therefore has access to all the child (client) tenants in the hierarchy.
- Specific users of a provider account are assigned to manage specific, approved client accounts for that provider. These users must be added to the IAM of each of those child (client) tenants. This assignment is performed by users of the provider account who hold msp_superuser or msp_iam_admin privileges.
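The following is an added, illustrative model of the scoping rules described above (a grant at a tenant applies to that tenant and everything nested under it, and each role carries a fixed set of resource permissions). It is not Prisma SD-WAN code and does not use its API; the role names msp_superuser and msp_iam_admin come from the page, while the `Tenant`, `Grant`, `User` classes, the `can` and `effective_roles` functions, the permission matrix, the IdP group mapping and the sample tenants are all constructed assumptions for this example.

```python
# Illustrative model of MSP role scoping across a tenant hierarchy.
# Assumption: this is NOT Prisma SD-WAN code; only the two role names are
# taken from the documentation, everything else is constructed here.
from dataclasses import dataclass, field

# Permission matrix per role, following the role descriptions on the page:
# resource -> set of allowed actions. A missing resource means no access.
ROLE_PERMISSIONS = {
    "msp_superuser": {
        "dashboards": {"read", "write"},
        "reports": {"read", "write"},
        "apps": {"read", "write"},
        "logs": {"read", "write"},
        "sdwan": {"read", "write"},
        "identity": {"read", "write"},
    },
    "msp_iam_admin": {
        "identity": {"read", "write"},
        "logs": {"read"},          # read-only on logs
        # no "dashboards" entry: the role has no dashboard access
    },
}

# IdP group name -> custom role of the same name (page: a group may be mapped
# to a role with the same name). Groups not listed here grant nothing.
IDP_GROUP_TO_ROLE = {
    "msp_superuser": "msp_superuser",
    "msp_iam_admin": "msp_iam_admin",
}


@dataclass
class Tenant:
    """A tenant node; the MSP root has parent=None, clients point at the MSP."""
    name: str
    parent: "Tenant | None" = None

    def ancestors(self):
        """Yield this tenant and every tenant above it, up to the root."""
        t = self
        while t is not None:
            yield t
            t = t.parent


@dataclass
class Grant:
    """A role added to a user in the IAM of a particular tenant."""
    role: str
    tenant: Tenant


@dataclass
class User:
    name: str
    grants: list = field(default_factory=list)


def roles_from_idp_groups(groups):
    """Translate SSO group names into custom roles; unknown groups are ignored."""
    return [IDP_GROUP_TO_ROLE[g] for g in groups if g in IDP_GROUP_TO_ROLE]


def effective_roles(user, target):
    """Roles a user holds on `target`: a grant in tenant T's IAM applies to T
    and to every tenant nested under T, but never to siblings or parents."""
    chain = list(target.ancestors())
    return {g.role for g in user.grants if g.tenant in chain}


def can(user, target, resource, action):
    """Authorization check: is `action` on `resource` in `target` allowed?"""
    return any(
        action in ROLE_PERMISSIONS.get(role, {}).get(resource, set())
        for role in effective_roles(user, target)
    )


# Constructed sample hierarchy: one MSP root with two client tenants.
msp = Tenant("msp-root")
client_a = Tenant("client-a", parent=msp)
client_b = Tenant("client-b", parent=msp)

# alice was added at the root (MSP) IAM, so she reaches every client tenant.
alice = User("alice", [Grant("msp_superuser", msp)])
# bob was added only to client-a's IAM, so client-b is out of scope for him.
bob = User("bob", [Grant(r, client_a) for r in roles_from_idp_groups(["msp_iam_admin", "unrelated"])])

if __name__ == "__main__":
    for user, tenant, res, act in [
        (alice, client_b, "dashboards", "write"),
        (bob, client_a, "identity", "write"),
        (bob, client_a, "logs", "write"),
        (bob, client_a, "dashboards", "read"),
        (bob, client_b, "identity", "read"),
    ]:
        print(f"{user.name:6} {tenant.name:9} {res:11} {act:6} -> {can(user, tenant, res, act)}")
```

The model makes two review checks concrete: a root-level grant is the only way to reach every client, and an msp_iam_admin grant on one client gives nothing on a sibling client, nothing on dashboards, and only read on logs.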