Prisma SD-WAN Device and Tenant Management

Prisma SD-WAN for MSPs provides a set of operational features for Managed Service Providers (MSPs) to manage devices and tenants within their purview.
Where Can I Use This?
  • Prisma SD-WAN
What Do I Need?
  • Prisma SD-WAN license

Multi-Tenancy

The Prisma SD-WAN controller has multi-tenancy integrated into the solution, allowing service providers, enterprise customers, and managed support organizations to provide dedicated services based on their organizational structure. Some examples of multi-tenancy are:
  • MSPs operating the Prisma SD-WAN environment for multiple customers.
  • Enterprise customers with a central purchasing model, in which several lines of business operate independently within the enterprise.
For detailed information, check the following sections:

MSP Account Roles and Permissions

Role-based access control and authentication are supported for all operations performed by MSPs. The MSP tenant, though subservient to the Prisma SD-WAN tenant, acts as a super-tenant to all the client tenants under its control.
Typically, MSP accounts are regular user accounts with an additional set of roles, and Single Sign-On (SSO) access through an enterprise Identity Provider (IdP). A group name within the IdP can be mapped to a custom role of the same name. The MSP roles and their responsibilities are classified as follows:
MSP Role: MSP Superuser (msp_superuser)
Permissions: Read and write access to manage all dashboards, reports, apps, logs, and SD-WAN services and devices within the assigned level of the nested hierarchy. Includes all permissions assigned to all other roles, plus the ability to activate product licenses through the email activation link. Assign only to users or service accounts that require unrestricted access across multiple tenants.

MSP Role: MSP Identity and Access Management (IAM) Administrator (msp_iam_admin)
Permissions: Read and write access to identity and authentication functions for all tenants in a multi-tenant hierarchy. Also includes read-only access to logs. No access to dashboards.
In an MSP account, you may view, manage, or administer other client networks and accounts if:
  • The user is added to the IAM of the root (MSP) tenant, which grants access to all the child (client) tenants in the hierarchy.
  • Specific users of a provider account are assigned to manage specific, approved client accounts for that provider. These users need to be added to the IAM for the particular child (client) tenants. This is handled by the users of a provider account who have msp_superuser or msp_iam_admin privileges.
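The scoping rules above (an IAM entry at the root covers every child tenant, an entry at a client tenant covers only that subtree, and the two MSP roles carry different permission sets) can be modelled to review who can reach what. The following is an added example written for this page, not Prisma SD-WAN code or API; the tenant names, user names and the ROLE_PERMS mapping are constructed from the descriptions above.

```python
# Added example (not Prisma SD-WAN code): model of the MSP tenant hierarchy
# and the two MSP roles, to reason about a user's effective scope.

# Constructed mapping of each role to resource -> allowed actions, following
# the role descriptions: msp_superuser is read/write everywhere and includes
# the other roles; msp_iam_admin is identity read/write, logs read-only,
# and has no dashboard access.
ROLE_PERMS = {
    "msp_superuser": {
        "dashboards": {"read", "write"}, "reports": {"read", "write"},
        "apps": {"read", "write"}, "logs": {"read", "write"},
        "sdwan": {"read", "write"}, "identity": {"read", "write"},
    },
    "msp_iam_admin": {"identity": {"read", "write"}, "logs": {"read"}},
}

# Constructed hierarchy: child tenant -> parent tenant (the root has no parent).
PARENT = {"client-a": "msp-root", "client-b": "msp-root", "client-a-lab": "client-a"}

def ancestors(tenant):
    """Yield the tenant itself, then each parent up to the root."""
    while tenant is not None:
        yield tenant
        tenant = PARENT.get(tenant)

def effective_roles(assignments, user, tenant):
    """Roles a user holds on `tenant`: an IAM entry on that tenant or on any
    ancestor applies, because an entry at a tenant covers all tenants below it."""
    scope = set(ancestors(tenant))
    return {role for (u, t, role) in assignments if u == user and t in scope}

def can(assignments, user, tenant, resource, action):
    """True if any effective role grants `action` on `resource` in `tenant`."""
    return any(action in ROLE_PERMS[r].get(resource, set())
               for r in effective_roles(assignments, user, tenant))

def audit_root_superusers(assignments, root="msp-root"):
    """Least-privilege review: msp_superuser at the root reaches every tenant."""
    return sorted({u for (u, t, r) in assignments if t == root and r == "msp_superuser"})

# Constructed IAM entries: (user, tenant where the user was added, role).
ASSIGNMENTS = [
    ("alice", "msp-root", "msp_superuser"),   # root superuser: all tenants
    ("bob", "msp-root", "msp_iam_admin"),     # identity admin for the whole tree
    ("carol", "client-a", "msp_superuser"),   # superuser only within client-a
]
```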