Control Role-Based Access for Tenant-Level Administrative
If you manage a multi-tenant deployment, you can use role-based access control (RBAC) to create tenant-level administrative users.
To modify RBAC-level access for tenant-level administrative users in Panorama, you create a tenant-level administrative user, use an Admin Role Profile with a
Device Group and Template, and
Disable, or give
Read Onlyaccess to areas of the Panorama
Web UI. Use this method to manage access to all Panorama components for tenant-level users, with the exception of access to the Cloud Services plugin where you manage Prisma Access.
If you want to restrict a tenant-level user from configuring the Prisma Access components in Panorama, you cannot use Admin Roles. To disallow users from configuring Prisma Access-specific configuration tasks, you must prevent the user from accessing the Cloud Services plugin, which also prevents them from viewing it. Using this method, you can create an administrative user for a security professional who has permissions to make changes to security policies and push those changes to Panorama, but cannot view or make any changes to Prisma Access configuration.
You can either enable or disable access to the Cloud Services plugin for a user, but you cannot give a user read-only access; if a user has access to view the Cloud Services plugin, the user can also make configuration changes to its components, including Prisma Access.
The following table shows sample tenant-level administrative roles and the steps you perform to create those roles.
Sample Tenant-Level Configuration
Create a networking-focused user who:
Create a tenant-level administrative user, enabling
Commitpermissions in the
Admin Role Profile, and disabling or making
Read Onlyany permissions that you don’t want the tenant-level administrative user to have.
Create a security-focused user who:
To prevent a tenant-level administrative user from viewing or accessing the plugin, remove plugin access for a tenant-level administrator. For all other Panorama-related permissions, change the Admin Role permissions for the user.
Create a hybrid user who:
You cannot make the Cloud Services plugin read-only. You can either view it or disable it.
Remove Plugin Access for a Tenant-Level Administrative User
In normal multi-tenant configurations, you use access domains Add Tenants to Prisma Access and associate each access domain with a tenant. To prevent a tenant-level administrative user from viewing or making configuration changes to Prisma Access, you create an access domain, but you do not associate it with a tenant.
Because you associated the access domain to the device groups and template stacks for the tenant, the tenant-level administrative user has RBAC access at the tenant level and is able to perform configuration for that tenant only. Because you did not associate the access domain with a tenant in Prisma Access, the access domain is unable to view the Cloud Services plugin, which provides access to Prisma Access. In this way, you create a user who can perform tenant-level configuration tasks without being able to access, view, or make configuration changes to Prisma Access.
To remove Prisma Access access for an administrative-level user, complete the following task.
- Create an administrative role with a type ofDevice Group and Template.
- Select.PanoramaAdmin Roles
- Addan Admin Role Profile with aRoleofDevice Group and Template.
- ClickOK.You can create a single Admin Role Profile and share it across multiple tenants.
- SelectandPanoramaAccess DomainAddan Access Domain.
- Specify theDevice GroupsandTemplatesassociated with the tenant.If you created any device groups that are children or grandchildren of other device groups under theSharedparent device group, select only the device group at the lowest hierarchical level (child or grandchild); do not select the parent or you will have errors on commit.
- Create and configure an Administrator for the tenant-level administrative user, specifying the Access Domain you just created.
- Addan Administrator.
- Enter and confirm aPasswordfor the new Administrator.
- Specify anAdministrator TypeofDevice Group and Template Admin.
- Specify theAccess Domainthat is associated with the device groups for that tenant.
- Specify theAdmin Rolethat you created in Step 1 for the tenant.When you complete this example, theabcd-tenant-no-plugin-accessAdministrative user will have permissions based on what you defined in the Admin Role profile, but will not be able to view or configure the Cloud Services plugin (including Prisma Access). Note, however, that they will not be able to push any changes that they make to the cloud.
- SelectandCommitCommit to PanoramaCommityour changes.
Recommended For You
Recommended videos not found.