User-Based Policy in Prisma Access

Cloud Identity Engine (Directory Sync) gives Prisma Access read-only access to your Active Directory information, so that you can easily set up and manage security and decryption policies for users and groups.
Cloud Identity Engine works with both on-premises Active Directory and Azure Active Directory.
To set up Cloud Identity Engine with Prisma Access, start by going to the hub to activate Cloud Identity Engine and to add it to Prisma Access. Then go to Prisma Access to validate that Prisma Access is able to access directory data.
  1. Activate Cloud Identity Engine
    Cloud Identity Engine can share Active Directory information with any supported app on the hub. It’s free and does not require an auth code to get started. Cloud Identity Engine setup includes activating the Cloud Identity Engine app on the hub, configuring the Cloud Identity Engine agent to gather Active Directory mappings, and configuring mutual authentication between Cloud Identity and and the agent.
    Make sure to deploy the Cloud Identity Engine instance in the same region that you deployed Prisma Access and Cortex Data Lake.
  2. Enable Cloud Identity Engine for Prisma Access.
    You can associate Prisma Access with Cloud Identity Engine when you’re first activating Prisma Access or anytime after:
    • While you’re activating Prisma Access:
      When you first activate Cloud Managed Prisma Access, you can choose a Cloud Identity Engine instance for Prisma Access to use. Make sure to select an instance that is deployed in the same region as Prisma Access.
    • After you’ve activated Prisma Access:
      To enable Cloud Identity Engine for an existing Prisma Access instance, log in to the hub. From the hub settings dropdown (see the gear on the top menu bar), select
      Manage Apps
      . Find the Prisma Access instance you want to update, and select the Cloud Identity Engine instance you want Prisma Access to use.
  3. Confirm that Prisma Access is connected to Cloud Identity Engine, and that Cloud Identity Engine is sharing directory information with Prisma Access.
    • Check that you can see your directories in Prisma Access.
      Go to
      Manage
      Configuration
      Identity Services
      Directory Sync
      :
    • Verify that you can add users and groups to a policy rule.
      Select
      Manage
      Security Services
      Security
      or
      Decryption
      . In a security or decryption policy rule, check that the
      Users
      dropdown displays your Active Directory user and group entries. Now you can start adding these users and groups to your security and decryption policy rules.

Recommended For You