Custom Role-Based Access Control — Set It Up
Set up custom role-based access control.
Here’s how to create a custom role, assign
a role to a user, and manage the user scope.
- Custom roles are sets of permissions assembled from the permissions available in the system. You can create one by adding permissions to, or removing them from, a system-defined role, or build it from scratch without inheriting anything from a system-defined role. For example, you can create a network administrator role with only a few permissions, or extend the existing security administrator role with a few more system permissions. As an administrator, you selectively allow or disallow permissions for a custom role, giving it a unique set of permissions.
- After creating a custom role, assign it to users; a user can hold additional roles as well.
- Prisma Access Cloud Management enables you (as an administrator) to assign a management scope to a cloud management user (non-administrator), so that the user's permissions apply only within scopes such as folders and snippets. Permissions are the actions allowed in the system; each permission represents a specific set of application programming interface (API) calls used to read, write, and delete objects within the system. All permissions are grouped into roles. Only a Cloud Management administrator or a superuser can create a scope object; the Scope Management widget is not available to users with other roles.
This use case shows how to create a custom role with read-only permission to all resources, assign it to a user, and then create a scope that associates the user with the custom role.
- Create a Custom Role
- Go to the hub and log in.
- Select Prisma SASE Platform > Tenants and Services > Identity & Access.
- Select Identity & Access / Roles Management > Roles > Add Custom Role to add a custom role.
- Add a Name and a Description for the role.
- Add permissions under Web UI. Web UI permission sets are grouped in a hierarchy for each application. The icon next to the permission set name indicates the permission access status.
- Select an icon to toggle the permission set access.
- Select an icon at a higher level in the hierarchy to toggle permissions at the lower levels as well.
- Select a checkbox for bulk change actions. The Read Write, Read Only, and No Access options become visible when one or more permission sets are selected, so you can set many permission sets to the same access at once rather than selecting each one individually. For this use case, select Read Only, so that the role grants no write access to any resource.
- Save to add the permissions to the list.
- Assign a Custom Role to a Tenant User
- Go to Identity & Access / Access Management and select Add to add a user.
- Specify the following values to add user access:
- Select User as the Identity Type.
- Enter the email address of the user and select Next.
- Select Prisma Access from Apps & Services.
- Select the custom Role that you created in the previous procedure.
- Submit your changes.
- Create a New Scope in the Prisma Access Cloud Management UI
- Go to Settings > Access Control > Scope Management and select Create New Scope.
- Give the scope a descriptive Name.
- Select the folder you want to include in the scope.
- Add the scope object.
- Click Assign Users against the scope object to assign a role.
- Select a Role for the user. For this use case, select the custom read-only role you created. A broader role such as MSP Superuser gives a user access to all functions for all tenants; assign it only to users who actually need that level of access.
- To modify an existing scope (rename it, or add or remove folders), select the scope object, change it as needed, and Update the scope.
- To modify the assigned users (add more users or change them), click Assigned Users, make the changes, and Close the window.
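The procedure above is entirely click-through, so it is easy to lose sight of what the resulting access decision actually is. The following Python is an added illustration, not Prisma Access code and not its API: it models the concepts on this page (a hierarchy of Web UI permission sets with Read Write / Read Only / No Access states, toggling a higher level to set everything beneath it, a custom role derived from a system role or built from scratch by bulk assignment, and a scope that restricts a role to folders). The permission-set names, role names, and folder names are constructed for the example.

```python
"""Toy model of custom roles, permission hierarchies, and scopes.

Added illustration only: not Prisma Access code or its API. All
permission sets, roles, and folders below are constructed examples.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum
from typing import Iterable, Optional


class Access(Enum):
    NO_ACCESS = 0
    READ_ONLY = 1
    READ_WRITE = 2


# Constructed permission hierarchy, "application/group/item". Setting
# access on a prefix applies to everything beneath it, mirroring the UI
# behaviour of toggling the icon at a higher level of the hierarchy.
PERMISSION_SETS = [
    "prisma-access/configuration/security-policy",
    "prisma-access/configuration/objects",
    "prisma-access/monitoring/logs",
    "prisma-access/monitoring/reports",
]


@dataclass
class Role:
    name: str
    grants: dict = field(default_factory=dict)  # permission set -> Access

    def set_access(self, prefix: str, access: Access) -> None:
        """Set one permission set, or a whole subtree by naming its prefix."""
        for perm in PERMISSION_SETS:
            if perm == prefix or perm.startswith(prefix + "/"):
                self.grants[perm] = access

    def bulk_set(self, perms: Iterable[str], access: Access) -> None:
        """The UI's checkbox bulk action: same access for many sets at once."""
        for perm in perms:
            self.set_access(perm, access)

    def derived(self, name: str) -> "Role":
        """Start a custom role from a copy of this (system) role's grants."""
        return Role(name, dict(self.grants))

    def access_for(self, perm: str) -> Access:
        # Anything never granted is No Access (deny by default).
        return self.grants.get(perm, Access.NO_ACCESS)


# Constructed system-defined role: full access to the whole application.
SECURITY_ADMIN = Role("Security Administrator")
SECURITY_ADMIN.set_access("prisma-access", Access.READ_WRITE)

# The page's use case: a custom role that is read-only on every resource,
# built without inheriting from a system role, via a bulk Read Only action.
READ_ONLY_ALL = Role("Read Only - All Resources")
READ_ONLY_ALL.bulk_set(PERMISSION_SETS, Access.READ_ONLY)

# A custom role derived from a system role by removing one subtree.
NET_ADMIN = SECURITY_ADMIN.derived("Network Administrator (custom)")
NET_ADMIN.set_access("prisma-access/configuration/security-policy", Access.NO_ACCESS)


@dataclass
class Scope:
    name: str
    folders: set  # folder paths; a folder covers its sub-folders


@dataclass
class Assignment:
    role: Role
    scope: Optional[Scope] = None  # None: no folder restriction


def is_allowed(assignment: Assignment, perm: str, folder: str, write: bool) -> bool:
    """Access decision: the role must grant the action on the permission
    set, and the object's folder must fall inside the assigned scope."""
    access = assignment.role.access_for(perm)
    if access is Access.NO_ACCESS:
        return False
    if write and access is not Access.READ_WRITE:
        return False
    if assignment.scope is None:
        return True
    return any(folder == f or folder.startswith(f + "/")
               for f in assignment.scope.folders)


if __name__ == "__main__":
    branch_scope = Scope("Branch offices", {"Prisma Access/Remote Networks"})
    auditor = Assignment(READ_ONLY_ALL, branch_scope)
    print(is_allowed(auditor, "prisma-access/monitoring/logs",
                     "Prisma Access/Remote Networks/Branch-1", write=False))
```

Two checks the model makes explicit: a derived role is a copy, so trimming it does not widen or narrow the system role it came from, and a Read Only grant fails any write even when the scope matches.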