Custom Role-Based Access Control — Set It Up

Set up custom role-based access control.
Here’s how to create a custom role, assign a role to a user, and manage the user scope.
  • Custom roles are assembled sets of permissions drawn from the roles available in the system. You can create one by adding permissions to, or removing permissions from, a system role, or by building it from scratch without inheriting anything from a system-defined role. For example, you can create a network administrator role with only a few permissions, or extend the existing security administrator role with a few more system permissions.
    With custom roles, you as an administrator selectively allow or disallow permissions for each custom role, thereby creating a unique set of permissions for it.
  • After creating a custom role, assign additional roles to the users.
  • Prisma Access Cloud Management enables you (as an administrator) to assign a management scope to a cloud management user (non-administrator) to associate permissions based on scopes such as folders and snippets.
    Permissions are the actions that are allowed in the system. Each permission represents a specific set of application programming interface (API) calls used to read, write, and delete objects within the system. All permissions are grouped into roles.
    Only a Cloud Management administrator or a superuser can create a scope object. Note that the Scope Management widget is not available for users with other roles.
This use case shows how to create a custom role with read-only permission to all the resources, assign it to a user, and then create a scope to associate the user to a custom role.
  1. Create a Custom Role
    1. Go to the hub and log in.
    2. Select Prisma SASE Platform > Tenants and Services > Identity & Access.
    3. Select Identity & Access/Roles Management > Add Custom Role to add a custom role.
    4. Add a
      and a
      for the role.
    5. Add permissions under Web UI.
      Web UI permission sets are grouped in a hierarchy for each application. The icon next to the permission set name indicates the permission access status.
      • Select an icon to toggle the permission set access.
      • Select an icon at a higher level in the hierarchy to toggle permissions at the lower levels as well.
      • Select a checkbox for bulk change actions. The Read Write, Read Only, and No Access actions become visible when one or more permission sets are selected, so you can set many permission sets to the same access all at once rather than selecting each one individually. For this use case, select Read Write.
    6. Save to add the permissions to the list.
  2. Assign a Custom Role to a Tenant User
    1. Go to Identity & Access/Access Management to add a user.
    2. Specify the following values to add user access:
      • Select
        as the Identity Type.
      • Enter the email address of the user and select
    3. Select Prisma Access under Apps & Services.
      • Select the custom
        that you created in Step 1.
    4. Submit your changes.
  3. Create a New Scope in the Prisma Access Cloud Management UI
    1. Go to Access Control > Scope Management > Create New Scope.
    2. Give the scope a descriptive
    3. Select the folder you want to include in the scope.
    4. Add the scope object.
    5. Click Assign Users against the scope object to assign a role.
    6. Select a
      for the user. For example, you can select MSP Superuser for a user who needs access to all functions for all tenants.
    7. To modify an existing scope to edit the name, and to add or remove folders, select the scope object, modify the scope as needed, and
      the scope.
    8. To modify the assigned users (to add more users or change the users), click Assigned Users, modify the assignments as needed, and
      the window.
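The three procedures above describe a role built from a hierarchy of permission sets, assigned to a user, and bound to folders through a scope. The following Python model is an added illustration of how those pieces fit together as an authorization decision; it is not Prisma Access Cloud Management code and does not use its API. The class names (PermissionSet, CustomRole, Scope), the permission-set names, the folder names, the user address and the mapping of access levels to read/write/delete actions are all assumptions made for this example.

```python
from dataclasses import dataclass, field
from enum import Enum


class Access(Enum):
    """Access status shown by the icon next to a permission set."""
    NO_ACCESS = "no_access"
    READ_ONLY = "read_only"
    READ_WRITE = "read_write"


# Assumption for this model: read-only covers read; read-write also covers write and delete.
ALLOWED_ACTIONS = {
    Access.NO_ACCESS: frozenset(),
    Access.READ_ONLY: frozenset({"read"}),
    Access.READ_WRITE: frozenset({"read", "write", "delete"}),
}

TOGGLE_ORDER = [Access.NO_ACCESS, Access.READ_ONLY, Access.READ_WRITE]


@dataclass
class PermissionSet:
    """One node of the Web UI permission hierarchy (hypothetical names below)."""
    name: str
    access: Access = Access.NO_ACCESS
    children: list = field(default_factory=list)

    def set_access(self, access):
        # Setting access at a higher level applies to every lower level too.
        self.access = access
        for child in self.children:
            child.set_access(access)

    def toggle(self):
        # Cycle No Access -> Read Only -> Read Write -> No Access, propagating downward.
        nxt = (TOGGLE_ORDER.index(self.access) + 1) % len(TOGGLE_ORDER)
        self.set_access(TOGGLE_ORDER[nxt])

    def walk(self):
        yield self
        for child in self.children:
            yield from child.walk()

    def find(self, name):
        return next((ps for ps in self.walk() if ps.name == name), None)


@dataclass
class CustomRole:
    """A custom role is the assembled set of permissions in its hierarchy."""
    name: str
    description: str
    root: PermissionSet

    def bulk_set(self, names, access):
        # Bulk change: every selected permission set gets the same access at once.
        for ps in self.root.walk():
            if ps.name in names:
                ps.set_access(access)

    def allows(self, permission_set, action):
        ps = self.root.find(permission_set)
        # Unknown permission sets are denied rather than assumed.
        return ps is not None and action in ALLOWED_ACTIONS[ps.access]


@dataclass
class Scope:
    """A management scope: the folders it covers and which user holds which role in it."""
    name: str
    folders: set
    assignments: dict  # user email -> CustomRole


def authorize(scopes, user, folder, permission_set, action):
    """Allow only if some scope covers the folder, assigns the user a role, and that role permits the action."""
    for scope in scopes:
        role = scope.assignments.get(user)
        if role is None or folder not in scope.folders:
            continue
        if role.allows(permission_set, action):
            return True
    return False


def build_demo():
    """Constructed sample: a read-only-everywhere role scoped to two branch folders."""
    root = PermissionSet("Prisma Access", children=[
        PermissionSet("Security Policy", children=[PermissionSet("Rules"), PermissionSet("Profiles")]),
        PermissionSet("Network", children=[PermissionSet("Remote Networks")]),
    ])
    role = CustomRole("ReadOnly-All", "Read-only access to all resources", root)
    root.set_access(Access.READ_ONLY)  # one top-level change propagates to every node
    scope = Scope("Branch-Offices", {"Branch-A", "Branch-B"}, {"alice@example.com": role})
    return role, scope


if __name__ == "__main__":
    role, scope = build_demo()
    print(authorize([scope], "alice@example.com", "Branch-A", "Rules", "read"))   # True
    print(authorize([scope], "alice@example.com", "Branch-A", "Rules", "write"))  # False
```

The model makes two points the steps alone do not: a change at the top of the permission hierarchy or a bulk change reaches every permission set below it, so a role should be reviewed node by node after such edits; and a role grants nothing by itself, because the check in authorize() requires the folder to be inside a scope that assigns that role to the user, so a user with a role but no scope covering the folder is denied.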
