Administrator Roles and Access

Learn about different administrator roles and access options available for Prisma Access Cloud Management

Administrator Roles

A user on Prisma Access is someone who has been assigned administrative privileges, and a role defines the type of access that the administrator has on the service. When you assign a role, you specify the permission group and the account groups that the administrator can manage. The hub has the following permission groups built-in for administrators using Prisma Access.
  • App Administrator
    — Has full access to the given app, including all instances added to the app in the future. App Administrators can assign roles for app instances, and they can also activate app instances specific to that app.
  • Instance Administrator
    — Has full access to the app instance for which this role is assigned. The Instance Administrator can also make other users an Instance Administrator for the app instance. If the app has predefined or custom roles, the Instance Administrator can assign those roles to other users.
  • Super Reader
    — Can view all config elements, logs, and settings. Super Readers can’t make changes to other settings.
  • Audit Admin
    — Can view and manage logs and log settings only. Audit Admins can’t make changes to other settings.
  • Crypto Admin
    — Can view logs, and manage cryptographic settings such as IKE, IPSec, master key management, and certificate configuration. Crypto Admins can’t view or make changes to other settings.
  • Security Admin
    — Can view logs and manage all settings except the cryptographic settings that are available to the Crypto Admin role.
  • Web Security Admin
    — Can view configuration elements related to Web Security only.
  • Data Loss Prevention Admin
    —Can access Enterprise DLP settings but cannot push configuration changes to Prisma Access.
  • Data Security Admin
    —Can access Enterprise DLP and SaaS Security controls, but cannot push configuration changes to Prisma Access.
  • SaaS Admin
    —Can access SaaS Security settings but cannot push configuration changes to Prisma Access.

Assign a Role

All admins can access and use the Prisma Access app, but only Prisma Access App Administrators and Instance Administrators can assign roles. From the hub, you can view Prisma Access role assignments and assign roles to other members of your account. Here’s how:
  • View hub role assignments.
    1. Use the credentials associated with your Palo Alto Networks support account to log in to the hub.
    2. Click the settings gear that’s located on the top right of the page, and select
      Access Management.
    3. The Access Management page lists all the users in your organization and the roles to which they’re assigned.
      Account administrators have access to all of your organization’s apps. Other roles are specific to apps or even app instances.
  • Assign a user a role.
    1. On the hub Access Management page, search for and select the user you want to assign a role to.
    2. Select
      Assign Roles
    3. Assign a role at the app or instance level.

Trusted IP Address List for Administrator Access

Specify trusted IP addresses for Prisma Access cloud management administrators. Only administrators that log in from these source IP addresses (and also that successfully authenticate) can access Prisma Access cloud management.
The IP addresses must be public addresses. By default, there aren’t any trusted addresses enforced (the list is set to
To get started, find the
menu on the left navigation panel and click
IP Restrictions

Recommended For You