Administrator Roles and Access
Learn about different administrator roles and access options available for Prisma Access Cloud Management.
Administrator Roles
A user on Prisma Access is someone who has been assigned administrative privileges, and a role defines the type of access that the administrator has on the service. When you assign a role, you specify the permission group and the account groups that the administrator can manage. The hub has the following built-in permission groups for administrators using Prisma Access:
- App Administrator— Has full access to the given app, including all instances added to the app in the future. App Administrators can assign roles for app instances, and they can also activate app instances specific to that app.
- Instance Administrator— Has full access to the app instance for which this role is assigned. The Instance Administrator can also make other users an Instance Administrator for the app instance. If the app has predefined or custom roles, the Instance Administrator can assign those roles to other users.
- Super Reader— Can view all config elements, logs, and settings. Super Readers can’t make changes to other settings.
- Audit Admin— Can view and manage logs and log settings only. Audit Admins can’t make changes to other settings.
- Crypto Admin— Can view logs, and manage cryptographic settings such as IKE, IPSec, master key management, and certificate configuration. Crypto Admins can’t view or make changes to other settings.
- Security Admin— Can view logs and manage all settings except the cryptographic settings that are available to the Crypto Admin role.
- Web Security Admin— Can view configuration elements related to Web Security only.
- Data Loss Prevention Admin— Can access Enterprise DLP settings but cannot push configuration changes to Prisma Access.
- Data Security Admin— Can access Enterprise DLP and SaaS Security controls, but cannot push configuration changes to Prisma Access.
- SaaS Admin— Can access SaaS Security settings but cannot push configuration changes to Prisma Access.
Assign a Role
All admins can access and use the Prisma Access
app, but only Prisma Access App Administrators and Instance Administrators
can assign roles. From the hub, you can view Prisma Access role
assignments and assign roles to other members of your account. Here’s
how:
- View hub role assignments.
  - Use the credentials associated with your Palo Alto Networks support account to log in to the hub.
  - Click the settings gear that’s located on the top right of the page, and select Access Management.
  - The Access Management page lists all the users in your organization and the roles to which they’re assigned. Account administrators have access to all of your organization’s apps. Other roles are specific to apps or even app instances.
- Assign a user a role.
  - On the hub Access Management page, search for and select the user you want to assign a role to.
  - Select Assign Roles.
  - Assign a role at the app or instance level.
Trusted IP Address List for Administrator Access
Specify trusted IP addresses for Prisma Access cloud
management administrators. Only administrators that log in from
these source IP addresses (and also that successfully authenticate)
can access Prisma Access cloud management.
The IP addresses must be public addresses. By default, there aren’t any trusted addresses enforced (the list is set to any). To get started, find the Settings menu on the left navigation panel and click IP Restrictions.
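A pre-flight check for a candidate trusted IP list, added here as an example and not taken from Prisma Access or its documentation. It rejects entries that are not public IPv4 addresses and models the rule described above, where an empty list behaves like "any". Accepting CIDR blocks as entries, the function names, and the sample addresses are assumptions made for illustration.

```python
import ipaddress

# Common IPv4 ranges that are not publicly routable (RFC 1918, CGNAT,
# loopback, link-local, documentation, benchmarking, multicast/reserved).
NON_PUBLIC_V4 = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.0.2.0/24", "192.168.0.0/16",
    "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "224.0.0.0/3",
)]

def validate_trusted_list(entries):
    """Split candidate entries into (accepted networks, {entry: reason})."""
    accepted, rejected = [], {}
    for raw in entries:
        entry = raw.strip()
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            rejected[entry] = "not an IP address or CIDR block"
            continue
        if net.version != 4:
            rejected[entry] = "IPv6 is outside the scope of this example"
            continue
        # A wide block can straddle a private range even if both ends look public.
        clash = next((n for n in NON_PUBLIC_V4 if net.overlaps(n)), None)
        if clash is not None:
            rejected[entry] = f"overlaps non-public range {clash}"
        else:
            accepted.append(net)
    return accepted, rejected

def is_source_allowed(source_ip, trusted):
    """Model of the rule: an empty list means 'any'; otherwise the source must match."""
    if not trusted:
        return True
    addr = ipaddress.ip_address(source_ip)
    return any(addr in net for net in trusted)

# Constructed sample input; the addresses are stand-ins, not real admin egress IPs.
CANDIDATES = ["8.8.8.8", "1.1.1.0/24", "10.20.0.0/16", "8.0.0.0/5", "office-vpn"]

if __name__ == "__main__":
    trusted, rejected = validate_trusted_list(CANDIDATES)
    print("trusted:", [str(n) for n in trusted])
    for entry, reason in rejected.items():
        print(f"rejected {entry}: {reason}")
    print("9.9.9.9 allowed:", is_source_allowed("9.9.9.9", trusted))
```

Running the source-address check against the IP each administrator currently logs in from, before enforcing the list, shows who would lose access to cloud management once the restriction is applied.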