Control Role-Based Access for Tenant-Level Administrative Users

If you manage a multi-tenant deployment, you can use role-based access control (RBAC) to create tenant-level administrative users.
To modify RBAC-level access for tenant-level administrative users in Panorama, you create a tenant-level administrative user, use an Admin Role Profile with a
Role
of
Device Group and Template
, and
Enable
,
Disable
, or give
Read Only
access to areas of the Panorama
Web UI
. Use this method to manage access to all Panorama components for tenant-level users, with the exception of access to the Cloud Services plugin where you manage Prisma Access.
If you want to restrict a tenant-level user from configuring the Prisma Access components in Panorama, you cannot use Admin Roles. To disallow users from configuring Prisma Access-specific configuration tasks, you must prevent the user from accessing the Cloud Services plugin, which also prevents them from viewing it. Using this method, you can create an administrative user for a security professional who has permissions to make changes to security policies and push those changes to Panorama, but cannot view or make any changes to Prisma Access configuration.
You can either enable or disable access to the Cloud Services plugin for a user, but you cannot give a user read-only access; if a user has access to view the Cloud Services plugin, the user can also make configuration changes to its components, including Prisma Access.
The following table shows sample tenant-level administrative roles and the steps you perform to create those roles.
Sample Tenant-Level Configuration
Configuration Task
Create a networking-focused user who:
  • Can edit plugin configurations
  • Can commit to Panorama
  • Can push configuration to Prisma Access
Create a tenant-level administrative user, enabling
Save
and
Commit
permissions in the
Admin Role Profile
, and disabling or making
Read Only
any permissions that you don’t want the tenant-level administrative user to have.
Create a security-focused user who:
  • Can view and make changes to security policies
  • Can commit to Panorama
  • Cannot view, or make changes to, the Cloud Services plugin
  • Cannot push configuration to Prisma Access (requires the superuser to push the configuration)
To prevent a tenant-level administrative user from viewing or accessing the plugin, remove plugin access for a tenant-level administrator. For all other Panorama-related permissions, change the Admin Role permissions for the user.
Create a hybrid user who:
  • Has read-only access to the Cloud Services plugin
  • Has read-write access to the security policy
  • Cannot push the configuration to Prisma Access (requires the superuser to push the configuration)
You cannot make the Cloud Services plugin read-only. You can either view it or disable it.

Remove Plugin Access for a Tenant-Level Administrative User

In normal multi-tenant configurations, you use access domains Add Tenants to Prisma Access and associate each access domain with a tenant. To prevent a tenant-level administrative user from viewing or making configuration changes to Prisma Access, you create an access domain, but you do not associate it with a tenant.
Because you associated the access domain to the device groups and template stacks for the tenant, the tenant-level administrative user has RBAC access at the tenant level and is able to perform configuration for that tenant only. Because you did not associate the access domain with a tenant in Prisma Access, the access domain is unable to view the Cloud Services plugin, which provides access to Prisma Access. In this way, you create a user who can perform tenant-level configuration tasks without being able to access, view, or make configuration changes to Prisma Access.
To remove Prisma Access access for an administrative-level user, complete the following task.
This task assumes that you have Add Tenants to Prisma Access templates, template stacks, and device groups for the tenant; you’ll be associating them to the tenant-level administrative user.
  1. Create an administrative role with a type of
    Device Group and Template
    .
    1. Select
      Panorama
      Admin Roles
      .
    2. Add
      an Admin Role Profile with a
      Role
      of
      Device Group and Template
      .
    3. Click
      OK
      .
      You can create a single Admin Role Profile and share it across multiple tenants.
      multi-tenant-commit-for-other-admins.png
  2. Select
    Panorama
    Access Domain
    and
    Add
    an Access Domain.
  3. Specify the
    Device Groups
    and
    Templates
    associated with the tenant.
    If you created any device groups that are children or grandchildren of other device groups under the
    Shared
    parent device group, select only the device group at the lowest hierarchical level (child or grandchild); do not select the parent or you will have errors on commit.
    multi-tenant-readonly-device-group.png
    multi-tenant-readonly-access-domain.png
  4. Create and configure an Administrator for the tenant-level administrative user, specifying the Access Domain you just created.
    1. Select
      Panorama
      Administrators
      .
    2. Add
      an Administrator.
    3. Enter and confirm a
      Password
      for the new Administrator.
    4. Specify an
      Administrator Type
      of
      Device Group and Template Admin
      .
    5. Specify the
      Access Domain
      that is associated with the device groups for that tenant.
    6. Specify the
      Admin Role
      that you created in Step 1 for the tenant.
      When you complete this example, the
      abcd-tenant-no-plugin-access
      Administrative user will have permissions based on what you defined in the Admin Role profile, but will not be able to view or configure the Cloud Services plugin (including Prisma Access). Note, however, that they will not be able to push any changes that they make to the cloud.
      multi-tenant-readonly-administrator.png
  5. Select
    Commit
    Commit to Panorama
    and
    Commit
    your changes.

Recommended For You