Control Role-Based Access for Tenant-Level Administrative Users

If you manage a multitenant deployment, you can use role-based access control (RBAC) to create tenant-level administrative users.
To modify RBAC-level access for tenant-level administrative users in Panorama, you create a tenant-level administrative user, use an Admin Role Profile with a Device Group and Template role, and enable, disable, or give Read Only access to areas of the Panorama Web UI. Use this method to manage access to all Panorama components for tenant-level users, with the exception of access to the Cloud Services plugin where you manage Prisma Access.
If you want to restrict a tenant-level user from configuring the Prisma Access components in Panorama, you cannot use Admin Roles. To prevent users from performing Prisma Access-specific configuration tasks, you must prevent the user from accessing the Cloud Services plugin, which also prevents them from viewing it. Using this method, you can create an administrative user for a security professional who has permissions to make changes to security policies and push those changes to Panorama, but cannot view or make any changes to Prisma Access configuration.
You can either enable or disable access to the Cloud Services plugin for a user, but you cannot give a user read-only access; if a user has access to view the Cloud Services plugin, the user can also make configuration changes to its components, including Prisma Access.
The following table shows sample tenant-level administrative roles and the steps you perform to create those roles.
Sample Tenant-Level Configuration: Create a networking-focused user who:
  • Can edit plugin configurations
  • Can commit to Panorama
  • Can push configuration to Prisma Access
Configuration Task: Create a tenant-level administrative user, enabling permissions in the Admin Role Profile, and disabling or making Read Only any permissions that you don’t want the tenant-level administrative user to have.

Sample Tenant-Level Configuration: Create a security-focused user who:
  • Can view and make changes to security policies
  • Can commit to Panorama
  • Cannot view, or make changes to, the Cloud Services plugin
  • Cannot push configuration to Prisma Access (requires the superuser to push the configuration)
Configuration Task: To prevent a tenant-level administrative user from viewing or accessing the plugin, remove plugin access for a tenant-level administrator. For all other Panorama-related permissions, change the Admin Role permissions for the user.

Sample Tenant-Level Configuration: Create a hybrid user who:
  • Has read-only access to the Cloud Services plugin
  • Has read-write access to the security policy
  • Cannot push the configuration to Prisma Access (requires the superuser to push the configuration)
Configuration Task: This configuration is not possible. You cannot make the Cloud Services plugin read-only. You can only provide access to admin users to view it and use it to make configuration changes, or disallow them from viewing it.
