1. Home
    2. Prisma
    3. Prisma Cloud
    4. Prisma Cloud Compute Edition Administrator’s Guide
    5. Authentication
    6. Compute user roles
    End-of-Life (EoL)

    Compute user roles

    You can assign roles to users to control their level of access to Prisma Cloud. Roles determine what a user can do and see in Console, and the APIs he or she can access.

    Summary of available roles

    The following table summarizes the roles available in Prisma Cloud.
    Role
    Access level
    Typical use case(s)
    Administrator
    Full read-write access to all Prisma Cloud settings and data.
    Security administrators.
    Operator
    Read-write access to all rules and data.
    Read-only access to user and group management, role assignments, and the global scan settings under
    Manage > System > Scan
    .
    Security operations teams.
    Auditor
    Read-only access to all Prisma Cloud rules and data.
    Auditors and compliance staff that need to verify settings and monitor compliance.
    DevSecOps User
    Read-only access to all results under
    Radar
     and
    Monitor
    , but no access to view or change policy or settings.
    Read-only access to User certificates and Downloads.
    DevSecOps personnel.
    Vulnerability Manager
    Define policy and monitor vulnerabilities and compliance.
    DevOps users that also need to define policy and monitor vulnerabilities and compliance.
    DevOps User
    Read-only access to the Prisma Cloud CI vulnerability, compliance scan reports, User certificates, and Downloads.
    Developer, Operations, and DevOps personnel that need to know about and/or address the vulnerabilities in your environment.
    Defender Manager
    Install, manage, and remove Defenders from your environment.
    DevOps team members that need to manage Defender deployments without sysadmin privileges.
    Access User
    Install personal certificates only.
    Developers (and others) that use the nodes that Prisma Cloud protects.
    CI User
    Run the Continuous Integration plugin only.
    CI Users can only run the plugin and have no other access to configure Prisma Cloud.
    Let’s look at how two roles at the opposite end of the spectrum differ: Administrator and User. Administrators set the security policy. They decide who can run what Docker commands, and where they can be run. Users need to run Docker commands to do their job. Testers, for example, run Docker commands in the staging environment to test containers under development. Testers, however, have no business starting containers in the production environment. Administrators set a policy to assign testers the user role that lets testers run Docker commands in staging, but restricts their access to production.
    If a user is assigned multiple roles, either directly or through group inheritance, then he is granted the rights of the highest role. For example, assume Bruce is part of GroupA and GroupB in Active Directory. In Console, you assign the Administrator role to GroupA and the Auditor role to GroupB.When Bruce logs into Prisma Cloud, he will have Administrator rights.
    Roles are enforced the same way for both the Prisma Cloud UI and the Prisma Cloud API.
    To learn how to assign roles to users and groups, see Assigning roles.

    Roles

    This section describes all the roles Prisma Cloud supports.

    Administrator

    The Administrator can manage all aspects of your Prisma Cloud installation. They have full read-write access to all Prisma Cloud settings and data.
    Administrators can:
    • Create and update security policies.
    • Create and update access control policies.
    • Create and update the list of users and groups that can access Prisma Cloud.
    • Assign roles to users and groups.
    • The Admin role is reserved for security administrators.
    When Administrators log into Console, they have access to the full dashboard. If you click on the profile button on the top right of the dashboard, you get the details of the currently logged in user (admin) and associated role (Administrator).

    Operator

    Operators can create and update all Prisma Cloud settings. This role lets you view audit data and manage the rules that define your policies.
    Operators cannot:
    • Create, update, or delete users or groups.
    • Assign or reassign roles to any user or group.
    • Change the global scan settings under
      Manage > System > Scan
      .
    The Operator role is designed for members of your Security Operations team.

    Auditor

    Auditors get read-only access to all Prisma Cloud data, settings, and logs.
    Auditors are typically members of your compliance team. They verify that your Prisma Cloud setup meets your organization’s security requirements. To verify compliance, they must be able to see your settings, but they do not need to make changes to them.
    Auditors have access to the downloads page (
    Manage > System > Downloads
    ), but cannot download Defender images.

    DevSecOps User

    DevSecOps Users get access to all views under
    Radar
     and
    Monitor
    . Access to the
    Actions
     menu in these views is disabled. The
    Actions
     menu lets you do things such as relearn models, protect services found by Cloud Discovery, and so on.
    DevSecOps Users can’t access the views under
    Defend
    .
    Under
    Manage
    , they only get access to:
    • Manage > Authentication > User Certificates
    • Manage > System > Downloads
      . This page lets you download various Prisma Cloud components. DevSecOps Users can download all files, except Defender images, which are disabled for this role.

    Vulnerability Manager

    Vulnerability Managers define and monitor vulnerabilities and compliance policy. Vulnerability Managers gain the following permissions:
    • Read-write access to
      Defend > Vulnerabilities
       and
      Defend > Compliance
      .
    • Read-write access to
      Monitor > Vulnerabilities
      ,
      Monitor > Compliance
       and
      Monitor > Events > Trust Audits
      .
    • Read-only access to
      Manage > Authentication > User certificates
       and
      Manage > System > Downloads
      . The
      Downloads
       page lets you download various Prisma Cloud components. Vulnerability Managers can download all files, except Defender images, which are disabled for this role.

    DevOps User

    DevOps Users get read-only access to the
    Jenkins Jobs
     and
    Twistcli Scans
     tabs under
    Monitor > Vulnerabilities
     and
    Monitor > Compliance
    . Each tab contains scan reports for images scanned using these tools. DevOps Users can use Prisma Cloud scan reports and tools, for example, to determine why the CI/CD pipeline is stalled.
    Additionally, DevOps users can use the CVE Viewer to query the Prisma Cloud CVE database.
    Under
    Manage
    , they only get access to:
    • Manage > Authentication > User Certificates
    • Manage > System > Downloads
      . This page lets you download various Prisma Cloud components. DevOps Users can download all files, except Defender images, which are disabled for this role.

    Defender Manager

    Defender Managers get read-write access to
    Manage > Defenders
    ,
    Manage > Authentication > User certificates
     and
    Manage > System > Downloads
    .
    Defender Managers can install, manage, and remove Defenders from your environment. The Defender Manager role was designed to let members of your DevOps team manage the hosts that Prisma Cloud protects without requiring Administrator-level privileges. To help debug Defender deployment issues, Defender Managers get read-only access to Prisma Cloud settings and log files.
    Defender Managers are typically members of your DevOps team. They need to manage the hosts that Prisma Cloud protects, but they never need to alter any security policies.
    Defender Managers are also used to automate the installation of Defenders. If you use the API to programmatically install new Defenders in an environment that is not orchestrated by Kubernetes or Swarm, create a service account with the Defender Manager role, then follow the instructions in Automate Defender install.
    Access to
    Manage > Defenders > Names
     is blocked as it requires API access for certificate management.
    This role can see view the secrets that Defenders use to do their job, such as cloud credentials for registry scanning.

    Access User

    Users work with Docker containers. They run Docker client commands on the hosts that are protected by the Defender. The commands they run include:
    • Pulling an image from a registry.
    • Starting a container on a host.
    • Stopping a container.
    Users are typically members of your engineering team. For example, all members of your test team would be assigned the User role.
    The following screenshot shows the view that user with the User role see when they log into Console. Users log into Console to get their client certificates, which they install on their machines to identify them. When a user runs a Docker command on a host, Defender checks that the user has the right permissions to run that command on that host.

    CI User

    The CI user role can be assigned to users that should only be able to run the plugin but have no other access to configure Prisma Cloud or view the data that we have. It is designed to only provide the minimal amount of access required to run the plugins.
    A CI user cannot log into the Console or even view the UI Dashboard.

    Recommended For You

    Recommended Videos

    Recommended videos not found.

    © 2023 Palo Alto Networks, Inc. All rights reserved.

    Techdocs Logo