Assign roles

After creating a user or group, you can assign a role to it. Roles determine the level of access to Prisma Cloud’s data and settings.
Prisma Cloud supports two types of users and groups:
  • Centrally managed users and groups, defined in your organization’s directory service. With directory services such as Active Directory, OpenLDAP, and SAML providers, you can re-use the identities set up in these systems.
  • Prisma Cloud users and groups, created and managed from Console.
For centrally managed users and groups, roles can be assigned after you integrate your directory service with Prisma Cloud. Roles can be assigned to individual users or to groups. When you assign a role to a group, all members of the group inherit the role. Managing role assignments at the group level is considered a best practice. Groups provide an easier way to manage a large user base and a simpler foundation for building your access control policies.
For Prisma Cloud users and groups, roles are assigned at the user level when the user is created. When you create a Prisma Cloud group, you add Prisma Cloud users to it. Users in this type of group always retain the role they were assigned when they were created.

Assigning roles to Prisma Cloud users

If you do not have a directory service, such as Active Directory (AD) or Lightweight Directory Access Protocol (LDAP), Prisma Cloud lets you create and manage your own users and groups. When you create a Prisma Cloud user, you can assign it a role, which determines its level of access.
To create a user and assign it a role:
  1. Open Console, and log in with your admin credentials.
  2. Go to Manage > Authentication > Users.
  3. Click Add user.
    1. Enter a username.
    2. Enter a password.
    3. Assign a role.
    4. Click

Assigning roles to Prisma Cloud groups

Collecting users into groups makes it easier to manage your access control rules.
Each user in the group retains their own role, which prevents erroneous privilege escalation.
To create a Prisma Cloud group and add users to it:
  1. Open Console and log in with your admin credentials.
  2. Go to Manage > Authentication > Groups.
  3. Click Add group.
    1. Enter a name for your group.
    2. In the drop-down list, select a user.
    3. Click
    4. Repeat steps 2 to 3 until your group contains all the members you want.
    5. Click Save.

Assigning roles to AD/OpenLDAP/SAML users

By default, AD/OpenLDAP/SAML users have the very basic Access User role. You can grant users a different level of access to Console by assigning them roles.