Compute user roles
You can assign roles to users to control their level of access to Prisma Cloud. Roles determine what a user can do and see in Console, and the APIs he or she can access. Roles are enforced the same way for both the Prisma Cloud UI and API.
Prisma Cloud provides several pre-defined system roles you can assign to users and groups, as well as allows you to create your own customized roles.
Summary of system roles
The following table summarizes the system roles available in Prisma Cloud.
Typical use case(s)
Full read-write access to all Prisma Cloud settings and data.
Read-write access to all rules and data.
Read-only access to user and group management, role assignments, and the global settings under
Manage > System.
Security operations teams.
Read-only access to all Prisma Cloud rules and data.
Auditors and compliance staff that need to verify settings and monitor compliance.
Read-only access to all results under
Monitor, but no access to change policy or settings.
Read-only access to Utilities.
Define policy and monitor vulnerabilities and compliance.
DevOps users that also need to define policy and monitor vulnerabilities and compliance.
Read-only access to the Prisma Cloud CI vulnerability, compliance scan reports, and Utilities.
Developer, Operations, and DevOps personnel that need to know about and/or address the vulnerabilities in your environment.
Install, manage, and remove Defenders from your environment.
DevOps team members that need to manage Defender deployments without sysadmin privileges.
Basic API routes only
IMPORTANT: Access User role has permissions to some basic API routes only, and no access to the Console UI. This user role will be deprecated in the next release of Prisma Cloud Compute.
Developers (and others) that use the nodes that Prisma Cloud protects.
Run the Continuous Integration plugin only.
CI Users can only run the plugin and have no other access to configure Prisma Cloud.
Let’s look at how two roles at the opposite end of the spectrum differ: Administrator and User. Administrators set the security policy. They decide who can run what Docker commands, and where they can be run. Users need to run Docker commands to do their job. Testers, for example, run Docker commands in the staging environment to test containers under development. Testers, however, have no business starting containers in the production environment. Administrators set a policy to assign testers the user role that lets testers run Docker commands in staging, but restricts their access to production.
This section describes the system roles Prisma Cloud supports.
The Administrator can manage all aspects of your Prisma Cloud installation. They have full read-write access to all Prisma Cloud settings and data.
- Create and update security policies.
- Create and update access control policies.
- Create and update the list of users and groups that can access Prisma Cloud.
- Assign roles to users and groups.
- The Admin role is reserved for security administrators.
When Administrators log into Console, they have access to the full dashboard. If you click on the profile button on the top right of the dashboard, you get the details of the currently logged in user (admin) and associated role (Administrator).
Operators can create and update all Prisma Cloud settings. This role lets you view audit data and manage the rules that define your policies.
- Create, update, or delete users or groups.
- Assign or reassign roles to any user or group.
- Change the global settings underManage > System.
The Operator role is designed for members of your Security Operations team.
Auditors get read-only access to all Prisma Cloud data, settings, and logs.
Auditors are typically members of your compliance team. They verify that your Prisma Cloud setup meets your organization’s security requirements. To verify compliance, they must be able to see your settings, but they do not need to make changes to them.
Auditors have access to the utilities page (
Manage > System > Utilities).
DevSecOps Users get access to all views under
Monitor. Access to the
Actionsmenu in these views is disabled. The
Actionsmenu lets you do things such as relearn models, protect services found by Cloud Discovery, and so on.
DevSecOps Users get read only access to vulnerabilities and compliance policies under
Manage, they only get access to
Manage > System > Utilities. This page lets you download various Prisma Cloud components. DevSecOps Users can download all files, except Defender images, which are disabled for this role.
Vulnerability Managers define and monitor vulnerabilities and compliance policy. Vulnerability Managers gain the following permissions:
- Read-write access toDefend > VulnerabilitiesandDefend > Compliance.
- Read-write access toMonitor > Vulnerabilities,Monitor > ComplianceandMonitor > Events > Trust Audits.
- Read-only access toManage > System > Utilities. TheUtilitiespage lets you download various Prisma Cloud components. Vulnerability Managers can download all files, except Defender images, which are disabled for this role.
DevOps Users get read-only access to the
Twistcli Scanstabs under
Monitor > Vulnerabilitiesand
Monitor > Compliance. Each tab contains scan reports for images and serverless functions scanned using these tools. DevOps Users can use Prisma Cloud scan reports and tools, for example, to determine why the CI/CD pipeline is stalled.
DevOps Users get read only access to vulnerabilities and compliance policies under
Manage, they only get access to
Manage > System > Utilities. This page lets you download various Prisma Cloud components. DevOps Users can download all files, except Defender images, which are disabled for this role.
Defender Managers get read-write access to
Manage > Defendersand
Manage > System > Utilities.
Defender Managers can install, manage, and remove Defenders from your environment. The Defender Manager role was designed to let members of your DevOps team manage the hosts that Prisma Cloud protects without requiring Administrator-level privileges. To help debug Defender deployment issues, Def