Assign roles
After creating a user or group, you can assign a role to it.
Roles determine the level of access to Prisma Cloud’s data and settings.
Prisma Cloud supports two types of users and groups:
- Centrally managed users and groups, defined in your organization’s directory service. With directory services such as Active Directory, OpenLDAP, and SAML providers, you can re-use the identities set up in these systems.
- Prisma Cloud users and groups, created and managed from Console.
For centrally managed users and groups, roles can be assigned after you integrate your directory service with Prisma Cloud. Roles can be assigned to individual users or to groups. When you assign a role to a group, all members of the group inherit the role. Managing role assignments at the group level is considered a best practice. Groups provide an easier way to manage a large user base, and a simpler foundation for building your access control policies.
For Prisma Cloud users and groups, roles are assigned at the user level when the user is created.
When you create a Prisma Cloud group, you add Prisma Cloud users to it.
Users in this type of group always retain the role they were assigned when they were created.
Assigning roles to Prisma Cloud users
If you do not have a directory service, such as Active Directory (AD) or Lightweight Directory Access Protocol (LDAP), Prisma Cloud lets you create and manage your own users and groups.
When you create a Prisma Cloud user, you can assign it a role, which determines its level of access.
To create a user and assign it a role:
- Open Console, and log in with your admin credentials.
- Go to Manage > Authentication > Users.
- Click Add user.
- Enter a username.
- Enter a password.
- Assign a role.
- Click Save.
Assigning roles to Prisma Cloud groups
Collecting users into groups makes it easier to manage your access control rules.
Each user in the group retains their own role, so adding a user to a group never escalates their privileges.
To create a Prisma Cloud group and add users to it:
- Open Console and log in with your admin credentials.
- Go to Manage > Authentication > Groups.
- Click Add group.
- Enter a name for your group.
- In the drop-down list, select a user.
- Click +.
- Repeat the previous two steps (select a user, then click +) until your group contains all the members you want.
- Click Save.
Assigning roles to AD/OpenLDAP/SAML users
By default, AD/OpenLDAP/SAML users have the very basic Access User role.
You can grant users a different level of access to Console by assigning them roles.
If a user is a part of an AD, OpenLDAP, or SAML group, and you have assigned a role to the group, the user inherits the group’s role.
Prerequisites:
You have integrated Prisma Cloud with Active Directory, OpenLDAP, or SAML.
- Open Console.
- Log in with your admin credentials.
- Go to Manage > Authentication > Users.
- Click Add user.
- Enter the username for the user whose role you want to set. For example, if you have integrated Prisma Cloud with Active Directory, enter a UPN.
- In the Role drop-down menu, select a role.
- Click Save.
Assigning roles to AD/OpenLDAP/SAML groups
You can assign an AD/OpenLDAP/SAML group a role.
Members of the group inherit the group’s role.
When a user from a group tries to access a resource protected by Prisma Cloud, Prisma Cloud resolves the member’s role on the fly.
If a user is assigned multiple system roles, either directly or through group inheritance, then the user is granted the rights of the highest role.
If a user is assigned both system and custom roles, the user is granted the rights of one of those roles, and which one is not predictable.
For example, assume Bruce is part of GroupA and GroupB in Active Directory.
In Console, you assign the Administrator role to GroupA and the Auditor role to GroupB.
When Bruce logs into Prisma Cloud, he will have Administrator rights.
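The resolution rules above (highest system role wins, mixed system and custom roles give an unpredictable result, directory users without any assignment fall back to Access User) are easy to get wrong when group memberships drift in the directory. The following script is an added example, not Prisma Cloud's own code: it models those rules over a group-to-role map exported from Console and a user-to-group map exported from the directory, computes each user's effective role, and flags the two conditions an auditor cares about: a user who inherits a higher role than a sibling group grants, and a user whose assignments mix system and custom roles. The precedence order, the custom role name `ImageScanner`, and all users and groups are constructed for the example; only Administrator, Auditor and Access User appear on this page.

```python
"""Audit effective Prisma Cloud Compute roles for directory-backed users.

Added example; it is not Prisma Cloud documentation or product code. It applies
the resolution rules stated on the page to constructed sample data.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# ASSUMPTION: precedence of the system roles named on the page, highest first.
# Any role not in this list is treated as a custom role.
SYSTEM_ROLE_PRECEDENCE = ["Administrator", "Auditor", "Access User"]
SYSTEM_ROLES = set(SYSTEM_ROLE_PRECEDENCE)
DEFAULT_ROLE = "Access User"  # page: directory users get Access User by default


@dataclass
class Resolution:
    user: str
    effective_role: Optional[str]  # None when the outcome is not deterministic
    candidates: List[str]
    findings: List[str] = field(default_factory=list)


def resolve_role(user: str,
                 memberships: Dict[str, List[str]],
                 group_roles: Dict[str, str],
                 direct_roles: Dict[str, str]) -> Resolution:
    """Compute the role a directory user ends up with, plus audit findings."""
    candidates: List[str] = []
    if user in direct_roles:                      # role set on the user itself
        candidates.append(direct_roles[user])
    for group in memberships.get(user, []):       # roles inherited via groups
        if group in group_roles:
            candidates.append(group_roles[group])

    if not candidates:
        return Resolution(user, DEFAULT_ROLE, [],
                          ["no role assigned; falls back to default Access User"])

    system = [r for r in candidates if r in SYSTEM_ROLES]
    custom = [r for r in candidates if r not in SYSTEM_ROLES]
    findings: List[str] = []

    if system and custom:
        # Page: mixing system and custom roles gives an unpredictable grant.
        findings.append(
            f"mixed system and custom roles {sorted(set(candidates))}: "
            "granted role is not deterministic")
        return Resolution(user, None, candidates, findings)

    if custom:
        if len(set(custom)) > 1:
            # Resolution among several custom roles is not documented here.
            findings.append(f"multiple custom roles {sorted(set(custom))}")
            return Resolution(user, None, candidates, findings)
        return Resolution(user, custom[0], candidates, findings)

    # Page: highest system role wins across direct and inherited assignments.
    effective = min(system, key=SYSTEM_ROLE_PRECEDENCE.index)
    lower = sorted(set(system) - {effective})
    if lower:
        findings.append(
            f"inherits {effective} although {lower} also assigned; "
            "check group membership")
    return Resolution(user, effective, candidates, findings)


def audit(memberships: Dict[str, List[str]],
          group_roles: Dict[str, str],
          direct_roles: Dict[str, str]) -> Dict[str, Resolution]:
    """Resolve every user known to the directory export."""
    return {u: resolve_role(u, memberships, group_roles, direct_roles)
            for u in memberships}


# Constructed sample data (stands in for a Console export and a directory dump).
GROUP_ROLES = {"GroupA": "Administrator", "GroupB": "Auditor",
               "GroupC": "ImageScanner"}          # ImageScanner: custom role
MEMBERSHIPS = {"bruce": ["GroupA", "GroupB"],     # the page's example
               "alice": ["GroupB", "GroupC"],     # system + custom: ambiguous
               "carol": ["GroupB"],
               "dave": []}                        # no assignment: default role
DIRECT_ROLES: Dict[str, str] = {}


if __name__ == "__main__":
    for res in audit(MEMBERSHIPS, GROUP_ROLES, DIRECT_ROLES).values():
        role = res.effective_role or "UNDETERMINED"
        print(f"{res.user:8} -> {role:14} {'; '.join(res.findings)}")
```

Running it prints Bruce as Administrator with a note that Auditor is also assigned, Alice as UNDETERMINED because of the system/custom mix, Carol as Auditor with no findings, and Dave as Access User by default. Feed it the real group-to-role and user-to-group maps and the UNDETERMINED rows are the assignments to fix first.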
The following procedure shows you how to assign a role to an existing AD/OpenLDAP/SAML group:
Prerequisites:
You have integrated Prisma Cloud with Active Directory, OpenLDAP, or SAML.
- Open Console, and log in with your admin credentials.
- Go to Manage > Authentication > Groups.
- Click Add group.
- Specify the name of the group. It should match the group name specified in your directory service.
- Check LDAP group.
- Select a role.
- Click Save.