Manage Roles and Permissions
Prisma Cloud Enterprise Edition
Application Security provides the following roles, each with its own specific set of permissions.
System Administrator
Enable administrative access for all the DevSecOps and Security teams who need to add code repositories or pipelines, create policies and review scan results on Prisma Cloud. For more information, refer to Add Prisma Cloud Administrators and role permissions. You can also see Add Administrative Users.
Appsec Admin
The Application Security practitioner manages application security and is accordingly granted, by default, full system admin permissions to the Cloud Application Security module (CAS). In addition, the Appsec Admin has permissions for Application Security and selected platform permissions such as Alerts. See here for all Appsec permissions.
Other than the permissions specified above, the Appsec Admin's authority is restricted to the CAS module and does not apply to other modules on Prisma Cloud (as opposed to a system admin).
Developer Access for Application Security
You do not need to grant your developers access to log in to the Prisma Cloud administrative console. However, if you would like to enable access, Prisma Cloud includes a predefined developer role with least-privilege permissions to the Prisma Cloud administrative console.
The permissions for the developer role include the ability to:
- View scan results (Application Security) for repositories and perform functions to Suppress, Remediate, and Search for a specific Run or view Resource Explorer data.
- View the roles associated with the developer user account. (Settings > Roles)
- Create and modify access keys for the developer user account. (Settings > Access Keys)
- View their own user profile
- Designated repos only for Repositories (Application Security > Repositories)
- Designated repos only for SBOM (Application Security > SBOM)
- Select Settings > Roles > Add Role. Create a new Developer access role for Application Security on Prisma Cloud.
- Submit the change. You can assign the new role with developer access to a new or existing Prisma Cloud user.
Add a Custom Permission Group
Administrators can create a custom permission group for Application Security on the Prisma Cloud console. Using the parameters for permissions, you can limit or enhance the responsibilities of the users.
- Code & Build Providers: You can enable user permissions to view, create, update and delete resources on Code & Build Providers (Settings > Code & Build Providers). Configuring View permissions for all Application Security functions ensures the ability to see resource vulnerabilities and make informed decisions. You are required to select both Create and Update permissions when onboarding new repositories.
- Code Security Configuration: Enabling permissions for Application Security Configuration helps you manage Application Security licenses, Enforcement thresholds, notifications and developer suppressions, and create rules to exclude paths from scans.
For further details, see Create Custom Prisma Cloud Roles.
View Audit Logs
Audit Logs record administrator activities on the console to help you proactively track configuration actions that impact security outcomes, such as modifying Enforcement parameters and adding suppression rules, which impact the scan results, or actions on Code & Build Providers (Settings > Code & Build Providers), like adding, deleting or updating the repository selection, which affects what is being scanned and monitored using Prisma Cloud. For further details on managing audit logs, see View Audit Logs.
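One way to triage an exported audit log for the change types named above (Enforcement changes, new suppression rules, and repository selection changes under Code & Build Providers). This is an added example, not Prisma Cloud code; the JSON-lines layout and the field names `user`, `resource_type`, `action` and `target` are assumptions and must be mapped to the fields of your actual export.

```python
import json
from collections import Counter

# Constructed sample export. The field names (user, resource_type, action,
# target) are hypothetical, NOT the Prisma Cloud audit log schema.
SAMPLE_LOG = """\
{"ts": "2024-05-01T09:12:00Z", "user": "alice@example.com", "resource_type": "enforcement", "action": "update", "target": "default thresholds"}
{"ts": "2024-05-01T09:15:00Z", "user": "bob@example.com", "resource_type": "suppression", "action": "create", "target": "example-org/payments"}
{"ts": "2024-05-01T09:20:00Z", "user": "bob@example.com", "resource_type": "code_build_provider", "action": "delete", "target": "example-org/legacy-api"}
{"ts": "2024-05-01T09:30:00Z", "user": "carol@example.com", "resource_type": "access_key", "action": "create", "target": "ci-key"}
{"ts": "2024-05-01T09:31:00Z", "user": "carol@example.com", "resource_type": "suppression", "action": "view", "target": "example-org/payments"}
this line is truncated {"ts":
"""

# Change types the page names as affecting scan results or scan coverage.
WATCHED = {
    "enforcement": {"update"},
    "suppression": {"create"},
    "code_build_provider": {"create", "update", "delete"},
}

def triage(log_text):
    """Return (findings, skipped): watched changes and count of unparseable lines."""
    findings, skipped = [], 0
    for line_no, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            skipped += 1  # keep going; one bad line must not hide later events
            continue
        if not isinstance(rec, dict):
            skipped += 1
            continue
        rtype = str(rec.get("resource_type", "")).lower()
        action = str(rec.get("action", "")).lower()
        if action in WATCHED.get(rtype, ()):
            findings.append({"line": line_no, "user": rec.get("user", "unknown"),
                             "change": f"{rtype}:{action}", "target": rec.get("target")})
    return findings, skipped

def per_user(findings):
    """Count watched changes per user so unusual activity stands out."""
    return Counter(f["user"] for f in findings)

if __name__ == "__main__":
    found, bad = triage(SAMPLE_LOG)
    for f in found:
        print(f)
    print("per user:", dict(per_user(found)), "| unparseable lines:", bad)
```

A non-zero count of unparseable lines is worth investigating on its own, since a truncated export can hide exactly the changes being reviewed.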