Prisma Cloud Compute User Roles

In Prisma Cloud Enterprise Edition, you can assign roles to users to control their level of access to Prisma Cloud. Roles determine what a user can do and see in the Prisma Cloud UI, and which APIs they can access. These roles are mapped to Compute roles according to the table below.

Prisma Cloud Roles to Compute Roles mapping

To create roles, go to Settings > . The following table summarizes the roles available in Prisma Cloud and their mapping to Compute Console.
| Prisma Cloud Role | Compute Role | Access level | Typical use case(s) |
|---|---|---|---|
| System Admin | Administrator | Full read-write access to all Prisma Cloud settings and data. | Security administrators. |
| System Admin ("Only allow compute access" selection) | Administrator | Full read-write access to only Prisma Cloud Compute settings and data. | Application security administrators. |
| Account & Cloud Provisioning Admin | Auditor | Read-only access to all Prisma Cloud Compute rules and data. | Auditors and compliance staff that need to verify settings and monitor compliance. |
| Cloud Provisioning Admin | Defender Manager | Read-only access to all Compute rules and data. Can install and uninstall Defenders. | DevOps and sysadmins for the nodes that Prisma Cloud protects. |
| Account Group Admin | Auditor | Read-only access to all Prisma Cloud Compute rules and data. | Auditors and compliance staff that need to verify settings and monitor compliance. |
| Account Group Read Only | DevSecOps User | Read-only access to all results under Radar and Monitor, but no access to view or change policy or settings. | DevSecOps personnel. |
| Build and Deploy Security | DevOps User | Read-only access to the Prisma Cloud CI vulnerability and compliance scan reports only. | Developer, Operations, and DevOps personnel that need to know about and/or address the vulnerabilities in your environment. |
| Build and Deploy Security ("Only Access Key" selection) | CI User | Run the Continuous Integration plugins, IaC scans, and IDE plugins only. | CI Users can only run the plugin and have no other access to configure Prisma Cloud. |
Users with read-only permission to Compute Console only see data from the cloud accounts they have access to in Prisma Cloud. For example, consider a read-only user, John, who is assigned access to onboarded AWS accounts in Prisma Cloud but has no access to GCP or Azure accounts. When John selects the Compute tab, he can only view data coming from Defenders in the assigned AWS account, and from no other Defenders. Only users in the System Admin permission group can manage and view data coming from all Defenders in Compute, including data from cloud accounts that are not onboarded in Prisma Cloud.
DevOps and CI users only have access to CI/CD scans, so the account filtering described above does not apply to them.
Only Admins can create collections in Compute. Read-only users see collections according to the cloud accounts they are assigned in Prisma Cloud, plus the subsets of those resources that Admins have placed in manual collections.
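As an added example (not code from the Prisma Cloud product or its documentation), the following Python models the mapping table and the account-scoped visibility rule above, so a practitioner can check what a given user should be able to see in Compute. The account IDs and Defender names are constructed, and treating Defender Manager as account-scoped like the other read-only roles is an assumption.

```python
from __future__ import annotations
from dataclasses import dataclass

# Prisma Cloud role -> Compute role, from the table on this page; the two parenthesised selections are separate keys.
PRISMA_TO_COMPUTE = {
    "System Admin": "Administrator",
    "System Admin (Only allow compute access)": "Administrator",
    "Account & Cloud Provisioning Admin": "Auditor",
    "Cloud Provisioning Admin": "Defender Manager",
    "Account Group Admin": "Auditor",
    "Account Group Read Only": "DevSecOps User",
    "Build and Deploy Security": "DevOps User",
    "Build and Deploy Security (Only Access Key)": "CI User",
}
# Compute roles limited to CI/CD scan results: they see no Defender data at all.
CI_ONLY_ROLES = {"DevOps User", "CI User"}

@dataclass(frozen=True)
class DefenderRecord:
    defender: str
    cloud_account: str | None  # None: account not onboarded in Prisma Cloud

@dataclass(frozen=True)
class User:
    name: str
    prisma_role: str
    assigned_accounts: frozenset = frozenset()  # account IDs granted in Prisma Cloud

def compute_role(user: User) -> str:
    """Map the Prisma Cloud role to its Compute role; reject unknown roles."""
    if user.prisma_role not in PRISMA_TO_COMPUTE:
        raise ValueError(f"no Compute mapping for role {user.prisma_role!r}")
    return PRISMA_TO_COMPUTE[user.prisma_role]

def visible_defenders(user: User, records: list[DefenderRecord]) -> list[DefenderRecord]:
    """Administrators see every Defender (even from non-onboarded accounts); CI-only
    roles see none; the read-only roles (Auditor, Defender Manager, DevSecOps User)
    are filtered to the accounts assigned in Prisma Cloud (assumption for Defender Manager)."""
    role = compute_role(user)
    if role == "Administrator":
        return list(records)
    if role in CI_ONLY_ROLES:
        return []
    return [r for r in records if r.cloud_account in user.assigned_accounts]

# Constructed sample data: hypothetical account IDs and Defender names.
SAMPLE_RECORDS = [
    DefenderRecord("aws-node-1", "aws-111111111111"),
    DefenderRecord("gcp-node-1", "gcp-project-a"),
    DefenderRecord("onprem-node-1", None),
]
```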
To learn more about Prisma Cloud permission groups and roles, see Create Roles in Prisma Cloud.
To learn more about Compute roles, see User roles.
