Assign roles

After creating a user or group, you can assign roles to it. Roles determine the level of access to Prisma Cloud’s data and settings.

Creating and Assigning roles to Compute Users in Prisma Cloud

There are a set of permissions that can be applied to a role while creating it.

Permission Group and Advanced Options

Each of the permission groups in platform are mapped to Compute User roles. For more information see Prisma Cloud User Roles mapping.

Account Groups

  • You can assign onboarded cloud accounts in Prisma Cloud for RBAC access to Compute resources.
  • Starting in Hamilton release, you can type "Account IDs" as string in the
    Non-Onboarded Account IDs
    field to give RBAC access to data in Compute from accounts that are not onboarded in Prisma Cloud.
  • The following Account group consists of some onboarded cloud accounts and an additional account with ID "gcp-prod".
    A wildcard for this textbox will be treated as "All" accounts regardless of onboarded or not, where account ID metadata is available. This doesn’t apply to Windows Defenders or other environments where cloud account metadata is not available.

Resource Lists

Starting in Hamilton release, you can assign Resource lists with type
Compute Access Groups
in conjunction with Account Groups to Compute users.
These lists provide a light-weight mechanism to provision least-privilege access to the resources in your environment.
You can assign these to specific users and groups to limit their view of data and resources in the Compute Console.
Some entities like CI functions aren’t updated with new Compute Access group lists. Only the lists matched during the time of the scan.
These lists define an "and" relationship between resources, so creating a Compute access group with functions: myfuncs* and images: myImages* will match with nothing because a function doesn’t contain an image and an image doesn’t include a function.
  1. Open Prisma Cloud Console, and log in with your admin credentials.
  2. Go to
    Settings > Resource Lists
  3. Click
    Add Resource List
    1. Select
      Compute Access Group
    2. In the Add Resource List dialog, enter a name, description, and then specify a filter to target specific resources.
      1. For example, the access group named 'Compute production hosts only' here gives access to Compute resources filtered on hosts where host name starts with 'production'.
        For more information on syntax that can be used in the filter fields (e.g., containers, images, hosts, etc), see Rule ordering and pattern matching.
        Individual filters on each field in Compute Access group aren’t applicable to all views. For example, a group created with only functions won’t include any resources when viewing hosts results. Similarly, a group created with hosts won’t filter images by hosts when viewing image results.

Assigning Roles to User

Use a combination of the above fields to assign created roles to users
If a role allows access to policies, users with this role will be able to see all rules under the Defend section, even if the user’s view of the environment is restricted by assigned Compute Access Groups.
  1. Navigate to
    Settings > Users
  2. Add new user or search for an existing user.
  3. Assign role(s) to the user. When a role contains multiple Compute Access groups, the effective scope is the union of each individual query.
    Changes to a user’s Compute access group takes affect at login. For an active session, newly created Compute Access groups are synced with Compute Console every 30 minutes.


Different views in Console are filtered by different resource types.
If a Compute Access group specifies resources that are unrelated to the view, Access by this list returns an empty result.
Supported resources in collection
Images, Hosts, Namespaces, Clusters, Labels, Cloud Account IDs
Registry images
Images, Hosts (of the scanner host), Labels, Cloud Account IDs
Images, Containers, Hosts, Namespaces, Clusters, Labels, Cloud Account IDs