Document:Prisma Cloud Administrator’s Guide (Compute)

Assign roles

Filter

Welcome
- Getting started
- Compute SaaS maintenance updates
- NAT gateway IP addresses
- Product architecture
- Support lifecycle
- Security Assurance Policy on Prisma Cloud Compute
- Licensing
- Prisma Cloud Enterprise Edition vs Compute Edition
- Utilities and plugins
Install
- Getting started
- System Requirements
- Cluster Context
- Deploy Prisma Cloud Defenders
Upgrade
- Support lifecycle for connected components
- Upgrade process
- Kubernetes
- OpenShift
- Helm charts
- Amazon ECS
- Upgrade the Single Container Defenders
- Upgrade Defender DaemonSets
- Upgrade Defender DaemonSets (Helm)
Agentless Scanning
- Agentless Scanning Modes
- Onboard Accounts for Agentless Scanning
- Agentless Scanning Results
Technology overviews
- Intelligence Stream
- Prisma Cloud Advanced Threat Protection
- App-specific network intelligence
- Container Runtimes
- Radar
- Serverless Radar
- Prisma Cloud Rules Guide - Docker
- Defender architecture
- Host Defender architecture
- TLS v1.2 cipher suites
- Telemetry
Configure
- Rule ordering and pattern matching
- Backup and restore
- Custom feeds
- Configuring Prisma Cloud proxy settings
- Prisma Cloud Compute certificates
- Configure scanning
- User certificate validity period
- Enable HTTP access to Console
- Set different paths for Defender and Console (with DaemonSets)
- Authenticate to Console with certificates
- Customize terminal output
- Collections
- Tags
- WildFire Settings
- Log Scrubbing
- Permissions by feature
Authentication
- Access keys
- Prisma Cloud Compute User Roles
- Compute user roles
- Assign roles
- Credentials Store
Cloud Service Providers
- Cloud discovery
- Use Cloud Service Provider Accounts in Prisma Cloud
Vulnerability management
- Prisma Cloud vulnerability feed
- Scanning Procedure
- Vulnerability Management Policies
- Vulnerability Scan Reports
- Scan Images for Custom Vulnerabilities
- Base images
- Vulnerability Explorer
- CVSS scoring
- CVE Viewer
- Registry scanning
- Configure VM image scanning
- Configure code repository scanning
- Malware scanning
- Windows container image scanning
- Serverless function scanning
- VMware Tanzu Blobstore Scanning
- Scan App-Embedded workloads
- Troubleshoot vulnerability detection
Access control
- Role-based access control for Docker Engine
- Admission control with Open Policy Agent
Compliance
- Compliance Explorer
- Enforce compliance checks
- CIS Benchmarks
- Prisma Cloud Labs compliance checks
- Serverless functions compliance checks
- Windows compliance checks
- DISA STIG compliance checks
- Custom compliance checks
- Trusted images
- Host scanning
- VM image scanning
- App-Embedded scanning
- Detect secrets
- OSS license management
Runtime defense
- Runtime defense for containers
- Runtime defense for hosts
- Runtime defense for serverless functions
- Runtime defense for App-Embedded
- Event Aggregation
- Custom runtime rules
- Import and export individual rules
- ATT&CK Explorer
- Runtime Audits
- Image analysis sandbox
- Incident Explorer
- Incident types
Continuous integration
- Jenkins plugin
- Jenkins Freestyle project
- Jenkins Maven project
- Jenkins Pipeline project
- Run Jenkins in a container
- Jenkins pipeline on Kubernetes
- CI plugin policy
- Code repo scanning
WAAS
- Web-Application and API Security (WAAS)
- Deploy WAAS
- WAAS Explorer
- App Firewall Settings
- API Protection
- DoS protection
- Bot Protection
- WAAS Access Controls
- Advanced Settings
- WAAS Analytics
- API Discovery
- API definition scan
- WAAS custom rules
- Detecting unprotected web apps
- WAAS Sensitive Data
Firewalls
- Cloud Native Network Segmentation (CNNS)
Secrets
- Secrets manager
- Integrate with secrets stores
- Secrets Stores
- Inject secrets into containers
- Injecting secrets: end-to-end example
Alerts
- Alert mechanism
- AWS Security Hub
- Cortex XDR alerts
- Cortex XSOAR alerts
- Email alerts
- Google Cloud Pub/Sub
- Google Cloud Security Command Center
- IBM Cloud Security Advisor
- JIRA Alerts
- PagerDuty alerts
- ServiceNow alerts for Security Incident Response
- ServiceNow alerts for Vulnerability Response
- Slack Alerts
- Splunk Alerts
- Webhook alerts
Audit
- Event viewer
- Host activity
- Administrative activity audit trail
- Annotate audit event records
- Delete audit logs
- Syslog and stdout integration
- Log rotation
- Throttling audits
- Prometheus
- Kubernetes auditing
Tools
- twistcli
- Scan Images with twistcli
- Scan code repos with twistcli
- Scan Infrastructure as Code (IaC)
Deployment patterns
- Best practices for DNS and certificate management
- Storage limits for audits and reports
- Performance planning
API
Howto
- Disable automatic learning
- Debug data

Assign roles

After creating a user or group, you can assign roles to it. Roles determine the level of access to Prisma Cloud’s data and settings.

Creating and Assigning roles to Compute Users in Prisma Cloud

There are a set of permissions that can be applied to a role while creating it.

Permission Group and Advanced Options

Each of the permission groups in platform are mapped to Compute User roles. For more information see Prisma Cloud User Roles mapping.

Account Groups

You can assign onboarded cloud accounts in Prisma Cloud for RBAC access to Compute resources.

Starting in Hamilton release, you can type "Account IDs" as string in the Non-Onboarded Account IDs
field to give RBAC access to data in Compute from accounts that are not onboarded in Prisma Cloud.

The following Account group consists of some onboarded cloud accounts and an additional account with ID "gcp-prod".

A wildcard for this textbox will be treated as "All" accounts regardless of onboarded or not, where account ID metadata is available. This doesn’t apply to Windows Defenders or other environments where cloud account metadata is not available.

Resource Lists

Starting in Hamilton release, you can assign Resource lists with type Compute Access Groups
in conjunction with Account Groups to Compute users.

These lists provide a light-weight mechanism to provision least-privilege access to the resources in your environment.

You can assign these to specific users and groups to limit their view of data and resources in the Compute Console.

Some entities like CI functions aren’t updated with new Compute Access group lists. Only the lists matched during the time of the scan.

These lists define an "and" relationship between resources, so creating a Compute access group with functions: myfuncs* and images: myImages* will match with nothing because a function doesn’t contain an image and an image doesn’t include a function.

Open Prisma Cloud Console, and log in with your admin credentials.

Go to Settings > Resource Lists
.

Click Add Resource List
.

Select Compute Access Group
.

In the Add Resource List dialog, enter a name, description, and then specify a filter to target specific resources.

For example, the access group named 'Compute production hosts only' here gives access to Compute resources filtered on hosts where host name starts with 'production'.

For more information on syntax that can be used in the filter fields (e.g., containers, images, hosts, etc), see Rule ordering and pattern matching.

Individual filters on each field in Compute Access group aren’t applicable to all views. For example, a group created with only functions won’t include any resources when viewing hosts results. Similarly, a group created with hosts won’t filter images by hosts when viewing image results.

Assigning Roles to User

Use a combination of the above fields to assign created roles to users

If a role allows access to policies, users with this role will be able to see all rules under the Defend section, even if the user’s view of the environment is restricted by assigned Compute Access Groups.

Navigate to Settings > Users
.

Add new user or search for an existing user.

Assign role(s) to the user. When a role contains multiple Compute Access groups, the effective scope is the union of each individual query.

Changes to a user’s Compute access group takes affect at login. For an active session, newly created Compute Access groups are synced with Compute Console every 30 minutes.

Limitations

Different views in Console are filtered by different resource types.

If a Compute Access group specifies resources that are unrelated to the view, Access by this list returns an empty result.

Section	View	Supported resources in collection
Monitor/Vulnerabilities Monitor/Compliance	Images	Images, Hosts, Namespaces, Clusters, Labels, Cloud Account IDs
Monitor/Vulnerabilities Monitor/Compliance	Registry images	Images, Hosts (of the scanner host), Labels, Cloud Account IDs
Monitor/Vulnerabilities Monitor/Compliance	Containers	Images, Containers, Hosts, Namespaces, Clusters, Labels, Cloud Account IDs

Document:Prisma Cloud Administrator’s Guide (Compute)

Assign roles

Table of Contents

Assign roles

Creating and Assigning roles to Compute Users in Prisma Cloud

Permission Group and Advanced Options

Account Groups

Resource Lists

Assigning Roles to User

Limitations