Prisma Cloud Compute User Roles
If you are migrating from Prisma Cloud Compute Edition (self-hosted) to Prisma Cloud Enterprise Edition, the following table help you map roles and permissions for Prisma Cloud platform and the Compute roles.
In Prisma Cloud Enterprise Edition, permission groups determine what a user can do and see in Prisma Cloud UI, and the APIs he or she can access.
You can assign permission groups to user roles to control their level of access on Prisma Cloud.
Prisma Cloud Permission Group to Compute Role mapping
The following table summarizes the Permission groups available in Prisma Cloud and their mapping to Compute Console.
Prisma Cloud Permission Group | Compute Role | Access level | Typical uses case(s) |
|---|---|---|---|
System Admin (supports Compute-only check) | Administrator | Full read-write access to all Prisma Cloud settings and data. | Security administrators. |
Account & Cloud Provisioning Admin (supports Compute-only check) | Auditor | Read-only access to all Prisma Cloud Compute rules and data. | Auditors and compliance staff that need to verify settings and monitor compliance. |
Cloud Provisioning Admin | Defender Manager | Install, manage, and remove Defenders from your environment. | DevOps team members that need to manage Defender deployments without sysadmin privileges. Note : The permission groups you assign here only restrict access to what the user can do and see on the administrative Console. Defenders will collect and share information without differentiating which user deployed them. |
Account Group Admin (supports Compute-only check) | Auditor | Read-only access to all Prisma Cloud Compute rules and data. | Auditors and compliance staff that need to verify settings and monitor compliance. |
Account Group Read Only (supports Compute-only check) | DevSecOps User | Read-only access to all results under Radar and Monitor , but no access to view or change policy or settings. | DevSecOps personnel. |
Build and Deploy Security | DevOps User | Read-only access to the Prisma Cloud CI vulnerability and compliance scan reports only. | Developer, Operations, and DevOps personnel that need to know about and/or address the vulnerabilities in your environment. |
Build and Deploy Security (" Only Access Key " selection) | CI User | Run the Continuous Integration plugins, IaC scans, IDE plugins only. | CI Users can only run the plugin and have no other access to configure Prisma Cloud. |
Only for Compute Capabilities checkbox
This checkbox is available for Admin and Read-Only user roles - Auditor and DevSecOps.
When assigned, users will be given access to only
the Compute tab and Access keys tab in the Prisma Cloud platform.
All other tabs, such as Policy, Asset Inventory, etc, will be hidden from view.On-prem/Other cloud providers
You can assign read only roles to view data from Defenders that are deployed on hosts outside of supported cloud providers for Cloud Account discovery in Compute (i.e AWS, Azure, GCP, Alibaba). e.g. OpenShift on VMware vSphere inside private datacenter. Other clouds (e.g. Oracle, IBM, etc)Users with read-only permission to Compute Console only see data from cloud accounts they have access to (in Prisma).
For example, read-only user John who is assigned access to onboarded accounts from AWS in Prisma Cloud but no access to accounts from GCP and Azure. When John selects the Compute tab, he can only view data coming from Defenders in the assigned AWS account and no other Defenders.
Only system admin permission group users can manage/view data coming from all Defenders in Compute. This includes data from cloud accounts that may not be onboarded in Prisma Cloud.
DevOps/CI users only have access to CI/CD scans hence the account filtering mentioned above does not apply to these users.
Only Admin can create collections in Compute. Collections for Read-Only users are visible according to the cloud accounts they are assigned in Prisma Cloud and the subsets of those resources created in manual collections by Admins.