Add users

About adding users

To add users, your user account must be in the System Admin permission group. To allow users not in the System Admin permission group to access Microsegmentation, select the procedure that corresponds to your preferred interface.

Adding users from the web interface

  1. Expand Microsegmentation and navigate to the top-level namespace. For example, /803920923337065472.
  2. Select Namespaces, click Authorizations, click the Create button, and select Create a New API Authorization Policy.
  3. Type the name of the policy. You could use the name of the user that you are adding. For example, aoperator.
  4. Click Next.
  5. In the Subject field, type @auth:subject=, then type the email address of the user, and press ENTER. For example, @auth:subject=aoperator@acme.com.
  6. Remaining in the Subject field, type @auth:userroletypename=, then type the permission group of the user, and press ENTER. For example, @auth:userroletypename=Account Group Admin.
  7. Remaining in the Subject field, type @auth:realm=pcidentitytoken and press ENTER.
  8. Confirm that all of the Microsegmentation tags are connected by "and".
  9. Click Next.
  10. If you wish to require the user to make their requests from a certain IP address or CIDR(s), provide these details. Otherwise, click Next.
  11. Select the Microsegmentation role or roles the user should have.
  12. Click Create.
  13. Have the user verify their access.

Adding users from the command line

  1. Ensure that you have apoctl.
  2. Set a USER_EMAIL environment variable containing the email address of the user. An example follows.
    export USER_EMAIL=aoperator@acme.com
    echo $USER_EMAIL
  3. Set a USER_NS environment variable containing the Microsegmentation namespace the user should be able to access. The user will be able to access the namespace that you specify as well as all of its children. An example follows.
    export USER_NS=/803920923337065472/cloud/group
    echo $USER_NS
  4. Set a ROLE environment variable containing the name of the user's role. See Microsegmentation user roles below for a list of possibilities.
    export ROLE=namespace.administrator
    echo $ROLE
  5. Set a PERMISSION_GROUP environment variable containing the Prisma Cloud permission group of the user.
    export PERMISSION_GROUP="Account Group Admin"
    echo $PERMISSION_GROUP
  6. Use the following command to create an API authorization for the user. MICROSEG_NS is the namespace in which the policy itself is created; it is not set by the preceding steps, so make sure it is exported before running the command. The three entries under subject form a single group, so the user's token must carry all three claims.
    cat <<EOF | apoctl api create apiauthorizationpolicies -n "$MICROSEG_NS" -f -
    name: aoperator
    authorizedIdentities:
    - '@auth:role=$ROLE'
    authorizedNamespace: $USER_NS
    subject:
    - - '@auth:subject=$USER_EMAIL'
      - '@auth:userroletypename=$PERMISSION_GROUP'
      - '@auth:realm=pcidentitytoken'
    EOF
    You can optionally require the user to log in from one or more specified subnets by including the authorizedSubnets key, as shown below.
    authorizedSubnets:
    - 100.99.35.0/24
    - 100.98.34.0/24
  7. Have the user verify their access.
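The web interface steps above tell you to confirm that the three subject tags are joined by "and", and the command-line steps build the same policy from environment variables. The script below is an added example, not Palo Alto Networks' or apoctl's own code: it validates each variable and renders the apiauthorizationpolicies manifest on stdout so you can inspect it before piping it into apoctl. The nested subject list follows the page's manifest; keeping all three claims in one inner group is what makes them an "and" (that the outer list would be "or" is an assumption here, not stated on the page). AUTHORIZED_SUBNETS, POLICY_NAME, the function names and the --demo switch are names chosen for this example.

```shell
#!/bin/sh
# Added example (not the vendor's or apoctl's code). Renders the API
# authorization policy manifest from USER_EMAIL, USER_NS, ROLE,
# PERMISSION_GROUP and, optionally, AUTHORIZED_SUBNETS (space-separated
# CIDRs) and POLICY_NAME. AUTHORIZED_SUBNETS and POLICY_NAME are names
# assumed by this example. POSIX sh; apoctl is not needed to run it.

# Accept one local@domain.tld address from a conservative character set.
# Spaces, quotes or a second "@" are refused so the value cannot break the
# YAML quoting or smuggle an extra claim into the subject group.
valid_email() {
    case "$1" in
        ''|*[!A-Za-z0-9._+@-]*|*@*@*) return 1 ;;
        *@*.*) return 0 ;;
        *) return 1 ;;
    esac
}

# Accept an IPv4 CIDR: four octets in 0-255 and a prefix length in 0-32.
valid_cidr() {
    cidr=$1
    ip=${cidr%/*}
    len=${cidr#*/}
    [ "$ip" != "$cidr" ] || return 1                 # no "/" present
    case "$len" in ''|*[!0-9]*) return 1 ;; esac
    [ "$len" -le 32 ] || return 1
    case "$ip" in ''|*[!0-9.]*) return 1 ;; esac
    oldifs=$IFS; IFS=.
    set -- $ip                                       # split on "."
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print the manifest on stdout; on any bad value print nothing and return 1.
render_policy() {
    valid_email "${USER_EMAIL:-}" || { echo "invalid USER_EMAIL" >&2; return 1; }
    case "${USER_NS:-}" in
        ''|[!/]*|*[!A-Za-z0-9_./-]*) echo "invalid USER_NS" >&2; return 1 ;;
    esac
    case "${ROLE:-}" in
        ''|*[!a-z.]*) echo "invalid ROLE" >&2; return 1 ;;
    esac
    # The permission group may contain spaces ("Account Group Admin") but
    # not the single quote that delimits it in the manifest.
    case "${PERMISSION_GROUP:-}" in
        ''|*"'"*) echo "invalid PERMISSION_GROUP" >&2; return 1 ;;
    esac
    case "${POLICY_NAME:-x}" in
        *[!A-Za-z0-9._-]*) echo "invalid POLICY_NAME" >&2; return 1 ;;
    esac
    for cidr in ${AUTHORIZED_SUBNETS:-}; do
        valid_cidr "$cidr" || { echo "invalid CIDR: $cidr" >&2; return 1; }
    done

    printf '%s\n' "name: ${POLICY_NAME:-${USER_EMAIL%%@*}}"
    printf '%s\n' "authorizedIdentities:"
    printf '%s\n' "- '@auth:role=$ROLE'"
    printf '%s\n' "authorizedNamespace: $USER_NS"
    printf '%s\n' "subject:"
    # One inner list = one "and" group: the token must present the subject,
    # the permission group and the Prisma Cloud identity-token realm together.
    printf '%s\n' "- - '@auth:subject=$USER_EMAIL'"
    printf '%s\n' "  - '@auth:userroletypename=$PERMISSION_GROUP'"
    printf '%s\n' "  - '@auth:realm=pcidentitytoken'"
    if [ -n "${AUTHORIZED_SUBNETS:-}" ]; then
        printf '%s\n' "authorizedSubnets:"
        for cidr in $AUTHORIZED_SUBNETS; do
            printf '%s\n' "- $cidr"
        done
    fi
}

# Run with --demo to render the page's example values (constructed sample
# input) without calling apoctl. With real values exported, pipe the
# manifest into apoctl exactly as the steps above do:
#   render_policy | apoctl api create apiauthorizationpolicies -n "$MICROSEG_NS" -f -
if [ "${1:-}" = "--demo" ]; then
    export USER_EMAIL=aoperator@acme.com
    export USER_NS=/803920923337065472/cloud/group
    export ROLE=namespace.administrator
    export PERMISSION_GROUP="Account Group Admin"
    export AUTHORIZED_SUBNETS="100.99.35.0/24 100.98.34.0/24"
    render_policy
fi
```

Validating before printing matters because the heredoc in step 6 expands the variables unquoted: a value containing a quote or a second claim would land in the manifest verbatim, and the rendered file is what apoctl applies. Review the output of --demo, then substitute your own exported values.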

Microsegmentation user roles

In the following table, we provide the names of the primary Microsegmentation roles and their associated privileges.

apoctl role name         Web interface role name       Privileges
-----------------------  ----------------------------  -----------------------------------------------------------------------------------------------------------------------------
                         Application Developer         Create, read, update, and delete permissions on network policies, external networks, and processing units in the namespace
                         Application Viewer            Read permissions on network policies, external networks, and processing units
                         Infrastructure Administrator  Read permissions on namespaces; create, read, update, and delete on all other resources in the namespace
                         Infrastructure Viewer         Read permissions on all resources in the namespace
namespace.administrator  Namespace Administrator       Create, read, update, and delete permissions on all resources in the namespace
                         Namespace Viewer              Read permissions on all resources in the namespace
