Create and Manage Account Groups on Prisma Cloud
Learn how to create and manage Account groups on Prisma Cloud.
You can use Account Groups to combine access to multiple cloud accounts with similar or different applications that span multiple divisions or business units, so that you can manage administrative access to these accounts from Prisma Cloud.
When you onboard a cloud account to Prisma Cloud, you can assign the cloud account to one or more account groups, and then assign the account group to Prisma Cloud Administrator Roles. Assigning an account group to an administrative user on Prisma Cloud allows you to restrict access to only the resources and data that pertain to the cloud account(s) within an account group. Alerts on Prisma Cloud are applied at the cloud account group level, which means you can set up separate alert rules and notification flows for different cloud environments. In addition, you can create nested account groups, which give you more flexibility in mapping out your internal hierarchy.
Create an Account Group
- Select Settings > Account Groups > Add Account Group.
- Enter a Name and Description for the new Account Group.
- Select the cloud accounts that you want to group together in this account group and click Save. These are the cloud accounts that you have onboarded and are monitoring on Prisma Cloud. You can also nest account groups so that you can map out your organization in a hierarchical manner.
- Enter the Account IDs for cloud accounts for which you want visibility on Compute. For the cloud service providers that are supported on Prisma Cloud Compute, you can add the Account IDs manually, even if you have not onboarded the cloud account and are not using Prisma Cloud for compliance and governance. Adding the account IDs manually enables you to assign these accounts to users for role-based access control on Compute so that they can view data collected from Defenders running on workloads across these cloud service providers on Compute > Radar. You must provide the Account ID; the account name is not a unique identifier and is not used to retrieve information from the cloud service provider.
Create Nested Account Groups
Create nested account groups and gain more flexibility in mapping out the internal hierarchy of your organization.
Prisma™ Cloud enables you to nest account groups, which provides greater flexibility in how you map out your organization’s internal hierarchy and delegate permissions. A nested account group has one or more account groups that are organized in a parent-child hierarchy. Parents can have a combination of children and directly associated accounts, and they will be able to view all of the assets or alerts of the parent account group and those of their children.
The following workflow creates an account group and then places it inside of a parent. An account group becomes a child when it is placed inside of a parent.
- Verify that your Prisma Cloud tenant is on Alerts 2.0. This feature is available to customers on Alerts 2.0. Please contact your Prisma Cloud account or customer success team to enable this feature on your tenant.
- Create an account group.
  - Select Settings > Account Groups > Add Account Group.
  - Enter a name, description, and (optionally) select cloud accounts to add to the account group and click Save.
- Nest the account group. In this example, we’re selecting one account group to be a child, but depending on your use case you’re allowed to select up to 300 account groups to be children.
  - Repeat steps 1-2 to add another account group.
  - Select the Make this a parent account group check box. Click Account Groups Selected and select the two children account groups you previously created and click Save. The ( ) icon indicates that a child account is already part of another parent. If you choose to include it in the parent account group you are currently creating, it will be moved from the former parent account group to the new one. This may result in alerts being marked as Resolved.
- Assign a parent account group to a role. You have the option of creating a new role or assigning the parent account group to an existing one. Any user assigned with that role will be able to view the assets and alerts that belong to the parent account group, along with all its child account groups and cloud accounts.
  - Add a new role. Select Settings > Roles > Add Role.
  - Enter the new role details. Enter Name, Description, select Permission Group and click Account Groups to choose your parent account group.
  - (Optional) Assign the parent account group to an existing role. Select Settings > Roles, and then select a role from the Name column.
  - (Optional) Select the Account Group dialog box and choose the parent account groups you want to add.
- View the parent account group data. You can view your parent account group data from the SecOps, Asset Inventory, and Compliance dashboards, and the Investigate page.
  - View parent account groups in the SecOps dashboard. Navigate to the SecOps dashboard by selecting Dashboard > SecOps and then click Account Groups. Select the parent account group you created to view its data along with its children account groups.
  - View the parent account groups in the Asset Inventory dashboard. Navigate to Inventory > Assets, and select the account groups to filter in the Account Group search field.
  - View the parent account groups in the Compliance dashboard. Navigate to Compliance > Overview, and select the account groups to filter in the Account group search field.
  - View the parent account groups in the Inventory page. Navigate to Investigate and enter the following query: config from cloud.resource where cloud.accountgroup =
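The following is an added example, not Prisma Cloud code: a small Python model of the visibility rules described in this section, for reviewing which cloud accounts a role reaches through a parent account group and how that changes when a child is moved to a new parent. The group names, account IDs, role names and dictionary layout are constructed for illustration and are not a Prisma Cloud export format; the traversal walks any depth, which also covers a single parent-child level.

```python
# Constructed sample data: group name -> directly attached accounts and child groups.
GROUPS = {
    "prod-parent": {"accounts": {"111111111111"}, "children": ["prod-aws", "prod-gcp"]},
    "prod-aws": {"accounts": {"222222222222", "333333333333"}, "children": []},
    "prod-gcp": {"accounts": {"gcp-proj-a"}, "children": []},
    "dev-parent": {"accounts": set(), "children": ["dev-aws"]},
    "dev-aws": {"accounts": {"444444444444"}, "children": []},
}
# Constructed sample data: role name -> account groups assigned to that role.
ROLES = {"prod-secops": ["prod-parent"], "dev-readonly": ["dev-aws"]}
MAX_CHILDREN = 300  # child limit stated on the page


def effective_accounts(groups, name, _seen=None):
    """Accounts visible through a group: its own plus those of every descendant."""
    seen = _seen if _seen is not None else set()
    if name in seen:  # guard against a cyclic hierarchy in the input
        return set()
    seen.add(name)
    result = set(groups[name]["accounts"])
    for child in groups[name]["children"]:
        result |= effective_accounts(groups, child, seen)
    return result


def role_scope(groups, roles):
    """Map each role to every cloud account it can view via its account groups."""
    return {role: set().union(*(effective_accounts(groups, g) for g in assigned))
            for role, assigned in roles.items()}


def hierarchy_findings(groups):
    """Flag parents over the child limit and children listed under two parents."""
    parents, findings = {}, []
    for name, g in groups.items():
        if len(g["children"]) > MAX_CHILDREN:
            findings.append(f"{name}: more than {MAX_CHILDREN} children")
        for child in g["children"]:
            parents.setdefault(child, []).append(name)
    findings += [f"{c}: listed under {sorted(p)}" for c, p in parents.items() if len(p) > 1]
    return findings


def reparent(groups, child, new_parent):
    """Return a copy in which the child has left its former parent for the new one."""
    moved = {n: {"accounts": set(g["accounts"]),
                 "children": [c for c in g["children"] if c != child]}
             for n, g in groups.items()}
    moved[new_parent]["children"].append(child)
    return moved
```

Comparing `role_scope` before and after `reparent` shows which roles lose or gain visibility of a child's accounts when it is moved between parents.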
Manage Account Groups
To view and manage account groups:
- Select Settings > Account Groups.
- To edit the details of an Account Group, click the record and change any details. Account groups that are automatically created are marked with an icon and cannot be edited. These account groups are created when you onboard a cloud account and enable Auto Map to automatically create account groups that match your organizational hierarchy.
- To clone an Account Group, hover over the account group and click Clone. Cloning an account group creates a copy of an existing account group. Cloning serves as a quick method of creating a new account group if you want to change only a few details of the source account group.
- To delete an Account Group, hover over the account group and click Delete.