1. Home
    2. Prisma
    3. Prisma Cloud
    4. Prisma™ Cloud Administrator's Guide
    5. Manage Prisma Cloud Administrators
    6. Create and Manage Account Groups on Prisma Cloud

    Create and Manage Account Groups on Prisma Cloud

    Learn how to create and manage Account groups on Prisma Cloud.
    You can use Account Groups to combine access to multiple cloud accounts with similar or different applications that span multiple divisions or business units, so that you can manage administrative access to these accounts from Prisma Cloud.
    When you onboard a cloud account to Prisma Cloud, you can assign the cloud account to one or more account groups, and then assign the account group to Prisma Cloud Administrator Roles. Assigning an account group to an administrative user on Prisma Cloud allows you to restrict access only to the resources and data that pertains to the cloud account(s) within an account group. Alerts on Prisma Cloud are applied at the cloud account group level, which means you can setup separate alert rules and notification flows for different cloud environments. In addition, you also have the ability to create nested account groups which provides you more flexibility with mapping out your internal hierarchy.

    Create an Account Group

    1. Select
      Settings
      Account Groups
      Add Account Group
      .
    2. Enter a
      Name
       and
      Description
       for the new Account Group.
    3. Select the cloud accounts that you want to group together in this account group and click
      Save
      .
      These are the list of cloud accounts that you have onboarded and are monitoring on Prisma Cloud. You can also nest account groups so that you can map out your organization in a hierarchal manner.
    4. Enter the Account IDs for cloud accounts for which you want visibility on
      Compute
      .
      For the cloud service providers that are supported on Prisma Cloud Compute, you can add the Account IDs manually, even if you have not onboarded the cloud account and are not using Prisma Cloud for compliance and governance. Adding the account IDs manually enables you to assign these accounts to users for role-based access control on Compute so that they can view data collected from Defenders running on workloads across these cloud service providers on
      Compute
      Radar
      .
      You must provide the Account ID, the account name is not a unique identifier and is not used to retrieve information from the cloud service provider.

    Create Nested Account Groups

    Create nested account groups and gain more flexibility in mapping out the internal hierarchy of your organization.
    Prisma™ Cloud enables you to nest account groups which provides greater flexibility into how to map out your organization’s internal hierarchy and delegate permissions. A nested account group has one or more account groups that are organized in a parent-child hierarchy. Parents can have a combination of children and directly associated accounts, and they will be able to view all of the assets or alerts of the parent account group and that of their children.
    The following workflow creates an account group and then places it inside of a parent. An account group becomes a child when it is placed inside of a parent.
    1. Verify that your Prisma Cloud tenant is on Alerts 2.0.
      This feature is available to customers on Alerts 2.0. Please contact your Prisma Cloud account or customer success team to enable this feature on your tenant.
    2. Create an account group.
      1. Select
        Settings
        Account Groups
        Add Account Group
        .
      2. Enter a
        name
        ,
        description
        , and (
        optionally
        ) select cloud accounts to add to the account group and click
        Save
        .
    3. Nest the account group.
      In this example, we’re selecting one account group to be a child, but depending on your use case you’re allowed to select up to 300 account groups to be children.
      1. Repeat steps 1-2 to add another account group.
      2. Select the
        Make this a parent account group
         check box.
        Click
        Account Groups Selected
         and select the two children account groups you previously created and click
        Save
        .
        The ( ) icon indicates that a child account is already part of another parent. If you choose to include it in the parent account group you are currently creating, it will be moved from the former parent account group to the new one. This may result in alerts being marked as
        Resolved
        .
    4. Assign a parent account group to a role.
      You have the option of creating a new role or assigning the parent account group to an existing one. Any user assigned with that role will be able to view the assets and alerts that belongs to the parent account group, along with all their child account groups and cloud accounts.
      1. Add a new role.
        Select
        Settings
        Roles
        Add Role
        .
      2. Enter the new role details.
        Enter
        Name
        ,
        Description
        , select
        Permission Group
         and click
        Account Groups
         to choose your parent account group.
      3. (
        Optional
        ) Assign the parent account group to an existing role.
        Select
        Settings
        Roles
        , and then select a role from the
        Name
         column.
      4. (
        Optional
        ) Select the
        Account Group
         dialog box and choose the parent account groups you want to add.
    5. View the parent account group data.
      You can view your parent account group data from the
      SecOps
      ,
      Asset Inventory
      , and
      Compliance
       dashboards, and the
      Investigate
       page.
      1. View parent account groups in the
        SecOps
         dashboard.
        Navigate to the
        SecOps
         dashboard by selecting
        Dashboard
        SecOps
         and then click
        Account Groups
        . Select the parent account group you created to view its data along with its children account groups.
      2. View the parent account groups in the
        Asset Inventory
         dashboard.
        Navigate to
        Inventory
        Assets
        , and select the account groups to filter in the
        Account Group
         search field.
      3. View the parent account groups in the Compliance dashboard.
        Navigate to
        Compliance
        Overview
        , and select the account groups to filter in the
        Account group
         search field.
      4. View the parent account groups in the Inventory page.
        Navigate to
        Investigate
         and enter the following query:
        config from cloud.resource where cloud.accountgroup =

    Manage Account Groups

    To view and manage account groups:
    1. Select
      Settings
      Account Groups
      .
    2. To edit the details of an Account Group, click the record and change any details.
      indicates account groups that are automatically created and therefore cannot be edited. These account groups are created when onboard a cloud account and enable
      Auto Map
       to automatically create account groups that match your organizational hierarchy.
    3. To clone an Account Group, hover over the account group and click
      Clone
      .
      Cloning an account group is creating a copy of an existing account group. Cloning serves as a quick method of creating a new account group if you choose to change few details of the source account group.
    4. To delete an Account Group, hover over the account group and click
      Delete
      .

    Recommended For You

    Recommended Videos

    Recommended videos not found.

    © 2023 Palo Alto Networks, Inc. All rights reserved.

    Techdocs Logo