Create and Manage Account Groups on Prisma Cloud

Learn how to create and manage Account groups on Prisma Cloud.
You can use Account Groups to combine access to multiple cloud accounts with similar or different applications that span multiple divisions or business units, so that you can manage administrative access to these accounts from Prisma Cloud.
When you onboard a cloud account to Prisma Cloud, you can assign the cloud account to one or more account groups, and then assign the account group to Prisma Cloud Administrator Roles. Assigning an account group to an administrative user on Prisma Cloud allows you to restrict access to only the resources and data that pertain to the cloud account(s) within an account group. Alerts on Prisma Cloud are applied at the cloud account group level, which means you can set up separate alert rules and notification flows for different cloud environments. In addition, you can create nested account groups, which gives you more flexibility in mapping out your internal hierarchy.

Create an Account Group

  1. Select Settings > Account Groups > Add Account Group.
  2. Enter a Name and Description for the new Account Group.
  3. Select the cloud accounts that you want to group together in this account group and click Save.
    This is the list of cloud accounts that you have onboarded and are monitoring on Prisma Cloud. You can also nest account groups so that you can map out your organization in a hierarchical manner.
  4. Enter the Account IDs for cloud accounts for which you want visibility on Compute.
    For the cloud service providers that are supported on Prisma Cloud Compute, even if you have not onboarded the cloud account and are not using Prisma Cloud for compliance and governance, you can add the Account IDs manually. You must provide the Account ID; the account name is not a unique identifier and is not used to retrieve information from the cloud service provider.
    This option enables you to view data collected from Defenders running on workloads across these cloud service providers on Compute > Radar.

Create Nested Account Groups

Create nested account groups and gain more flexibility in mapping out the internal hierarchy of your organization.
Prisma™ Cloud enables you to nest account groups, which provides greater flexibility in how you map out your organization’s internal hierarchy and delegate permissions. A nested account group has one or more account groups that are organized in a parent-child hierarchy. Parents can have a combination of children and directly associated accounts, and they will be able to view all of the assets or alerts of the parent account group and those of their children.
The following workflow creates an account group and then places it inside of a parent. An account group becomes a child when it’s placed inside of a parent.
  1. Verify that your Prisma Cloud tenant is on Alerts 2.0.
    This feature is available to customers on Alerts 2.0. Please contact your Prisma Cloud account or customer success team to enable this feature on your tenant.
  2. Create an account group.
    1. Select Settings > Account Groups > Add Account Group.
    2. Enter a name, description, and (optionally) select cloud accounts to add to the account group and click Save.
  3. Nest the account group.
    In this example, we’re selecting one account group to be a child, but depending on your use case you’re allowed to select up to 300 account groups to be children.
    1. Repeat steps 1-2 to add another account group.
    2. Select the Make this a parent account group check box.
      Click Account Groups Selected and select the two children account groups you previously created and click Save.
      The ( ) icon indicates that a child account is already part of another parent. If you choose to include it in the parent account group you are currently creating, it will be moved from the former parent account group to the new one. This may result in alerts being marked as Resolved.
  4. Assign a parent account group to a role.
    You have the option of creating a new role or assigning the parent account group to an existing one. Any user assigned that role will be able to view the assets and alerts that belong to the parent account group, along with all of its child account groups and cloud accounts.
    1. Add a new role.
      Select Settings > Roles > Add Role.
    2. Enter the new role details.
      Enter Name, Description, select Permission Group and click Account Groups to choose your parent account group.
    3. (Optional) Assign the parent account group to an existing role.
      Select Settings > Roles, and then select a role from the Name column.
    4. (Optional) Select the Account Group dialog box and choose the parent account groups you want to add.
  5. View the parent account group data.
    You can view your parent account group data from the SecOps, Asset Inventory, and Compliance dashboards, and the Investigate page.
    1. View parent account groups in the SecOps dashboard.
      Navigate to the SecOps dashboard by selecting Dashboard > SecOps and then click Account Groups. Select the parent account group you created to view its data along with its children account groups.
    2. View the parent account groups in the Asset Inventory dashboard.
      Navigate to Inventory > Assets, and select the account groups to filter in the Account Group search field.
    3. View the parent account groups in the Compliance dashboard.
      Navigate to Compliance > Overview, and select the account groups to filter in the Account group search field.
    4. View the parent account groups in the Investigate page.
      Navigate to Investigate and enter the following query:
      config from cloud.resource where cloud.accountgroup =
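
The nesting rules in this workflow (a parent sees its own accounts plus those of its children, a child that already has a parent is moved to the new one, and a parent takes at most 300 children) can be checked offline before a parent group is assigned to a role. The Python model below is an added example, not Palo Alto Networks code and not the Prisma Cloud API; the group names, account IDs, and function names are constructed, and following groups nested more than one level deep is an assumption.

```python
# Added example: offline model of nested account groups (all names are constructed).
MAX_CHILDREN = 300  # limit on child account groups stated on this page

# Constructed sample data: group name -> directly attached accounts and child groups.
GROUPS = {
    "prod-aws":   {"accounts": {"111111111111"}, "children": set()},
    "prod-azure": {"accounts": {"sub-prod-01"}, "children": set()},
    "dev-aws":    {"accounts": {"222222222222"}, "children": set()},
    "production": {"accounts": {"333333333333"}, "children": {"prod-aws", "prod-azure"}},
}

def effective_accounts(groups, name, _seen=None):
    """Every cloud account a role gains when `name` is assigned to it:
    the group's own accounts plus those of all descendant groups."""
    seen = _seen if _seen is not None else set()
    if name in seen:          # guard against a malformed, cyclic data set
        return set()
    seen.add(name)
    accounts = set(groups[name]["accounts"])
    for child in groups[name]["children"]:
        accounts |= effective_accounts(groups, child, seen)
    return accounts

def current_parent(groups, child):
    """Return the parent that already contains `child`, or None."""
    return next((g for g, d in groups.items() if child in d["children"]), None)

def plan_parent(groups, parent, children):
    """Dry run of 'Make this a parent account group'. Returns the children that
    would be moved away from another parent and the accounts the role would see."""
    if len(children) > MAX_CHILDREN:
        raise ValueError(f"{len(children)} children exceeds the limit of {MAX_CHILDREN}")
    moved = {}
    for c in children:
        old = current_parent(groups, c)
        if old is not None and old != parent:
            moved[c] = old    # this child leaves its former parent
    # Work on a copy so the input data is never modified.
    trial = {g: {"accounts": set(d["accounts"]),
                 "children": set(d["children"]) - set(moved)} for g, d in groups.items()}
    trial.setdefault(parent, {"accounts": set(), "children": set()})
    trial[parent]["children"] |= set(children)
    return moved, effective_accounts(trial, parent)
```

A non-empty `moved` result marks the cases where the former parent loses a child, which is the situation in which this page says alerts may be marked as Resolved.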

Manage Account Groups

To view and manage account groups:
  1. Select Settings > Account Groups.
  2. To edit the details of an Account Group, click the record and change any details.
    The ( ) icon indicates account groups that are automatically created and therefore cannot be edited. These account groups are created when you onboard a cloud account and enable Auto Map to automatically create account groups that match your organizational hierarchy.
  3. To clone an Account Group, hover over the account group and click Clone.
    Cloning an account group creates a copy of an existing account group. Cloning serves as a quick method of creating a new account group if you choose to change a few details of the source account group.
  4. To delete an Account Group, hover over the account group and click Delete.
