Create Prisma Cloud Roles
Create Prisma Cloud roles to restrict user access to cloud accounts within an account group.
Roles on Prisma Cloud enable you to specify what permissions an administrator has, and to which cloud accounts they have access, what policies they can apply, and how they interact with alerts and reports, for example.
When you create a cloud account, you can assign one or more cloud account to account group(s) and then attach the account group to the role you create. This flow allows you to ensure the user/administrator who has the role can access the information related to only the cloud account(s) to which you have authorized access.
- Select .
- Enter a name and a description for the role.
- Select a permission group.See Prisma Cloud Administrator Roles for a description of the following permission groups.
- SelectSystem Adminto allow full access and control over all sections of Prisma Cloud including overall administration settings and permissions management. To limit access to the Compute capabilities and APIs that enable you to secure your host, serverless, and container deployments, selectOnly for Compute capabilities.
- SelectAccount Group Adminto allow full access over designated accounts including a subset of administration settings and permissions management for the designatedAccount Groupsyou specify. By default an Account Group Admin has the ability to dismiss, snooze, and resolve alerts that are generated against all policies included in an alert rule defined by the System Admin. You can, however, restrict the ability dismiss or resolve alerts.
- SelectAccount ReadOnlyto allow read access to designated accounts across Prisma Cloud administrative console, excluding any administration settings and permissions management.
- SelectAccount and Cloud Provisioning Admin—to enable an administrator who is responsible for a line of business.With this role the permissions allow you to onboard cloud accounts, and access the dashboard, manage the security policies, investigate issues, view alerts and compliance details for the designatedAccount Groupsyou specify. By default an Account and Cloud Provisioning Admin has the ability to dismiss, snooze, and resolve alerts that are generated against all policies included in an alert rule defined by the System Admin. You can, however, restrict the ability dismiss or resolve alerts.
- SelectCloud Provisioning Adminto onboard and manage cloud accounts from the admin console and through APIs. They can also create and manage Account Groups. They do not have access to any other Prisma Cloud features.
- SelectBuild and Deploy Securityto enable DevOps users who need access to a subset ofComputecapabilities and/or API access to run IDE, SCM and CI/CD plugins for Infrastructure as Code and image vulnerabilities scans.
- SelectDeveloperrole to enable limited access to developers who use the Code Security scanning capabilities. The developers who are assigned this role can generate access keys, and view IaC scan results onCode Securityincluding the ability to fix issues.
- SelectNetSecOpsto enable your users from your Network Security and Operations team to access theNetwork Securitycapabilities and enable identity-based microsegmentation for securing hosts and containers in any cloud.(Optional) To restrict to read-only access, selectRead-only access to network security module.
- ClickView Permissionsto see the permissions associated with every permission group. Prisma Cloud Administrator Permissions displays what permissions each group has within Prisma Cloud.
- (Optional) Restrict the ability dismiss or resolve alerts.If you would like to ensure that only the System Admin role can manage alerts associated with a policy defined by a system administrator, selectRestrict alert dismissal. When enabled, an administrator with any other role such as Account Group Admin or Account and Cloud Provisioning Admin roles cannot dismiss or resolve alerts.
- (Optional) Limit access the Prisma Cloud Compute capabilities only.If you would like to ensure that permissions for the role is restricted to the Compute tab and the ability to generate Access Keys on the Prisma Cloud console, selectOnly for Compute capabilities. When enabled, for the assigned role, an administrator does not have access to the rest of the Prisma Cloud console.
- (Optional) Enable access to data collected from scanned Compute resources such as images, hosts, or containers.SelectOn-prem/Other cloud providers, if you would like to ensure that the roles—Account Group Admin, Account Group Read Only, and Account and Cloud Provisioning Admin—can view data sent from Prisma Cloud Defenders deployed on resources hosted on-premises or on cloud platforms deployed on private or public cloud platforms that are not being monitored by Prisma Cloud, such as on OpenShift, on-prem Kubernetes clusters, or AWS Fargate. When you enable this option, administrators who are assigned the role can view data collected from Defenders on theComputetab.
- (Optional) SelectResource Lists.If you would like to ensure that the roles—Account Group Admin, Account Group Read Only, Account and Cloud Provisioning Admin, and Build and Deploy Security—can view scan results sent from Prisma Cloud plugins on theDevOps Inventory, select the resource list from the drop-down. Users who are assigned the role can review scan results that match the tags specified in the resource lists.
- Select Account Groups that you want to associate with this role and clickSave.
