Create Prisma Cloud Roles

Create Prisma Cloud roles to restrict user access to cloud accounts within an account group.
Roles on Prisma Cloud enable you to specify what permissions an administrator has, and to which cloud accounts they have access, what policies they can apply, and how they interact with alerts and reports, for example.
When you create a cloud account, you can assign one or more cloud account to account group(s) and then attach the account group to the role you create. This flow allows you to ensure the user/administrator who has the role can access the information related to only the cloud account(s) to which you have authorized access.
  1. Select
    Settings
    Roles
    Add Role
    .
  2. Enter a name and a description for the role.
  3. Select a permission group.
    See Prisma Cloud Administrator Roles for a description of the following permission groups.
    • Select
      System Admin
      to allow full access and control over all sections of Prisma Cloud including overall administration settings and permissions management. To limit access to the Compute capabilities and APIs that enable you to secure your host, serverless, and container deployments, select
      Only for Compute capabilities
      .
    • Select
      Account Group Admin
      to allow full access over designated accounts including a subset of administration settings and permissions management for the designated
      Account Groups
      you specify. By default an Account Group Admin has the ability to dismiss, snooze, and resolve alerts that are generated against all policies included in an alert rule defined by the System Admin. You can, however, restrict the ability dismiss or resolve alerts.
    • Select
      Account ReadOnly
      to allow read access to designated accounts across Prisma Cloud administrative console, excluding any administration settings and permissions management.
    • Select
      Account and Cloud Provisioning Admin
      —to enable an administrator who is responsible for a line of business.With this role the permissions allow you to onboard cloud accounts, and access the dashboard, manage the security policies, investigate issues, view alerts and compliance details for the designated
      Account Groups
      you specify. By default an Account and Cloud Provisioning Admin has the ability to dismiss, snooze, and resolve alerts that are generated against all policies included in an alert rule defined by the System Admin. You can, however, restrict the ability dismiss or resolve alerts.
    • Select
      Cloud Provisioning Admin
      to onboard and manage cloud accounts from the admin console and through APIs. They can also create and manage Account Groups. They do not have access to any other Prisma Cloud features.
    • Select
      Build and Deploy Security
      to enable DevOps users who need access to a subset of
      Compute
      capabilities and/or API access to run IDE, SCM and CI/CD plugins for Infrastructure as Code and image vulnerabilities scans.
    • Select
      NetSecOps
      to enable your users from your Network Security and Operations team to access the
      Network Security
      capabilities and enable identity-based microsegmentation for securing hosts and containers in any cloud.
      (
      Optional
      ) To restrict to read-only access, select
      Read-only access to network security module
      .
  4. Click
    View Permissions
    to see the permissions associated with every permission group. Prisma Cloud Administrator Permissions displays what permissions each group has within Prisma Cloud.
  5. (
    Optional
    ) Restrict the ability dismiss or resolve alerts.
    If you would like to ensure that only the System Admin role can manage alerts associated with a policy defined by a system administrator, select
    Restrict alert dismissal
    . When enabled, an administrator with any other role such as Account Group Admin or Account and Cloud Provisioning Admin roles cannot dismiss or resolve alerts.
  6. (
    Optional
    ) Limit access the Prisma Cloud Compute capabilities only.
    If you would like to ensure that permissions for the role is restricted to the Compute tab and the ability to generate Access Keys on the Prisma Cloud console, select
    Only for Compute capabilities
    . When enabled, for the assigned role, an administrator does not have access to the rest of the Prisma Cloud console.
  7. (
    Optional
    ) Enable access to data collected from scanned Compute resources such as images, hosts, or containers.
    Select
    On-prem/Other cloud providers
    , if you would like to ensure that the roles—Account Group Admin, Account Group Read Only, and Account and Cloud Provisioning Admin—can view data sent from Prisma Cloud Defenders deployed on resources hosted on-premises or on cloud platforms deployed on private or public cloud platforms that are not being monitored by Prisma Cloud, such as on OpenShift, on-prem Kubernetes clusters, or AWS Fargate. When you enable this option, administrators who are assigned the role can view data collected from Defenders on the
    Compute
    tab.
  8. (
    Optional
    ) Select
    Resource Lists
    .
    If you would like to ensure that the roles—Account Group Admin, Account Group Read Only, Account and Cloud Provisioning Admin, and Build and Deploy Security—can view scan results sent from Prisma Cloud plugins on the
    DevOps Inventory
    , select the resource list from the drop-down. Users who are assigned the role can review scan results that match the tags specified in the resource lists.
  9. Select Account Groups that you want to associate with this role and click
    Save
    .

Recommended For You