Prisma Cloud Administrator Permissions
View a list of the access privileges associated with
each Prisma Cloud role
The following tables provides a list
of the access privileges associated with each role for different
parts of the Prisma Cloud administrative console.
See Prisma Cloud Administrator Roles for details
on how to create roles and assign access to account groups or repositories
to
designate
what a user is allowed to view; details on permissions
for Prisma Cloud Compute roles.Roles that enable
access to all areas of the Prisma Cloud administrative console
Compute Role Prisma Cloud Role | Sys Admin System Admin | Auditor Account Group Admin | Defender Manager Cloud Provisioning Admin | Auditor Account and Cloud Provisioning Admin | DevOps Build and Deploy Security | CI Build and Deploy Security | DevSecOps Account Group Read Only | DevOps Developer |
---|---|---|---|---|---|---|---|---|
Dashboard | All accounts | Designated accounts | No | Designated accounts | No | No | Designated accounts | No |
Inventory | All accounts | Designated accounts | No | Designated accounts | No | No | Designated accounts | No |
Save Asset filter(s) | All accounts | Designated accounts | No | Designated accounts | No | No | Designated Accounts | No |
Delete Asset Filter(s) | Yes | Users in this role | No | Users in this role | No | No | Users in this role | No |
Investigate | ||||||||
Running Queries | All accounts | Designated accounts | No | Designated accounts | No | No | Designated accounts | No |
Save Searches | All accounts | Designated accounts | No | Designated accounts | No | No | Designated accounts | No |
Edit / Delete Saved Search | Yes | Users in this role | No | Users in this role | No | No | Users in this role | No |
Policies | ||||||||
View Policy | Yes | Yes | No | Yes | No | No | Yes | No |
Create Policy | Yes | Yes | No | Yes | No | No | No | No |
Add/Edit CLI Remediation in Policy | Yes | No | No | No | No | No | No | No |
Edit / Delete / Disable Policy | Yes | Users in this role | No | Users in this role | No | No | No | No |
Compliance | ||||||||
Compliance Dashboard | All accounts | Designated accounts | No | Designated accounts | No | No | Designated accounts | No |
Create / Edit Reports | All accounts | Designated accounts | No | Designated accounts | No | No | Designated accounts | No |
Download Reports | All accounts | Designated accounts | No | Designated accounts | No | No | Designated accounts | No |
Delete Reports | All accounts | Designated accounts | No | Designated accounts | No | No | Users in this role | No |
Create / Edit / Delete Compliance Standards | Yes | No | No | No | No | No | No | No |
View Compliance Standards | Yes | Yes | No | Yes | No | No | Yes | No |
Save Compliance Filter(s) | All accounts | Designated accounts | No | Designated accounts | No | No | Designated Accounts | No |
Delete Compliance Filter(s) | Yes | Users in this role | No | Users in this role | No | No | Users in this role | No |
Alerts | ||||||||
View / Search Alerts | All accounts | Designated accounts | No | Designated accounts | No | No | Designated accounts | No |
Dismiss / Resolve / Snooze Alerts | All accounts | Designated accounts | No | Designated accounts | No | No | No | No |
Save Alert Filter(s) | All accounts | Designated accounts | No | Designated accounts | No | No | Designated Accounts | No |
Delete Alert Filter(s) | Yes | Users in this role | No | Users in this role | No | No | Users in this role | No |
Create Report | All accounts | Designated accounts | No | Designated accounts | No | No | Designated Accounts | No |
Download Reports | All accounts | Designated accounts | No | Designated accounts | No | No | Designated accounts | No |
Delete Reports | All accounts | Designated accounts | No | Designated accounts | No | No | Designated Accounts | No |
View Alert Rules | All accounts | Designated accounts | No | Designated accounts | No | No | Designated accounts | No |
Create / Edit / Delete / Disable Alert Rules | All accounts | Designated accounts | No | Designated accounts | No | No | No | No |
View Notification Templates | Yes | Yes | No | Yes | No | No | Yes | No |
Create / Edit / Delete Notification Templates | Yes | No | No | Yes | No | No | No | No |
Compute | Yes | Yes - Auditor | Yes - Defender Manager | Yes - Auditor | Yes - DevOps | No Access to the APIs for running IDE, SCM, and
CI plugins for IaC and Vuln scanning | Yes- DevSecOps User | No |
Radar | Yes | Yes read-only access to data relevant to the account in account group | No | Yes read-only access to data relevant to account in account group | No | No | Yes | No |
Defend | Yes | Yes read-only access to all data | No | Yes read-only access to all data | Defend Vulnerabilities/Compliance | No | Defend Vulnerabilities/Compliance | No |
Monitor | Yes | Yes read-only access to data relevant to account in account group | No | Yes read-only access to data relevant to account in account group | Monitor Vulnerabilities/Compliance but only
CI tab under Images/Functions | No | Yes | No |
Manage | Yes | View All Logs, Defenders - Manage deployed
to account group, Alerts - View, Collections and Tags - Read Only, Authentication
- Read Only, System Utilities, such as the Jenkins Plugin and twistcli, path
to console, and API token | Defenders - Manage current defenders and deploy new ones, Authentication
- view user certificates, System Utilities, such as the Jenkins Plugin and twistcli, path
to console, and API token | View All Logs, Defenders - Manage deployed
to account group, Alerts - View, Collections and Tags - Read Only, Authentication
- Read Only, System Utilities, such as the Jenkins Plugin and twistcli, path
to console, and API token | System - Download Utilities, such as the Jenkins Plugin and twistcli, path
to console, and API token | No | System Utilities, such as the Jenkins Plugin and twistcli, path
to console, and API token | No |
Code Security | ||||||||
View Scan Results | All repositories | All repositories | No | Designated repositories | No | No | Designated repositories | Designated Repositories |
Suppress and Submit Changes to repositories | All repositories | All repositories | No | Designated repositories | No | No | No | No |
Fix and Submit Changes to repositories | All repositories | All repositories | No | Designated repositories | No | No | No | Yes |
View/Edit Filters | All repositories | All repositories | No | No | No | No | Designated repositories | Designated Repositories |
View Resource Details and Resource History | All repositories | All repositories | No | No | No | No | Designated repositories | Designated Repositories |
View Open in Git | All repositories | All repositories | No | No | No | No | Designated repositories | Designated Repositories |
View Merge PR | All repositories | Designated repositories | No | No | No | No | Designated repositories | Designated Repositories |
Settings | ||||||||
View Accounts | All accounts | Designated accounts | Designated accounts | Designated accounts | No | No | Designated accounts | No |
View Account Details | Yes | No | Yes | Yes | No | No | No | No |
Create / Edit / Delete / Disable Accounts | Yes | No | Yes | Yes | No | No | No | No |
View Account Groups | All accounts | Designated accounts | Designated accounts | Designated accounts | No | No | Designated accounts | No |
Create / Edit / Delete Account Groups | Yes | No | Yes | Yes | No | No | No | No |
Create / View / Edit / Delete User Roles | Yes | Read-only access to view the roles assigned for
self | Read-only access to view the roles assigned for
self | Read-only access to view the roles assigned for
self | Read-only access to view the roles assigned for
self | Read-only access to view the roles assigned for
self | Read-only access to view the roles assigned for
self | Read-only access to view the roles assigned for
self |
Create / View / Edit / Delete / Disable Users | Yes | No | No | No | No | No | No | No |
Add/Activate/Deactivate/Delete Access Keys | Yes; Can manage access keys for other roles also. | Yes Can manage access keys for self | Yes Can manage access keys for self | Yes Can manage access keys for self | Yes Can manage one access key for self | Yes Can manage one access key for self | Yes Can manage one access key for self | Yes Can manage one access key for self |
Add/Update Repositories | Yes | No | No | Yes | No | No | No | No |
Delete Repositories | Yes | No | No | Designated repositories | No | No | No | No |
Edit /Update Code Security Configuration | Yes | No | No | No | No | No | No | No |
View / Edit SSO Settings | Yes | No | No | No | No | No | No | No |
Create / View / Edit / Delete / Disable Integrations | Yes | No | No | No | No | No | No | No |
View/Edit Trusted IP Addresses | Yes | No | No | No | No | No | No | No |
View Licensing Info | Yes | No | No | No | No | No | No | No |
View Prisma Cloud Audit Logs | Yes | No | No | No | No | No | No | No |
View/Edit Anomaly Settings > Alerts and Thresholds | Yes | No | No | No | No | No | No | No |
View/Edit Anomaly Settings > Anomaly Trusted List | Yes | Yes Can manage trusted list entries only
for self | No | Yes Can manage trusted list entries only
for self | No | No | No | No |
View/Edit Enterprise Settings | Yes | No | No | No | No | No | No | No |
Resource Lists | ||||||||
Create Resource List | Yes | Yes, with the exception of Compute Access Group | No | Yes, with the exception of Compute Access Group | No | No | No | No |
Update Resource List | Yes | Yes, Designated Resource Lists | No | Yes, Designated Resource Lists | No | No | Yes, Designated Resource Lists | No |
Delete Resource List | Yes | No | No | No | No | No | No | No |
View Resource Lists | Yes | Yes, Designated Resource Lists | No | Yes, Designated Resource Lists | Yes, Designated Resource Lists | No | Yes, Designated Resource Lists | No |
Roles that enable
Compute Access only
Compute Role Prisma Cloud Role | System Admin (Only allow compute access) System Admin
with Compute Access Only | Auditor Account Group Admin with Compute Access Only | Auditor Account and Cloud Provisioning Admin
with Compute Access Only | DevSecOps Account Group Read only
with Compute Access only |
---|---|---|---|---|
Dashboard | No | No | No | No |
Inventory | No | No | No | No |
Save Asset filter(s) | No | No | No | No |
Delete Asset Filter(s) | No | No | No | No |
Investigate | ||||
Running Queries | No | No | No | No |
Save Searches | No | No | No | No |
Edit / Delete Saved Search | No | No | No | No |
Policies | ||||
View Policy | No | No | No | No |
Create Policy | No | No | No | No |
Add/Edit CLI Remediation in Policy | No | No | No | No |
Edit / Delete / Disable Policy | No | No | No | No |
Compliance | ||||
Compliance Dashboard | No | No | No | No |
Create / Edit Reports | No | No | No | No |
Download Reports | No | No | No | No |
Delete Reports | No | No | No | No |
Create / Edit / Delete Compliance Standards | No | No | No | No |
View Compliance Standards | No | No | No | No |
Save Compliance Filter(s) | No | No | No | No |
Delete Compliance Filter(s) | No | No | No | No |
Alerts | ||||
View / Search Alerts | No | No | No | No |
Dismiss / Resolve / Snooze Alerts | No | No | No | No |
Save Alert Filter(s) | No | No | No | No |
Delete Alert Filter(s) | No | No | No | No |
Create Report | No | No | No | No |
Download Reports | No | No | No | No |
Delete Reports | No | No | No | No |
View Alert Rules | No | No | No | No |
Create / Edit / Delete / Disable Alert Rules | No | No | No | No |
View Notification Templates | No | No | No | No |
Create / Edit / Delete Notification Templates | No | No | No | No |
Compute | Yes | Yes - Auditor | Yes - Auditor | Yes- DevSecOps User |
Radar | Yes | Yes read-only access to data relevant to the account
in account group | Yes read-only access to data relevant to account
in account group | Yes |
Defend | Yes | Yes read-only access to all data | Yes read-only access to all data | No |
Monitor | Yes | Yes read-only access to data relevant to account
in account group | Yes read-only access to data relevant to account
in account group | Yes |
Manage | Yes | View All Logs, Defenders - Manage deployed to
account group, Alerts - View, Collections and Tags - Read Only, Authentication
- Read Only, System - Downloads - Jenkins Plugin and twistcli | View All Logs, Defenders - Manage deployed to
account group, Alerts - View, Collections and Tags - Read Only, Authentication
- Read Only, System - Downloads - Jenkins Plugin and twistcli, path to
console | Yes |
Settings | ||||
View Accounts | No | No | No | No |
View Account Details | No | No | No | No |
Create / Edit / Delete / Disable Accounts | No | No | No | No |
View Account Groups | No | No | No | No |
Create / Edit / Delete Account Groups | No | No | No | No |
Create / View / Edit / Delete User Roles | Read-only access to view the roles assigned
for self | Read-only access to view the roles assigned
for self | Read-only access to view the roles assigned
for self | Read-only access to view the roles assigned
for self |
Create / View / Edit / Delete / Disable Users | No | No | No | No |
Add/Activate/Deactivate/Delete Access Keys | Yes Can manage access keys for self | Yes Can manage access keys for self | Yes Can manage access keys for self | Yes Can manage access keys for self |
View / Edit SSO Settings | No | No | No | No |
Create / View / Edit / Delete / Disable Integrations | No | No | No | No |
View/Edit Trusted IP Addresses | No | No | No | No |
View Licensing Info | No | No | No | No |
View Prisma Cloud Audit Logs | No | No | No | No |
View/Edit Anomaly Settings | No | No | No | No |
View/Edit Enterprise Settings | No | No | No | No |
Resource Lists | ||||
Create Resource List | No | No | No | No |
Update Resource List | No | No | No | No |
Delete Resource List | No | No | No | No |
View Resource Lists | No | No | No | No |
Recommended For You
Recommended Videos
Recommended videos not found.