Document:Prisma™ Cloud Administrator's Guide

Prisma Cloud Administrator Permissions

Filter

Prisma Cloud Administrator Permissions

View a list of the access privileges associated with each Prisma Cloud role

The following tables provides a list of the access privileges associated with each role for different parts of the Prisma Cloud administrative console.

Roles that Enable Access to All Areas of the Prisma Cloud Administrative Console

Roles that Enable Compute Access Only

See Prisma Cloud Administrator Roles for details on how to create roles and assign access to account groups or repositories to designate what a user is allowed to view; details on permissions for Prisma Cloud Compute roles.

Roles that Enable Access to All Areas of the Prisma Cloud Administrative Console

PRISMA CLOUD ROLE	SYSTEM ADMIN	ACCOUNT GROUP ADMIN	CLOUD PROVISIONING ADMIN	ACCOUNT AND CLOUD PROVISIONING ADMIN	BUILD AND DEPLOY SECURITY	BUILD AND DEPLOY SECURITY	ACCOUNT GROUP READ ONLY	DEVELOPER
Dashboard	All accounts	Designated accounts	No	Designated accounts	No	No	Designated accounts	No
Inventory	All accounts	Designated accounts	No	Designated accounts	No	No	Designated accounts	No
Save Asset filter(s)	All accounts	Designated accounts	No	Designated accounts	No	No	Designated Accounts	No
Delete Asset Filter(s)	Yes	Users in this role	No	Users in this role	No	No	Users in this role	No
Investigate
Running Queries	All accounts	Designated accounts	No	Designated accounts	No	No	Designated accounts	No
Save Searches	All accounts	Designated accounts	No	Designated accounts	No	No	Designated accounts	No
Edit / Delete Saved Search	Yes	Users in this role	No	Users in this role	No	No	Users in this role	No
Policies
View Policy	Yes	Yes	No	Yes	No	No	Yes	No
Create Policy	Yes	Yes	No	Yes	No	No	No	No
Add/Edit CLI Remediation in Policy	Yes	No	No	No	No	No	No	No
Edit / Delete / Disable Policy	Yes	Users in this role	No	Users in this role	No	No	No	No
Compliance
Compliance Dashboard	All accounts	Designated accounts	No	Designated accounts	No	No	Designated accounts	No
Create / Edit Reports	All accounts	Designated accounts	No	Designated accounts	No	No	Designated accounts	No
Download Reports	All accounts	Designated accounts	No	Designated accounts	No	No	Designated accounts	No
Delete Reports	All accounts	Designated accounts	No	Designated accounts	No	No	Users in this role	No
Create / Edit / Delete Compliance Standards	Yes	No	No	No	No	No	No	No
View Compliance Standards	Yes	Yes	No	Yes	No	No	Yes	No
Save Compliance Filter(s)	All accounts	Designated accounts	No	Designated accounts	No	No	Designated Accounts	No
Delete Compliance Filter(s)	Yes	Users in this role	No	Users in this role	No	No	Users in this role	No
Adoption Advisor
Adoption Advisor Console	Yes	No	No	No	No	No	No	No
Create / Edit Reports	Yes	No	No	No	No	No	No	No
Download Reports	Yes	No	No	No	No	No	No	No
Delete Reports	Yes	No	No	No	No	No	No	No
Alerts
View / Search Alerts	All accounts	Designated accounts	No	Designated accounts	No	No	Designated accounts	No
Dismiss / Resolve / Snooze Alerts	All accounts	Designated accounts	No	Designated accounts	No	No	No	No
Save Alert Filter(s)	All accounts	Designated accounts	No	Designated accounts	No	No	Designated Accounts	No
Delete Alert Filter(s)	Yes	Users in this role	No	Users in this role	No	No	Users in this role	No
Create Report	All accounts	Designated accounts	No	Designated accounts	No	No	Designated Accounts	No
Download Reports	All accounts	Designated accounts	No	Designated accounts	No	No	Designated accounts	No
Delete Reports	All accounts	Designated accounts	No	Designated accounts	No	No	Designated Accounts	No
View Alert Rules	All accounts	Designated accounts	No	Designated accounts	No	No	Designated accounts	No
Create / Edit / Delete / Disable Alert Rules	All accounts	Designated accounts	No	Designated accounts	No	No	No	No
View Notification Templates	Yes	Yes	No	Yes	No	No	Yes	No
Create / Edit / Delete Notification Templates	Yes	No	No	Yes	No	No	No	No
Compute	Yes	Yes - Auditor	Yes - Defender Manager	Yes - Auditor	Yes - DevOps	No Access to the APIs for running IDE, SCM, and CI plugins for IaC and Vuln scanning	Yes- DevSecOps User	No
Radar	Yes	Yes read-only access to data relevant to the account in account group	No	Yes read-only access to data relevant to account in account group	No	No	Yes	No
Defend	Yes	Yes read-only access to all data	No	Yes read-only access to all data	Defend Vulnerabilities/Compliance	No	Defend Vulnerabilities/Compliance	No
Monitor	Yes	Yes read-only access to data relevant to account in account group	No	Yes read-only access to data relevant to account in account group	Monitor Vulnerabilities/Compliance but only CI tab under Images/Functions	No	Yes	No
Manage	Yes	View All Logs, Defenders - Manage deployed to account group, Alerts - View, Collections and Tags - Read Only, Authentication - Read Only, System Utilities, such as the Jenkins Plugin and twistcli, path to console, and API token	Defenders - Manage current defenders and deploy new ones, Authentication - view user certificates, System Utilities, such as the Jenkins Plugin and twistcli, path to console, and API token	View All Logs, Defenders - Manage deployed to account group, Alerts - View, Collections and Tags - Read Only, Authentication - Read Only, System Utilities, such as the Jenkins Plugin and twistcli, path to console, and API token	System - Download Utilities, such as the Jenkins Plugin and twistcli, path to console, and API token	No	System Utilities, such as the Jenkins Plugin and twistcli, path to console, and API token	No
Code Security
View Scan Results in Projects, Development Pipelines, and Supply Chain Graph	All repositories	Designated repositories	No	Designated repositories	No	No	Designated repositories	Designated Repositories
Suppress and Submit Changes to repositories	All repositories	Designated repositories	No	Designated repositories	No	No	No	No
Fix and Submit Changes to repositories	All repositories	Designated repositories	No	Designated repositories	No	No	No	Yes
View/Edit Filters	All repositories	Designated repositories	No	No	No	No	Designated repositories	Designated Repositories
View Resource Details and Resource History	All repositories	Designated repositories	No	No	No	No	Designated repositories	Designated Repositories
View Open in Git	All repositories	Designated repositories	No	No	No	No	Designated repositories	Designated Repositories
View Merge PR	All repositories	Designated repositories	No	No	No	No	Designated repositories	Designated Repositories
Development PipelinesProjects and Code Reviews	All repositories	Designated repositories	Designated repositories	Designated repositories	No	No	NoDesignated repositories for Code Reviews	NoDesignated repositories for Code Reviews
EnforcementView and Add Exceptions	All repositories	All repositories	All repositories	Designated repositories	All repositories	All repositories	All repositories	Designated repositories
Edit Enforcement	All repositories	All repositories	All repositories	Designated repositories	No	No	No	No
Supply Chain	All repositories	All repositories	All repositories	Designated repositories	No	No	No	Designated repositories
Settings
View Accounts	All accounts	Designated accounts	Designated accounts	Designated accounts	No	No	Designated accounts	No
View Account Details	Yes	No	Yes	Yes	No	No	No	No
Create / Edit / Delete / Disable Accounts	Yes	No	Yes	Yes	No	No	No	No
View Account Groups	All accounts	Designated accounts	Designated accounts	Designated accounts	No	No	Designated accounts	No
Create / Edit / Delete Account Groups	Yes	No	Yes	Yes	No	No	No	No
Create / View / Edit / Delete User Roles	Yes	Read-only access to view the roles assigned for self	Read-only access to view the roles assigned for self	Read-only access to view the roles assigned for self	Read-only access to view the roles assigned for self	Read-only access to view the roles assigned for self	Read-only access to view the roles assigned for self	Read-only access to view the roles assigned for self
Create / View / Edit / Delete / Disable Users	Yes	No	No	No	No	No	No	No
Add/Activate/Deactivate/Delete Access Keys	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes
View Repositories	Yes	Designated Repositories	No	Designated Repositories	No	No	Designated Repositories	Designated Repositories
Add/Update Repositories	Yes	No	No	Yes	No	No	No	No
Delete Repositories	Yes	No	No	Designated repositories	No	No	No	No
Edit /Update Code Security Configuration	Yes	No	No	No	No	No	No	No
View / Edit SSO Settings	Yes	No	No	No	No	No	No	No
Create / View / Edit / Delete / Disable Integrations	Yes	No	No	No	No	No	No	No
View/Edit Trusted IP Addresses	Yes	No	No	No	No	No	No	No
View Licensing Info	Yes	No	No	No	No	No	No	No
View Prisma Cloud Audit Logs	Yes	No	No	No	No	No	No	No
View/Edit Anomaly Settings > Alerts and Thresholds	Yes	No	No	No	No	No	No	No
View/Edit Anomaly Settings > Anomaly Trusted List	Yes	Yes, can manage trusted list entries only for self	No	Yes, can manage trusted list entries only for self	No	No	No	No
View/Edit Enterprise Settings	Yes	No	No	No	No	No	No	No
Resource Lists
Create Resource List	Yes	Yes, with the exception of Compute Access Group	No	Yes, with the exception of Compute Access Group	No	No	No	No
Update Resource List	Yes	Yes, Designated Resource Lists	No	Yes, Designated Resource Lists	No	No	Yes, Designated Resource Lists	No
Delete Resource List	Yes	No	No	No	No	No	No	No
View Resource Lists	Yes	Yes, Designated Resource Lists	No	Yes, Designated Resource Lists	Yes, Designated Resource Lists	No	Yes, Designated Resource Lists	No

Roles that Enable Compute Access Only

PRISMA CLOUD ROLE	SYSTEM ADMIN WITH COMPUTE ACCESS ONLY	ACCOUNT GROUP ADMIN WITH COMPUTE ACCESS ONLY	ACCOUNT AND CLOUD PROVISIONING ADMIN WITH COMPUTE ACCESS ONLY	ACCOUNT GROUP READ ONLY WITH COMPUTE ACCESS ONLY
Dashboard	No	No	No	No
Inventory	No	No	No	No
Save Asset filter(s)	No	No	No	No
Delete Asset Filter(s)	No	No	No	No
Investigate	No	No	No	No
Policies	No	No	No	No
Compliance	No	No	No	No
Alerts	No	No	No	No
Compute	Yes	Yes	Yes	Yes
Radar	Yes	Yes read-only access to data relevant to the account in account group	Yes read-only access to data relevant to account in account group	Yes
Defend	Yes	Yes read-only access to all data	Yes read-only access to all data	No
Monitor	Yes	Yes read-only access to data relevant to account in account group	Yes read-only access to data relevant to account in account group	Yes
Manage	Yes	View All Logs, Defenders - Manage deployed to account group, Alerts - View, Collections and Tags - Read Only, Authentication - Read Only, System - Downloads - Jenkins Plugin and twistcli	View All Logs, Defenders - Manage deployed to account group, Alerts - View, Collections and Tags - Read Only, Authentication - Read Only, System - Downloads - Jenkins Plugin and twistcli	Yes
Code Security	No	No	No	No
Settings
Create / View / Edit / Delete User Roles	Read-only access to view the roles assigned for self	Read-only access to view the roles assigned for self	Read-only access to view the roles assigned for self	Read-only access to view the roles assigned for self

Add/Activate/Deactivate/Delete Access Keys	Yes Can manage access keys for self	Yes Can manage access keys for self	Yes Can manage access keys for self	Yes Can manage access keys for self
Resource Lists	No	No	No	No

Document:Prisma™ Cloud Administrator's Guide

Prisma Cloud Administrator Permissions

Table of Contents

Prisma Cloud Administrator Permissions

Roles that Enable Access to All Areas of the Prisma Cloud Administrative Console

Roles that Enable Compute Access Only

Most Popular

Recommended For You

Document:Prisma™ Cloud Administrator's Guide

Prisma Cloud Administrator Permissions

Table of Contents

Prisma Cloud Administrator Permissions

Roles that Enable Access to All Areas of the Prisma Cloud Administrative Console

Roles that Enable Compute Access Only

Most Popular

Recommended For You

Recommended Videos