Prisma Cloud Administrator Permissions
View a list of the access privileges associated with each Prisma Cloud role.
The following tables list the access privileges associated with each role for the different parts of the Prisma Cloud administrative console. Use them to pick the least-privileged role that still covers what a user needs to do; everything outside the System Admin column is scoped either to the account groups or repositories assigned to the role ("Designated") or to the user's own objects ("Users in this role").
See Prisma Cloud Administrator Roles for how to create roles and assign access to account groups or repositories, which determines what a user is allowed to view, and Prisma Cloud Compute Roles for the permissions associated with Compute roles.
Permission Groups that Enable Access to All Areas of the Prisma Cloud Administrative Console
PRISMA CLOUD ROLE | SYSTEM ADMIN | ACCOUNT GROUP ADMIN | CLOUD PROVISIONING ADMIN | ACCOUNT AND CLOUD PROVISIONING ADMIN | BUILD AND DEPLOY SECURITY | ACCOUNT GROUP READ ONLY | DEVELOPER |
---|---|---|---|---|---|---|---|
Dashboard | All accounts | Designated accounts | No | Designated accounts | No | Designated accounts | No |
Home | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
Inventory | All accounts | Designated accounts | No | Designated accounts | No | Designated accounts | No |
Save Asset Filter(s) | All accounts | Designated accounts | No | Designated accounts | No | Designated accounts | No |
Delete Asset Filter(s) | Yes | Users in this role | No | Users in this role | No | Users in this role | No |
Investigate | |||||||
Running Queries | All accounts | Designated accounts | No | Designated accounts | No | Designated accounts | No |
Save Searches | All accounts | Designated accounts | No | Designated accounts | No | Designated accounts | No |
Edit / Delete Saved Search | Yes | Users in this role | No | Users in this role | No | Users in this role | No |
Policies | |||||||
View Policy | Yes | Yes | No | Yes | No | Yes | No |
Create Policy | Yes | Yes | No | Yes | No | No | No |
Add/Edit CLI Remediation in Policy | Yes | No | No | No | No | No | No |
Edit / Delete / Disable Policy | Yes | Users in this role | No | Users in this role | No | No | No |
Compliance | |||||||
Compliance Dashboard | All accounts | Designated accounts | No | Designated accounts | No | Designated accounts | No |
Create / Edit Reports | All accounts | Designated accounts | No | Designated accounts | No | Designated accounts | No |
Download Reports | All accounts | Designated accounts | No | Designated accounts | No | Designated accounts | No |
Delete Reports | All accounts | Designated accounts | No | Designated accounts | No | Users in this role | No |
Create / Edit / Delete Compliance Standards | Yes | No | No | No | No | No | No |
View Compliance Standards | Yes | Yes | No | Yes | No | Yes | No |
Save Compliance Filter(s) | All accounts | Designated accounts | No | Designated accounts | No | Designated accounts | No |
Delete Compliance Filter(s) | Yes | Users in this role | No | Users in this role | No | Users in this role | No |
Adoption Advisor | |||||||
Adoption Advisor Console | Yes | No | No | No | No | No | No |
Create / Edit Reports | Yes | No | No | No | No | No | No |
Download Reports | Yes | No | No | No | No | No | No |
Delete Reports | Yes | No | No | No | No | No | No |
Alerts | |||||||
View / Search Alerts | All accounts | Designated accounts | No | Designated accounts | No | Designated accounts | No |
Dismiss / Resolve / Snooze Alerts | All accounts | Designated accounts | No | Designated accounts | No | No | No |
Save Alert Filter(s) | All accounts | Designated accounts | No | Designated accounts | No | Designated accounts | No |
Delete Alert Filter(s) | Yes | Users in this role | No | Users in this role | No | Users in this role | No |
Create Report | All accounts | Designated accounts | No | Designated accounts | No | Designated accounts | No |
Download Reports | All accounts | Designated accounts | No | Designated accounts | No | Designated accounts | No |
Delete Reports | All accounts | Designated accounts | No | Designated accounts | No | Designated accounts | No |
View Alert Rules | All accounts | Designated accounts | No | Designated accounts | No | Designated accounts | No |
Create / Edit / Delete / Disable Alert Rules | All accounts | Designated accounts | No | Designated accounts | No | No | No |
View Notification Templates | Yes | Yes | No | Yes | No | Yes | No |
Create / Edit / Delete Notification Templates | Yes | No | No | Yes | No | No | No |
Compute | Yes | Yes - Auditor | Yes - Defender Manager | Yes - Auditor | Yes - DevOps (access to the APIs for running IDE, SCM, and CI plugins for IaC and vulnerability scanning) | Yes - DevSecOps User | No |
Radar | Yes | Yes read-only access to data relevant to the account in account group | No | Yes read-only access to data relevant to account in account group | No | Yes | No |
Defend | Yes | Yes read-only access to all data | No | Yes read-only access to all data | Defend Vulnerabilities/Compliance | Defend Vulnerabilities/Compliance | No |
Monitor | Yes | Yes read-only access to data relevant to account in account group | No | Yes read-only access to data relevant to account in account group | Monitor Vulnerabilities/Compliance but only CI tab under Images/Functions | Yes | No |
Manage | Yes | View All Logs, Defenders - Manage deployed to account group, Alerts - View, Collections and Tags - Read Only, Authentication - Read Only, System Utilities, such as the Jenkins Plugin and twistcli, path to console, and API token | Defenders - Manage current defenders and deploy new ones, Authentication - view user certificates, System Utilities, such as the Jenkins Plugin and twistcli, path to console, and API token | View All Logs, Defenders - Manage deployed to account group, Alerts - View, Collections and Tags - Read Only, Authentication - Read Only, System Utilities, such as the Jenkins Plugin and twistcli, path to console, and API token | System - Download Utilities, such as the Jenkins Plugin and twistcli, path to console, and API token | System Utilities, such as the Jenkins Plugin and twistcli, path to console, and API token | No |
Application Security | |||||||
View Scan Results in Projects, Development Pipelines, and Supply Chain Graph | All repositories | Designated repositories | No | Designated repositories | No | Designated repositories | Designated repositories |
Suppress and Submit Changes to repositories | All repositories | Designated repositories | No | Designated repositories | No | No | No |
Fix and Submit Changes to repositories | All repositories | Designated repositories | No | Designated repositories | No | No | Yes |
View/Edit Filters | All repositories | Designated repositories | No | No | No | Designated repositories | Designated repositories |
View Resource Details and Resource History | All repositories | Designated repositories | No | No | No | Designated repositories | Designated repositories |
View Open in Git | All repositories | Designated repositories | No | No | No | Designated repositories | Designated repositories |
View Merge PR | All repositories | Designated repositories | No | No | No | Designated repositories | Designated repositories |
Development Pipelines / Projects and Code Reviews | All repositories | Designated repositories | Designated repositories | Designated repositories | No | No; Designated repositories for Code Reviews | No; Designated repositories for Code Reviews |
Enforcement: View and Add Exceptions | All repositories | All repositories | All repositories | Designated repositories | All repositories | All repositories | Designated repositories |
Edit Enforcement | All repositories | All repositories | All repositories | Designated repositories | No | No | No |
Supply Chain | All repositories | All repositories | All repositories | Designated repositories | No | No | Designated repositories |
Settings | |||||||
View Accounts | All accounts | Designated accounts | Designated accounts | Designated accounts | No | Designated accounts | No |
View Account Details | Yes | No | Yes | Yes | No | No | No |
Create / Edit / Delete / Disable Accounts | Yes | No | Yes | Yes | No | No | No |
View Account Groups | All accounts | Designated accounts | Designated accounts | Designated accounts | No | Designated accounts | No |
Create / Edit / Delete Account Groups | Yes | No | Yes | Yes | No | No | No |
Create / View / Edit / Delete User Roles | Yes | Read-only access to view the roles assigned for self | Read-only access to view the roles assigned for self | Read-only access to view the roles assigned for self | Read-only access to view the roles assigned for self | Read-only access to view the roles assigned for self | Read-only access to view the roles assigned for self |
Create / View / Edit / Delete / Disable Users | Yes | No | No | No | No | No | No |
Add/Activate/Deactivate/Delete Access Keys | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
View Repositories | Yes | Designated repositories | No | Designated repositories | No | Designated repositories | Designated repositories |
Add/Update Repositories | Yes | No | No | Yes | No | No | No |
Delete Repositories | Yes | No | No | Designated repositories | No | No | No |
Edit /Update Application Security Configuration | Yes | No | No | No | No | No | No |
View / Edit SSO Settings | Yes | No | No | No | No | No | No |
Create / View / Edit / Delete / Disable Integrations | Yes | No | No | No | No | No | No |
View/Edit Trusted IP Addresses | Yes | No | No | No | No | No | No |
View License Information and Credit Allocation | Yes | No | No | No | No | No | No |
View Prisma Cloud Audit Logs | Yes | No | No | No | No | No | No |
View/Edit Anomaly Settings > Alerts and Thresholds | Yes | No | No | No | No | No | No |
View/Edit Anomaly Settings > Anomaly Trusted List | Yes | Yes, can manage trusted list entries only for self | No | Yes, can manage trusted list entries only for self | No | No | No |
View/Edit Enterprise Settings | Yes | No | No | No | No | No | No |
Alarm Center | Yes | Yes | No | No | No | No | No |
Resource Lists | |||||||
Create Resource List | Yes | Yes, with the exception of Compute Access Group | No | Yes, with the exception of Compute Access Group | No | No | No |
Update Resource List | Yes | Yes, Designated Resource Lists | No | Yes, Designated Resource Lists | No | Yes, Designated Resource Lists | No |
Delete Resource List | Yes | No | No | No | No | No | No |
View Resource Lists | Yes | Yes, Designated Resource Lists | No | Yes, Designated Resource Lists | Yes, Designated Resource Lists | Yes, Designated Resource Lists | No |
Permission Groups that Enable Compute Access Only
PRISMA CLOUD ROLE | SYSTEM ADMIN WITH COMPUTE ACCESS ONLY | ACCOUNT GROUP ADMIN WITH COMPUTE ACCESS ONLY | ACCOUNT AND CLOUD PROVISIONING ADMIN WITH COMPUTE ACCESS ONLY | ACCOUNT GROUP READ ONLY WITH COMPUTE ACCESS ONLY |
---|---|---|---|---|
Dashboard | No | No | No | No |
Home | Yes | Yes | Yes | Yes |
Inventory | No | No | No | No |
Save Asset filter(s) | No | No | No | No |
Delete Asset Filter(s) | No | No | No | No |
Investigate | No | No | No | No |
Policies | No | No | No | No |
Compliance | No | No | No | No |
Alerts | No | No | No | No |
Compute | Yes | Yes | Yes | Yes |
Radar | Yes | Yes read-only access to data relevant to the account in account group | Yes read-only access to data relevant to account in account group | Yes |
Defend | Yes | Yes read-only access to all data | Yes read-only access to all data | No |
Monitor | Yes | Yes read-only access to data relevant to account in account group | Yes read-only access to data relevant to account in account group | Yes |
Manage | Yes | View All Logs, Defenders - Manage deployed to account group, Alerts - View, Collections and Tags - Read Only, Authentication - Read Only, System - Downloads - Jenkins Plugin and twistcli | View All Logs, Defenders - Manage deployed to account group, Alerts - View, Collections and Tags - Read Only, Authentication - Read Only, System - Downloads - Jenkins Plugin and twistcli | Yes |
Application Security | No | No | No | No |
Settings | ||||
Create / View / Edit / Delete User Roles | Read-only access to view the roles assigned for self | Read-only access to view the roles assigned for self | Read-only access to view the roles assigned for self | Read-only access to view the roles assigned for self |
Add/Activate/Deactivate/Delete Access Keys | Yes, can manage access keys for self | Yes, can manage access keys for self | Yes, can manage access keys for self | Yes, can manage access keys for self |
Resource Lists | No | No | No | No |
Alarm Center | No | No | No | No |
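The two matrices above are what you consult when deciding which role to hand out, and the mistake they guard against is granting System Admin because it is the only column with "Yes" everywhere. The script below is an added example, not code from the Prisma Cloud documentation or product: it encodes a subset of rows from the first table (same column order), ranks the cell values as an ordered scope (No < Users in this role/for self < Designated < All/Yes, which is an assumption made for ranking only), and then answers two questions a reviewer of role assignments asks: which role is the least-privileged one that still satisfies a list of required actions, and what a given role grants beyond that list, with the user/SSO/integration/remediation rows singled out as the ones that matter most. The action names and high-impact set are taken from the table; the `Scope` ordering and the footprint metric are this example's own.

```python
"""Least-privilege role selection over the Prisma Cloud permission matrix.
Added example; not code from the Prisma Cloud documentation or product."""
from enum import IntEnum


class Scope(IntEnum):
    # Assumed ordering of the table's cell values, used only to rank roles.
    NONE = 0        # "No"
    SELF = 1        # "Users in this role", "... for self"
    DESIGNATED = 2  # "Designated accounts" / "Designated repositories"
    ALL = 3         # "Yes", "All accounts", "All repositories"


# Column order of the first table on this page.
ROLES = [
    "System Admin", "Account Group Admin", "Cloud Provisioning Admin",
    "Account and Cloud Provisioning Admin", "Build and Deploy Security",
    "Account Group Read Only", "Developer",
]

# Rows copied from the first table above (a subset, same column order as ROLES).
MATRIX_ROWS = """
View / Search Alerts | All accounts | Designated accounts | No | Designated accounts | No | Designated accounts | No
Dismiss / Resolve / Snooze Alerts | All accounts | Designated accounts | No | Designated accounts | No | No | No
Create Policy | Yes | Yes | No | Yes | No | No | No
Add/Edit CLI Remediation in Policy | Yes | No | No | No | No | No | No
View Accounts | All accounts | Designated accounts | Designated accounts | Designated accounts | No | Designated accounts | No
Create / Edit / Delete / Disable Accounts | Yes | No | Yes | Yes | No | No | No
Create / View / Edit / Delete / Disable Users | Yes | No | No | No | No | No | No
View / Edit SSO Settings | Yes | No | No | No | No | No | No
Create / View / Edit / Delete / Disable Integrations | Yes | No | No | No | No | No | No
View Prisma Cloud Audit Logs | Yes | No | No | No | No | No | No
View Scan Results in Projects, Development Pipelines, and Supply Chain Graph | All repositories | Designated repositories | No | Designated repositories | No | Designated repositories | Designated repositories
"""

# Rows that let a holder change who can log in, what they can do, or where
# alert data flows; flag these whenever a role grants them without need.
HIGH_IMPACT = {
    "Create / View / Edit / Delete / Disable Users",
    "View / Edit SSO Settings",
    "Create / View / Edit / Delete / Disable Integrations",
    "Add/Edit CLI Remediation in Policy",
}


def parse_cell(cell: str) -> Scope:
    """Map one table cell to a Scope."""
    c = cell.strip().lower()
    if c == "no":
        return Scope.NONE
    if "self" in c or "users in this role" in c:
        return Scope.SELF
    if c.startswith("designated"):
        return Scope.DESIGNATED
    if c.startswith("yes") or c.startswith("all"):
        return Scope.ALL
    raise ValueError(f"unrecognised cell: {cell!r}")


def parse_matrix(text: str, roles: list[str]) -> dict[str, dict[str, Scope]]:
    """Parse pipe-separated rows (trailing '|' tolerated) into {action: {role: Scope}}."""
    matrix: dict[str, dict[str, Scope]] = {}
    for line in text.strip().splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        action, values = cells[0], cells[1:]
        if len(values) != len(roles):
            raise ValueError(f"{action!r}: {len(values)} cells, expected {len(roles)}")
        matrix[action] = dict(zip(roles, map(parse_cell, values)))
    return matrix


MATRIX = parse_matrix(MATRIX_ROWS, ROLES)


def roles_satisfying(matrix, required: dict[str, Scope]) -> list[str]:
    """Roles whose grant for every required action is at least the required scope."""
    missing = set(required) - set(matrix)
    if missing:
        raise KeyError(f"actions not in matrix: {sorted(missing)}")
    if not matrix:
        return []
    roles = next(iter(matrix.values())).keys()
    return [r for r in roles if all(matrix[a][r] >= s for a, s in required.items())]


def footprint(matrix, role: str) -> int:
    """Total privilege a role carries across every row of the matrix."""
    return sum(int(row[role]) for row in matrix.values())


def least_privileged(matrix, required: dict[str, Scope]) -> list[str]:
    """Among the roles that satisfy `required`, those with the smallest footprint."""
    candidates = roles_satisfying(matrix, required)
    if not candidates:
        return []
    best = min(footprint(matrix, r) for r in candidates)
    return [r for r in candidates if footprint(matrix, r) == best]


def excess_permissions(matrix, role: str, required: dict[str, Scope]) -> list[str]:
    """Actions where `role` grants more than `required` asks for."""
    return [a for a, row in matrix.items() if row[role] > required.get(a, Scope.NONE)]


def high_impact_excess(matrix, role: str, required: dict[str, Scope]) -> list[str]:
    """The part of the excess that touches users, SSO, integrations or remediation."""
    return [a for a in excess_permissions(matrix, role, required) if a in HIGH_IMPACT]


if __name__ == "__main__":
    # A SOC analyst who only triages alerts for their own account groups.
    need = {"View / Search Alerts": Scope.DESIGNATED,
            "Dismiss / Resolve / Snooze Alerts": Scope.DESIGNATED}
    print("least privileged:", least_privileged(MATRIX, need))
    print("high-impact excess if given System Admin:",
          high_impact_excess(MATRIX, "System Admin", need))
```

For the alert-triage analyst in the `__main__` block the answer is Account Group Admin, not System Admin, and the high-impact list shows exactly why the latter would be over-provisioned: user management, SSO settings, integrations and CLI remediation all come with it. The same parser handles the compute-only table if you pass its four column names as `roles`; the rows there that break across cells ("Yes, can manage access keys for self") still classify as `SELF` because the check for "self" runs before the "Yes" check.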