Prisma Cloud Administrator Permissions
View a list of the access privileges associated with each Prisma Cloud role
The following tables list the access privileges associated with each role for different parts of the Prisma Cloud administrative console.
See Prisma Cloud Administrator Roles for details on how to create roles and assign access to account groups or repositories to designate what a user is allowed to view; details on permissions for Prisma Cloud Compute roles.
Roles that Enable Access to All Areas of the Prisma Cloud Administrative Console
PRISMA CLOUD ROLE | SYSTEM ADMIN | ACCOUNT GROUP ADMIN | CLOUD PROVISIONING ADMIN | ACCOUNT AND CLOUD PROVISIONING ADMIN | BUILD AND DEPLOY SECURITY | ACCOUNT GROUP READ ONLY | DEVELOPER |
---|---|---|---|---|---|---|---|
Dashboard | All accounts | Designated accounts | No | Designated accounts | No | Designated accounts | No |
Home | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
Inventory | All accounts | Designated accounts | No | Designated accounts | No | Designated accounts | No |
Save Asset filter(s) | All accounts | Designated accounts | No | Designated accounts | No | Designated Accounts | No |
Delete Asset Filter(s) | Yes | Users in this role | No | Users in this role | No | Users in this role | No |
Investigate | |||||||
Running Queries | All accounts | Designated accounts | No | Designated accounts | No | Designated accounts | No |
Save Searches | All accounts | Designated accounts | No | Designated accounts | No | Designated accounts | No |
Edit / Delete Saved Search | Yes | Users in this role | No | Users in this role | No | Users in this role | No |
Policies | |||||||
View Policy | Yes | Yes | No | Yes | No | Yes | No |
Create Policy | Yes | Yes | No | Yes | No | No | No |
Add/Edit CLI Remediation in Policy | Yes | No | No | No | No | No | No |
Edit / Delete / Disable Policy | Yes | Users in this role | No | Users in this role | No | No | No |
Compliance | |||||||
Compliance Dashboard | All accounts | Designated accounts | No | Designated accounts | No | Designated accounts | No |
Create / Edit Reports | All accounts | Designated accounts | No | Designated accounts | No | Designated accounts | No |
Download Reports | All accounts | Designated accounts | No | Designated accounts | No | Designated accounts | No |
Delete Reports | All accounts | Designated accounts | No | Designated accounts | No | Users in this role | No |
Create / Edit / Delete Compliance Standards | Yes | No | No | No | No | No | No |
View Compliance Standards | Yes | Yes | No | Yes | No | Yes | No |
Save Compliance Filter(s) | All accounts | Designated accounts | No | Designated accounts | No | Designated Accounts | No |
Delete Compliance Filter(s) | Yes | Users in this role | No | Users in this role | No | Users in this role | No |
Adoption Advisor | |||||||
Adoption Advisor Console | Yes | No | No | No | No | No | No |
Create / Edit Reports | Yes | No | No | No | No | No | No |
Download Reports | Yes | No | No | No | No | No | No |
Delete Reports | Yes | No | No | No | No | No | No |
Alerts | |||||||
View / Search Alerts | All accounts | Designated accounts | No | Designated accounts | No | Designated accounts | No |
Dismiss / Resolve / Snooze Alerts | All accounts | Designated accounts | No | Designated accounts | No | No | No |
Save Alert Filter(s) | All accounts | Designated accounts | No | Designated accounts | No | Designated Accounts | No |
Delete Alert Filter(s) | Yes | Users in this role | No | Users in this role | No | Users in this role | No |
Create Report | All accounts | Designated accounts | No | Designated accounts | No | Designated Accounts | No |
Download Reports | All accounts | Designated accounts | No | Designated accounts | No | Designated accounts | No |
Delete Reports | All accounts | Designated accounts | No | Designated accounts | No | Designated Accounts | No |
View Alert Rules | All accounts | Designated accounts | No | Designated accounts | No | Designated accounts | No |
Create / Edit / Delete / Disable Alert Rules | All accounts | Designated accounts | No | Designated accounts | No | No | No |
View Notification Templates | Yes | Yes | No | Yes | No | Yes | No |
Create / Edit / Delete Notification Templates | Yes | No | No | Yes | No | No | No |
Compute | Yes | Yes - Auditor | Yes - Defender Manager | Yes - Auditor | Yes - DevOps. Access to the APIs for running IDE, SCM, and CI plugins for IaC and Vuln scanning | Yes - DevSecOps User | No |
Radar | Yes | Yes read-only access to data relevant to the account in account group | No | Yes read-only access to data relevant to account in account group | No | Yes | No |
Defend | Yes | Yes read-only access to all data | No | Yes read-only access to all data | Defend Vulnerabilities/Compliance | Defend Vulnerabilities/Compliance | No |
Monitor | Yes | Yes read-only access to data relevant to account in account group | No | Yes read-only access to data relevant to account in account group | Monitor Vulnerabilities/Compliance but only CI tab under Images/Functions | Yes | No |
Manage | Yes | View All Logs, Defenders - Manage deployed to account group, Alerts - View, Collections and Tags - Read Only, Authentication - Read Only, System Utilities, such as the Jenkins Plugin and twistcli, path to console, and API token | Defenders - Manage current defenders and deploy new ones, Authentication - view user certificates, System Utilities, such as the Jenkins Plugin and twistcli, path to console, and API token | View All Logs, Defenders - Manage deployed to account group, Alerts - View, Collections and Tags - Read Only, Authentication - Read Only, System Utilities, such as the Jenkins Plugin and twistcli, path to console, and API token | System - Download Utilities, such as the Jenkins Plugin and twistcli, path to console, and API token | System Utilities, such as the Jenkins Plugin and twistcli, path to console, and API token | No |
Code Security | |||||||
View Scan Results in Projects, Development Pipelines, and Supply Chain Graph | All repositories | Designated repositories | No | Designated repositories | No | Designated repositories | Designated Repositories |
Suppress and Submit Changes to repositories | All repositories | Designated repositories | No | Designated repositories | No | No | No |
Fix and Submit Changes to repositories | All repositories | Designated repositories | No | Designated repositories | No | No | Yes |
View/Edit Filters | All repositories | Designated repositories | No | No | No | Designated repositories | Designated Repositories |
View Resource Details and Resource History | All repositories | Designated repositories | No | No | No | Designated repositories | Designated Repositories |
View Open in Git | All repositories | Designated repositories | No | No | No | Designated repositories | Designated Repositories |
View Merge PR | All repositories | Designated repositories | No | No | No | Designated repositories | Designated Repositories |
Development Pipelines: Projects and Code Reviews | All repositories | Designated repositories | Designated repositories | Designated repositories | No | No; Designated repositories for Code Reviews | No; Designated repositories for Code Reviews |
Enforcement: View and Add Exceptions | All repositories | All repositories | All repositories | Designated repositories | All repositories | All repositories | Designated repositories |
Edit Enforcement | All repositories | All repositories | All repositories | Designated repositories | No | No | No |
Supply Chain | All repositories | All repositories | All repositories | Designated repositories | No | No | Designated repositories |
Settings | |||||||
View Accounts | All accounts | Designated accounts | Designated accounts | Designated accounts | No | Designated accounts | No |
View Account Details | Yes | No | Yes | Yes | No | No | No |
Create / Edit / Delete / Disable Accounts | Yes | No | Yes | Yes | No | No | No |
View Account Groups | All accounts | Designated accounts | Designated accounts | Designated accounts | No | Designated accounts | No |
Create / Edit / Delete Account Groups | Yes | No | Yes | Yes | No | No | No |
Create / View / Edit / Delete User Roles | Yes | Read-only access to view the roles assigned for self | Read-only access to view the roles assigned for self | Read-only access to view the roles assigned for self | Read-only access to view the roles assigned for self | Read-only access to view the roles assigned for self | Read-only access to view the roles assigned for self |
Create / View / Edit / Delete / Disable Users | Yes | No | No | No | No | No | No |
Add/Activate/Deactivate/Delete Access Keys | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
View Repositories | Yes | Designated Repositories | No | Designated Repositories | No | Designated Repositories | Designated Repositories |
Add/Update Repositories | Yes | No | No | Yes | No | No | No |
Delete Repositories | Yes | No | No | Designated repositories | No | No | No |
Edit /Update Code Security Configuration | Yes | No | No | No | No | No | No |
View / Edit SSO Settings | Yes | No | No | No | No | No | No |
Create / View / Edit / Delete / Disable Integrations | Yes | No | No | No | No | No | No |
View/Edit Trusted IP Addresses | Yes | No | No | No | No | No | No |
View License Information and Credit Allocation | Yes | No | No | No | No | No | No |
View Prisma Cloud Audit Logs | Yes | No | No | No | No | No | No |
View/Edit Anomaly Settings > Alerts and Thresholds | Yes | No | No | No | No | No | No |
View/Edit Anomaly Settings > Anomaly Trusted List | Yes | Yes, can manage trusted list entries only for self | No | Yes, can manage trusted list entries only for self | No | No | No |
View/Edit Enterprise Settings | Yes | No | No | No | No | No | No |
Alarm Center | Yes | Yes | No | No | No | No | No |
Resource Lists | |||||||
Create Resource List | Yes | Yes, with the exception of Compute Access Group | No | Yes, with the exception of Compute Access Group | No | No | No |
Update Resource List | Yes | Yes, Designated Resource Lists | No | Yes, Designated Resource Lists | No | Yes, Designated Resource Lists | No |
Delete Resource List | Yes | No | No | No | No | No | No |
View Resource Lists | Yes | Yes, Designated Resource Lists | No | Yes, Designated Resource Lists | Yes, Designated Resource Lists | Yes, Designated Resource Lists | No |
Roles that Enable Compute Access Only
PRISMA CLOUD ROLE | SYSTEM ADMIN WITH COMPUTE ACCESS ONLY | ACCOUNT GROUP ADMIN WITH COMPUTE ACCESS ONLY | ACCOUNT AND CLOUD PROVISIONING ADMIN WITH COMPUTE ACCESS ONLY | ACCOUNT GROUP READ ONLY WITH COMPUTE ACCESS ONLY |
---|---|---|---|---|
Dashboard | No | No | No | No |
Home | Yes | Yes | Yes | Yes |
Inventory | No | No | No | No |
Save Asset filter(s) | No | No | No | No |
Delete Asset Filter(s) | No | No | No | No |
Investigate | No | No | No | No |
Policies | No | No | No | No |
Compliance | No | No | No | No |
Alerts | No | No | No | No |
Compute | Yes | Yes | Yes | Yes |
Radar | Yes | Yes read-only access to data relevant to the account in account group | Yes read-only access to data relevant to account in account group | Yes |
Defend | Yes | Yes read-only access to all data | Yes read-only access to all data | No |
Monitor | Yes | Yes read-only access to data relevant to account in account group | Yes read-only access to data relevant to account in account group | Yes |
Manage | Yes | View All Logs, Defenders - Manage deployed to account group, Alerts - View, Collections and Tags - Read Only, Authentication - Read Only, System - Downloads - Jenkins Plugin and twistcli | View All Logs, Defenders - Manage deployed to account group, Alerts - View, Collections and Tags - Read Only, Authentication - Read Only, System - Downloads - Jenkins Plugin and twistcli | Yes |
Code Security | No | No | No | No |
Settings | ||||
Create / View / Edit / Delete User Roles | Read-only access to view the roles assigned for self | Read-only access to view the roles assigned for self | Read-only access to view the roles assigned for self | Read-only access to view the roles assigned for self |
Add/Activate/Deactivate/Delete Access Keys | Yes. Can manage access keys for self | Yes. Can manage access keys for self | Yes. Can manage access keys for self | Yes. Can manage access keys for self |
Resource Lists | No | No | No | No |
Alarm Center | No | No | No | No |