Prisma Cloud Administrator Roles
Prisma Cloud roles define the type of access that an administrative user has.
A user on Prisma Cloud is someone who has been assigned administrative privileges, and a role defines the type of access that the administrator has on the service. When you define a role, you specify the permission group and the account groups or repositories that the administrator can manage or view. Prisma Cloud has the following permission groups built-in for administrators.
- System Admin—Full control (read/write permissions) to the service, and they can create, edit, or delete account groups or cloud accounts. Only System administrators have access to allSettingson Prisma Cloud and can view audit logs to analyze actions performed by other users who have been assigned administrative privileges.If you use the System Admin role withOnly for Compute capabilitiesenabled, the administrator only has full control (read/write permissions) to theComputetab and APIs on Prisma Cloud, and does not have access to the rest of Prisma Cloud capabilities.
- Account Group Admin—Read/write permissions for the cloud accounts and account groups to which they are granted access.An account group administrator can only view resources deployed within the cloud accounts to which they have access. Resources deployed on other cloud accounts that Prisma Cloud monitors are excluded from the search or investigation results.
- Account Group Read Only—Read only permissions to view designated sections of Prisma Cloud. This role does not have permissions to modify any settings.
- Account and Cloud Provisioning Admin—Combines the permissions for theAccount Group Adminand theCloud Provisioning Adminto enable an administrator who is responsible for a line of business. With this role, in addition to being able to onboard cloud accounts, the administrator can access the dashboard, manage the security policies, investigate issues, view alerts and compliance details for the designated accounts only.
- Cloud Provisioning Admin—Permissions to onboard and manage cloud accounts from Prisma Cloud and the APIs, and the ability to create and manage the account groups. With this role access is limited toandSettingsCloud Accountson the admin console.SettingsAccount Groups
- Build and Deploy Security—Restricted permissions to DevOps users who need access to a subset ofComputecapabilities and/or API access to run IDE, SCM and CI/CD plugins for Infrastructure as Code and image vulnerabilities scans. For example, the Build and Deploy Security role enables read-only permissions to review vulnerability and compliance scan reports onComputeand to manage and download utilities such as Defender images, plugins and twistcli.And if you use the Build and Deploy Security role withAccess key onlyenabled, the administrator can create one access key to use the Prisma Cloud Compute APIs.See Prisma Cloud Compute Roles for more details for the roles and associated permissions.
- Developer—Restricted permissions to developers or DevOps users who need access to a subset ofCode Securitycapabilities. With the exception of generating access keys, and viewing and fixing issues in IaC scan results onCode Security, it enables read-only permissions to view/update repository settings to which they have access, and view code security configuration.
Add Administrative Users On Prisma Cloud. You can .
View permissions
associated with each role on Settings
Roles
+Add New
You can also create custom Permission Groups to define least-privileged access to Prisma Cloud. This ensures that users only have the limited permissions required to accomplish the tasks aligned with their job responsibilities. For instance, you use custom Permission Groups to allow users to only view and export Prisma Cloud Audit Logs into a third-party system. Learn how to Create Custom Prisma Cloud Roles with granular role based access permissions.
Most Popular
Recommended For You
Recommended Videos
Recommended videos not found.
