Prisma Cloud roles define the type of access that an
administrative user has.
on Prisma Cloud is someone
who has been assigned administrative privileges, and a
the type of access that the administrator has on the service. When
you define a role, you specify the
account groups that the administrator can manage. Prisma Cloud has
the following built-in permission groups for administrators.
System Admin—Full control (read/write permissions) to
the service, and they can create, edit, or delete account groups
or cloud accounts. Only System administrators have access to all
Prisma Cloud and can view audit logs to analyze actions performed
by other users who have been assigned administrative privileges.
you use the System Admin role with
Only for Compute capabilities
the administrator only has full control (read/write permissions)
tab and APIs on Prisma Cloud, and
does not have access to the rest of Prisma Cloud capabilities.
Account Group Admin—Read/write permissions for the cloud
accounts and account groups to which they are granted access.
An account group administrator can only view resources deployed within
the cloud accounts to which they have access. Resources deployed
on other cloud accounts that Prisma Cloud monitors are excluded
from the search or investigation results.
Account Group Read Only—Read-only permissions to view designated
sections of Prisma Cloud. This role does not have permissions to
modify any settings.
Account and Cloud Provisioning Admin—Combines the permissions
Account Group Admin
to enable an administrator who is responsible for a line
of business. With this role, in addition to being able to onboard
cloud accounts, the administrator can access the dashboard, manage
the security policies, investigate issues, view alerts and compliance
details for the designated accounts only.
Cloud Provisioning Admin—Permissions to onboard and manage
cloud accounts from Prisma Cloud and the APIs, and the ability to
create and manage the account groups. With this role access is limited
the admin console.
Build and Deploy Security—Restricted permissions to DevOps
users who need access to a subset of
and/or API access to run IDE, SCM and CI/CD plugins for Infrastructure
as Code and image vulnerability scans. For example, the Build
and Deploy Security role enables read-only permissions to review
vulnerability and compliance scan reports on
to manage and download utilities such as Defender images, plugins
And if you use the Build and Deploy Security
Access key only
enabled, the administrator
can create one access key to
use the Prisma Cloud Compute APIs.