Custom Roles
You can build custom roles by combining
existing system roles and permissions in different ways. You can
create them by assembling a set of system permissions or by adding
or removing permissions from system roles.
An IAM administrator or a Super Administrator creates, updates, and
deletes custom roles for an enterprise, or assigns system and custom
roles to an end user. However, a Super Administrator or IAM
administrator cannot delete a custom role that is in use.
As an administrator, you can view all the permissions and system
roles in the system on the Prisma SD-WAN web interface. You can
associate custom roles with multiple system roles, multiple system
permissions, or multiple system permissions and disallowed system
permissions. However, you cannot create a custom role with Root
as the base system role.
Construct custom roles by selecting and assembling:
A set of system permissions.
A set of system roles and system permissions.
A set of system roles and disallowed system permissions.
A set of system roles, system permissions, and disallowed system permissions.
If a custom role includes more than one system permission, the
additional permissions become part of the overall set of permissions,
even if they were specified independently at different times. A
disallowed permission overrides an allowed permission, whether that
permission was included through system roles or through explicit means.
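The resolution rules above, modeled as an added example (this is not Prisma SD-WAN code or its API): allowed permissions from system roles and explicit grants are unioned, disallowed permissions are subtracted last, Root is rejected as a base role, and a role that is still assigned cannot be deleted. Every role name, permission name, and function here is constructed for illustration.

```python
# Added illustration of the rules above; not Prisma SD-WAN code.
# Every role and permission name below is constructed for the example.
from dataclasses import dataclass

SYSTEM_ROLES = {  # constructed catalogue: system role -> its permissions
    "root": frozenset({"*"}),
    "example_viewer": frozenset({"site.read", "policy.read"}),
    "example_net_admin": frozenset({"site.read", "site.write", "policy.write"}),
}

@dataclass(frozen=True)
class CustomRole:
    name: str
    roles: frozenset = frozenset()        # base system roles
    permissions: frozenset = frozenset()  # explicitly added permissions
    disallowed: frozenset = frozenset()   # explicitly disallowed permissions

    def __post_init__(self):
        if any(r.lower() == "root" for r in self.roles):
            raise ValueError("Root cannot be the base system role")
        unknown = set(self.roles) - set(SYSTEM_ROLES)
        if unknown:
            raise ValueError(f"unknown system roles: {sorted(unknown)}")
        if not self.roles and not self.permissions:
            raise ValueError("select at least one system role or permission")

def effective_permissions(role):
    """Union of everything allowed, then disallowed entries removed last."""
    allowed = set(role.permissions)
    for name in role.roles:
        allowed |= SYSTEM_ROLES[name]
    return frozenset(allowed - role.disallowed)

def delete_role(name, catalogue, assignments):
    """Delete a custom role unless a user still holds it.
    catalogue: {role name: CustomRole}; assignments: {user: set of role names}."""
    holders = sorted(u for u, held in assignments.items() if name in held)
    if holders:
        raise RuntimeError(f"{name} is in use by {holders}")
    del catalogue[name]

if __name__ == "__main__":
    ops = CustomRole("ops", roles=frozenset({"example_viewer", "example_net_admin"}),
                     permissions=frozenset({"audit.read"}),
                     disallowed=frozenset({"policy.write"}))
    print(sorted(effective_permissions(ops)))
```

Because the subtraction happens after the union, a disallowed entry wins regardless of whether the permission arrived through a system role or an explicit grant, which is the behavior to check when auditing a role for least privilege.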