You can build custom roles by combining existing system roles and permissions in different ways. You can create them by assembling a set of system permissions or by adding or removing permissions from system roles.

An

IAM administrator

or a

Super Administrator

creates, updates, and deletes custom roles for an enterprise, or assigns system and custom roles to an end user. However,

Super Administrator

or

IAM administrator

cannot delete a custom role in use.

As an administrator, you can view all the permissions and system roles in the system on the Prisma SD-WAN web interface. You can associate custom roles with multiple system roles, multiple system permissions, or multiple system permissions and disallowed system permissions. However, you cannot create a custom role with Root as the base system role.

Construct custom roles by selecting and assembling:

If a custom role includes more than one system permission, then additional permissions become a part of the overall set of permissions, even if independently specified at different times and a disallowed permission overrides an allowed permission included through system roles or through explicit means.