MSP Account Roles and Permissions

Role-based access control and authentication are supported for all operations performed by the MSPs. The MSP tenant, though subservient to the Prisma SD-WAN tenant, acts as a super-tenant to all the client tenants under its control.
Typically, MSP accounts are regular user accounts with an additional set of roles and Single Sign-On (SSO) access through an enterprise Identity Provider (IdP). A group name within an IdP system may be mapped to the same name to create a custom role. The MSP roles and their responsibilities can be classified as:
| MSP Role | Permissions |
|---|---|
| MSP Root (esp_root) | A single root user who has complete control over all aspects of the MSP account. A root user is intended to be a fail-safe, fallback user account and should not be used for regular day-to-day access, administration, and management. |
| MSP Super (esp_super) | A super administrator with privileges to manage other user accounts within the provider account. Optionally, this administrator manages and administers other customer networks. |
| Identity and Access Management (IAM) Administrator (esp_iam_admin) | An IAM administrator with privileges to manage other user accounts within the MSP account. |
| ESP Machine Admin (esp_machine_admin) | An administrator with privileges to manage machine (ION device) allocation and deallocation to child tenants. |
| MSP User (esp_user) | A user with privileges to manage and administer other customer networks after an administrator has assigned the user to a customer account. |
In an MSP account, you may view, manage, or administer other client networks and accounts if:
  • The client and the provider authorize the client account for management by the provider. This authorization takes place through Prisma SD-WAN customer support for security and tracking.
  • Specific users of a provider account are assigned to manage specific, approved client accounts for that provider. This is handled by the users of a provider account who have super administrator or administrator privileges.
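The two conditions above and the root-account guidance in the table can be turned into a periodic review of MSP role assignments. The following is an added example, not Prisma SD-WAN code: the `Account` record layout, the `logins_last_90d` field, the account and client names, and the choice to treat only esp_super and esp_user as client-management roles are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Role identifiers as listed in the table on this page.
ROOT, SUPER, IAM_ADMIN, MACHINE_ADMIN, USER = (
    "esp_root", "esp_super", "esp_iam_admin", "esp_machine_admin", "esp_user")
# Assumption: only the roles the table describes as managing customer networks.
CLIENT_MGMT_ROLES = {SUPER, USER}

@dataclass
class Account:  # hypothetical export record, not a Prisma SD-WAN schema
    name: str
    roles: set
    assigned_clients: set = field(default_factory=set)
    logins_last_90d: int = 0

def may_manage(account, client, authorized_clients):
    """Client must be authorized for the provider AND assigned to this user."""
    return (client in authorized_clients
            and client in account.assigned_clients
            and bool(account.roles & CLIENT_MGMT_ROLES))

def audit(accounts, authorized_clients):
    """Return findings where assignments drift from the rules on this page."""
    findings = []
    roots = sorted(a.name for a in accounts if ROOT in a.roles)
    if len(roots) != 1:
        findings.append(f"expected a single {ROOT}, found {len(roots)}: {roots}")
    for a in accounts:
        if ROOT in a.roles and a.logins_last_90d > 0:
            findings.append(f"{a.name}: {ROOT} used {a.logins_last_90d} times; "
                            "it is meant as a fallback account")
        for client in sorted(a.assigned_clients - authorized_clients):
            findings.append(f"{a.name}: assigned to unauthorized client {client}")
        if a.assigned_clients and not (a.roles & CLIENT_MGMT_ROLES):
            findings.append(f"{a.name}: client assignments without a "
                            "client-management role")
    return findings

# Constructed sample data for the example.
AUTHORIZED = {"client-a"}
ACCOUNTS = [
    Account("root-fallback", {ROOT}, logins_last_90d=3),
    Account("alice", {SUPER}, {"client-a"}),
    Account("bob", {USER}, {"client-a", "client-b"}),
    Account("carol", {IAM_ADMIN}, {"client-a"}),
]

if __name__ == "__main__":
    for finding in audit(ACCOUNTS, AUTHORIZED):
        print(finding)
```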
