control and authentication is supported for all operations
performed by the MSPs. The MSP tenant, though subservient to the
Prisma SD-WAN tenant, acts as a super-tenant to all the client tenants
under its control.
Typically, MSP accounts are regular user accounts
with an additional set of roles, and Single Sign-On (SSO) access through
an enterprise Identity Provider (IdP). A group name within an IdP
system may be mapped to the same name to create a custom role. The
MSP roles and their responsibilities can be classified as:
MSP Root (esp_root)
A single root user who has complete control
over all aspects of the MSP account. A root user is intended to
be a fail-safe, fallback user account and should not be used for
regular day-to-day access, administration, and management.
MSP Super (esp_super)
A super administrator with privileges to manage
other user accounts within the provider account. Optionally, this
administrator manages and administers other customer networks.
Identity and Access Management (IAM) Administrator (esp_iam_admin)
An IAM administrator with privileges to manage
other user accounts within the MSP account.
ESP Machine Admin (esp_machine_admin)
An administrator with privileges to manage
machine (ION device) allocation and deallocation to child tenants.
MSP User (esp_user)
A user with privileges to manage and administer
other customer networks after an administrator has assigned the
user to a customer account.
In an MSP account, you may view, manage, or administer other client
networks and accounts, if:
The client and the provider authorize the client account
for management by the provider. This authorization takes place through
Prisma SD-WAN customer support for security and tracking.
Specific users of a provider account are assigned to
manage specific, approved client accounts for that provider. This
is handled by the users of a provider account who have super administrator
or administrator privileges.