Add SaaS Security Inline Administrators

Create additional administrator accounts with specific privileges on SaaS Security Inline.
Initially, to create new administrator accounts for SaaS Security Inline access, log in as the administrator assigned to the user specified in the activation email. With this default account, you can create additional administrator accounts. Unlike for SaaS Security API, there are no unique roles for SaaS Security Inline; instead SaaS Security Inline uses a subset of those roles to enforce SaaS Security Inline role permissions.
  • If you add an administrator with an email that already exists in Customer Support Portal (CSP), that administrator’s SaaS Security account will be linked to the administrator’s CSP account.
  • If you add an administrator with an email that does not exist in CSP, then an account will be automatically created for the administrator on SaaS Security Inline, as well as an account in CSP tied to your organization.
Learn about the roles required based on your platform:

Access SaaS Security Features for Cloud Managed Prisma Access

For Cloud Managed Prisma Access, you must have both a Hub account with the privileges provided by a Hub role and an administrator account on SaaS Security Inline.
SaaS Admin can access SaaS Security settings but cannot push configuration changes to Cloud Managed Prisma Access.
The following Hub roles enable administrators to collaborate on SaaS Security:

| Action | SaaS Admin | Data Security Admin | Web Security Admin | Security Admin |
|---|---|---|---|---|
| Configure SaaS Security settings | Yes | Yes | No | Yes |
| View SaaS Security settings | Yes | Yes | Yes | Yes |
| Author and submit rule recommendations | Yes | Yes | No | Yes |
| Import rule recommendations | No | No | Yes | Yes |
| Push rule recommendations | No | No | No | Yes |

  1. Navigate to SaaS Security Inline.
  2. Select Settings > Admin Accounts and Add Administrator.
  3. Enter the Name and Email address of the new administrator.
  4. Choose an Authentication Type:
    • Single Sign-On (SSO): PAN SSO enables you to grant administrator access with seamless authentication using a single set of credentials. This option eliminates the need for application- or service-specific passwords. If you enable SSO, you do not have to create administrator accounts on the local database.
    • Local Authentication: Local authentication grants access to SaaS Security after the administrator successfully presents a password.
    Local authentication is not supported for SaaS Security activated on the hub.
  5. Select the administrative Role:
    You can select any of the following predefined roles.
    • Super Admin: A read-write (Full Control) administrator account that allows full functionality within SaaS Security Inline, including creating administrator accounts and assigning administrator roles.
    • Admin: A read-write administrator account that allows full functionality within SaaS Security Inline, including the ability to create policy recommendations and create additional administrator accounts.
    • Limited Admin: An administrator account that allows the administrator to view SaaS visibility data and the SaaS Security Report for risk assessment. For example, this administrator can view policy recommendations, but cannot apply predefined policy recommendations.
    • Read Only: An administrator account that allows the administrator to view SaaS visibility data and the SaaS Security Report for risk assessment. However, this administrator cannot make changes. For example, this administrator can view policy recommendations, but cannot apply predefined policy recommendations.
  6. Select the default Language for the new administrator.
  7. Save your changes.
    To verify an administrator’s privileges, use Search name or email or use the Roles filter. You can also download a CSV file to view the complete list of all administrative users configured on SaaS Security.

Access SaaS Security Inline Features for NGFW and Panorama Managed Prisma Access

To enable administrators to collaborate on SaaS Security, each administrator requires the necessary permissions on both the security platform and SaaS Security. Presumably you’ve already assigned your firewall administrators to an appropriate firewall administrator role or Panorama Managed Prisma Access administrator role. The next step is to add administrators to SaaS Security so that they can access the necessary SaaS Security Inline features.
  1. Navigate to SaaS Security Inline.
  2. Select Settings > Admin Accounts and Add Administrator.
  3. Enter the Name and Email address of the new administrator.
  4. Choose an Authentication Type:
    • Single Sign-On (SSO): PAN SSO enables you to grant administrator access with seamless authentication using a single set of credentials. This option eliminates the need for application- or service-specific passwords. If you enable SSO, you do not have to create administrator accounts on the local database.
    • Local Authentication: Local authentication grants access to SaaS Security after the administrator successfully presents a password.
    Local authentication is not supported for SaaS Security activated on the hub.
  5. Select the administrative Role:
    You can select any of the following predefined roles.
    • Super Admin: A read-write (Full Control) administrator account that allows full functionality within SaaS Security Inline, including creating administrator accounts and assigning administrator roles.
    • Admin: A read-write administrator account that allows full functionality within SaaS Security Inline, including the ability to create policy recommendations and create additional administrator accounts.
    • Limited Admin: An administrator account that allows the administrator to view SaaS visibility data and the SaaS Security Report for risk assessment. For example, this administrator can view policy recommendations, but cannot apply predefined policy recommendations.
    • Read Only: An administrator account that allows the administrator to view SaaS visibility data and the SaaS Security Report for risk assessment. However, this administrator cannot make changes. For example, this administrator can view policy recommendations, but cannot apply predefined policy recommendations.
  6. Select the default Language for the new administrator.
  7. Save your changes.
    To verify an administrator’s privileges, use Search name or email or use the Roles filter. You can also download a CSV file to view the complete list of all administrative users configured on SaaS Security.
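
A periodic review of the downloaded administrator CSV can be scripted. The following is an added example, not part of the product or its documentation: the column names (Name, Email, Role, Authentication Type), the sample rows, the organization domain and the threshold for how many accounts may create other administrators are all assumptions to adjust to your actual export and policy.

```python
import csv
import io

# Roles the page describes as able to create additional administrator accounts.
ACCOUNT_CREATING_ROLES = {"Super Admin", "Admin"}
KNOWN_ROLES = ACCOUNT_CREATING_ROLES | {"Limited Admin", "Read Only"}

# Constructed sample export. The header names are assumed, not a documented schema.
SAMPLE_CSV = """Name,Email,Role,Authentication Type
Alice Ng,alice@example.com,Super Admin,Single Sign-On (SSO)
Bob Roy,bob@example.com,Admin,Local Authentication
Carol Diaz,carol@example.com,Read Only,Single Sign-On (SSO)
Dan Wu,dan@contractor.example.net,Admin,Single Sign-On (SSO)
Eve Park,eve@example.com,Auditor,Single Sign-On (SSO)
"""

def audit_admins(csv_text, org_domain, max_account_creators=2):
    """Return a sorted list of (email, finding) tuples that need review."""
    findings = []
    creators = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        email = row["Email"].strip().lower()
        role = row["Role"].strip()
        auth = row["Authentication Type"].strip()
        # A role outside the four predefined ones suggests a stale or edited export.
        if role not in KNOWN_ROLES:
            findings.append((email, f"unrecognized role: {role}"))
        if role in ACCOUNT_CREATING_ROLES:
            creators.append(email)
            # Account-creating roles protected only by a local password deserve a look.
            if auth.startswith("Local"):
                findings.append((email, "privileged role with local (password) authentication"))
        # New emails get an account tied to the organization, so check the domain.
        if not email.endswith("@" + org_domain):
            findings.append((email, "email outside organization domain"))
    # Flag every account creator when there are more than policy expects.
    if len(creators) > max_account_creators:
        for email in creators:
            findings.append((email, "can create administrator accounts; count exceeds policy"))
    return sorted(findings)

if __name__ == "__main__":
    for email, finding in audit_admins(SAMPLE_CSV, "example.com"):
        print(f"{email}: {finding}")
```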
