About Identity and Access in the Prisma SASE Multitenant Cloud Management Platform

Learn about identity and access in the Prisma SASE Multitenant Cloud Management Platform.
When you add an identity in the Prisma SASE Multitenant Cloud Management Platform, such as user access or a service account, you are adding the ability to access the platform at a certain level of the tenant hierarchy.
The access that you grant when you add user access, for example, is a combination of the location where you add the user’s access within the hierarchy and the role you assign to the user in that location.
Consider an example using tenants called ParentTenant, ChildTenantEast, ChildTenantNorthEast, and ChildTenantWest in the following screenshot.
If you add user access at the top level (ParentTenant) of the hierarchy, that access is inherited by the tenants nested below it (ChildTenantEast, ChildTenantNorthEast, and ChildTenantWest).
That means you can add user access to the ParentTenant, assign the app of All Apps & Services and the role of MSP Superuser, and then the user gets full access to manage all apps and services within all the levels of that particular nested hierarchy (which includes ParentTenant, ChildTenantEast, ChildTenantNorthEast, and ChildTenantWest). Alternatively, you could add user access to the ParentTenant, and assign the app of Prisma Access and the role of View Only Administrator, and the user gets read-only access to just the Prisma Access product in tenants within that particular nested hierarchy.
Consider an example using the tenant called ChildTenantEast in the preceding screenshot. You can add user access to ChildTenantEast, assign the app of All Apps & Services and the role of MSP Superuser, and then the user gets full access to manage all apps and services within that particular nested hierarchy (which includes ChildTenantEast and ChildTenantNorthEast). ParentTenant access is inherited by the tenants nested below it, so the app and role assigned to the user at the ParentTenant level also apply to that user at the ChildTenantEast and ChildTenantNorthEast levels. Inheritance does not apply from the bottom up, so a user added at ChildTenantEast does not have access to ParentTenant. Likewise, a user added to ChildTenantNorthEast does not have access to ChildTenantEast or ParentTenant.
You can add the same user access to multiple tenants, assigning different roles to that user for various apps and services.
When you delete user access from a tenant, this action does not delete the user from the platform as a whole; it only deletes the user's access from the individual tenant. Consider an example using the tenant called ChildTenantEast. If you delete a user's access from ChildTenantEast, the user still has access to ChildTenantNorthEast because the access was previously inherited.
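The inheritance rules above (top-down only, several grants per user, and a deletion that removes only the grant added at that tenant) as a small model, added here as an illustration and not Palo Alto Networks code. Tenant, app and role names come from the page; the parent map, the Grant record, the sample grants and the helper functions are assumptions of this model.

```python
"""Top-down access inheritance in a tenant hierarchy (added illustration).
Not Palo Alto Networks code: tenant names, apps and roles come from the page;
the parent map, Grant tuple and helper functions are assumed for this model."""
from dataclasses import dataclass

# Constructed to mirror the page's example: ChildTenantNorthEast nests under
# ChildTenantEast, which (like ChildTenantWest) nests under ParentTenant.
PARENT = {
    "ParentTenant": None,
    "ChildTenantEast": "ParentTenant",
    "ChildTenantNorthEast": "ChildTenantEast",
    "ChildTenantWest": "ParentTenant",
}
ALL_APPS = "All Apps & Services"

@dataclass(frozen=True)
class Grant:
    user: str
    tenant: str  # tenant where the access was added
    app: str
    role: str

# Constructed sample: alice is view-only for Prisma Access from the root and
# a full MSP Superuser from ChildTenantEast; bob is added only at the leaf.
SAMPLE_GRANTS = {
    Grant("alice", "ParentTenant", "Prisma Access", "View Only Administrator"),
    Grant("alice", "ChildTenantEast", ALL_APPS, "MSP Superuser"),
    Grant("bob", "ChildTenantNorthEast", ALL_APPS, "MSP Superuser"),
}

def lineage(tenant):
    """The tenant itself followed by every tenant above it, up to the root."""
    while tenant is not None:
        yield tenant
        tenant = PARENT[tenant]

def effective_access(grants, user, tenant):
    """(app, role) pairs the user holds at `tenant`: grants added there or at
    any tenant above it. Nothing flows upward from nested tenants."""
    scope = set(lineage(tenant))
    return {(g.app, g.role) for g in grants if g.user == user and g.tenant in scope}

def has_app_access(grants, user, tenant, app):
    """True if the user reaches `app` at `tenant`. Assumes the 'All Apps &
    Services' selection covers every individual app."""
    return any(a in (app, ALL_APPS) for a, _ in effective_access(grants, user, tenant))

def delete_access(grants, user, tenant):
    """Drop only the grants added for the user at exactly this tenant; access
    inherited from tenants above it is untouched, so access below may remain."""
    return {g for g in grants if not (g.user == user and g.tenant == tenant)}
```

Deleting alice's grant at ChildTenantEast leaves her view-only Prisma Access at ChildTenantNorthEast intact, because that access comes from ParentTenant, while bob, added only at ChildTenantNorthEast, holds nothing at ChildTenantEast or ParentTenant.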
If you integrate with a third-party IdP for your enterprise, you do not have to create user accounts explicitly in the platform, because users are added automatically when they authenticate successfully. However, roles still need to be assigned for all users. To ensure a seamless login and authorization experience for your users, you can add users and assign roles for them ahead of time.
