About Roles and Permissions in the Prisma SASE Multitenant Cloud Management Platform

Learn about roles and permissions in the Prisma SASE Multitenant Cloud Management Platform.

The Prisma™ SASE Multitenant Cloud Management Platform supports role-based access control (RBAC). Using RBAC, you manage tenant users, service accounts, and their access to the various resources within the Prisma SASE Multitenant Cloud Management Platform. Roles are required for users but are optional for service accounts.

Permissions
Permissions are the actions that are allowed in the system. Each permission represents a specific set of application programming interface (API) calls that you use to read, write, and delete objects within the system. All permissions in the platform are grouped into roles; you never grant an individual permission directly.
Multitenant Platform Roles

Multitenant platform roles are a predefined set of permissions for managing tenants in a multitenant hierarchy. Each role bundles one or more system permissions that are specific to the platform. The following table describes the Prisma SASE Multitenant Cloud Management Platform roles and their responsibilities.

| Multitenant Platform Role | Permissions |
|---|---|
| MSP Superuser | Read and write access to all functions of all apps and services in all tenants in a multitenant hierarchy. Includes all permissions assigned to all other roles, including the enterprise Superuser role. Assign this role only to users or service accounts that require unrestricted access. |
| MSP IAM Administrator | Read and write access to identity and authentication functions for all tenants in a multitenant hierarchy. Restricted to read-only access for logs. |
When you add user access or add a service account, you assign a predefined role that allows the principal to perform specific functions within the platform. You can also assign a batch of predefined roles to apply roles in bulk to multiple users or service accounts at the same time.
Enterprise Roles

Enterprise roles are a predefined set of permissions for managing enterprise applications and services. Each role bundles one or more system permissions that any app can use, scoped to the selected app. The following table describes the enterprise roles and their responsibilities.

| Enterprise Role | Permissions |
|---|---|
| Auditor | Read-only access to functions related to all configurations, including subscriptions and licenses, for the selected app. Assign this role to administrators who are tasked with examining the system for accuracy. |
| Business Administrator | Read and write access to all subscription and license management for the selected app. Includes read-only access to other functions, such as access policies, service accounts, and tenant service group operations. Assign this role to administrators who manage devices, licenses, and subscriptions. |
| Data Security Administrator | Read and write access to all data security functions for the selected app. Includes read-only access to logs. This role is a small subset of the Security Administrator role. Assign this role to administrators who manage only decryption rule configurations. |
| Deployment Administrator | Access to functions related to deployments for the selected app. Includes read-only access to other functions. |
| IAM Administrator | Read and write access to identity and authentication functions for the selected app. Includes read-only access to logs. Assign this role to administrators who manage users. |
| Network Administrator | Read and write access to network policy configurations for the selected app. Includes read-only access to other functions: alerts, license quotas, devices, and tenant service group operations. Assign this role to administrators who need to maintain network policy configurations. |
| Security Administrator | Read and write access to Security policy configurations for the selected app. Includes read-only access to other functions, such as alerts, license quotas, devices, and tenant service group operations. Assign this role to administrators who need to maintain authentication, certificates, and decryption rules. |
| SOC Analyst | Read-only access to functions related to logs, reports, events, alerts, and all configurations for the selected app. Assign this role to administrators who need to view and investigate threats and trends. |
| Superuser | Read and write access to all available system-wide functions for the selected app. Includes all permissions assigned to all other enterprise roles. Assign this role only to users or service accounts that require unrestricted access. |
| Tier 1 Support | Read and write access to remediation workflows that update network, security, and device configurations for the selected app. Includes read-only access for alerts, access policies, configurations, license quotas, devices, and tenant service group operations. |
| Tier 2 Support | Read and write access to remediation workflows that update network, security, and device configurations for the selected app. Includes read-only access for alerts, access policies, configurations, license quotas, devices, and tenant service group operations. |
| View Only Administrator | Read-only access to all available system-wide functions for the selected app. |
When you add user access or add a service account, you assign a predefined role that allows the principal to perform specific functions within the selected app. You can also assign a batch of predefined roles to apply roles in bulk to multiple users or service accounts at the same time.
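One way to operationalize the guidance above (assign MSP Superuser and Superuser only where unrestricted access is required; roles are required for users but optional for service accounts) is an offline audit of exported role assignments. The following Python is an added example, not Palo Alto Networks code: the record format (`principal`, `principal_type`, `role`) and the sample assignments are constructed assumptions rather than the product's API format, and the only inclusion relations it checks are the ones the role tables state (MSP Superuser includes every other role, Superuser includes every other enterprise role, Security Administrator includes Data Security Administrator).

```python
"""
Least-privilege audit of Prisma SASE role assignments.

Added example, not Palo Alto Networks code. It assumes role assignments
have been exported into dicts with 'principal', 'principal_type'
('user' or 'service_account') and 'role' keys; these field names and the
sample records below are constructed for illustration only.
"""

MULTITENANT_ROLES = {"MSP Superuser", "MSP IAM Administrator"}
ENTERPRISE_ROLES = {
    "Auditor", "Business Administrator", "Data Security Administrator",
    "Deployment Administrator", "IAM Administrator", "Network Administrator",
    "Security Administrator", "SOC Analyst", "Superuser", "Tier 1 Support",
    "Tier 2 Support", "View Only Administrator",
}
ALL_ROLES = MULTITENANT_ROLES | ENTERPRISE_ROLES

# Roles the documentation says to assign only where unrestricted access is required.
UNRESTRICTED = {"MSP Superuser", "Superuser"}

# Inclusion relations stated in the role tables: the key role already carries
# every permission of the roles in its value set, so holding both is redundant.
SUBSUMES = {
    "MSP Superuser": ALL_ROLES - {"MSP Superuser"},
    "Superuser": ENTERPRISE_ROLES - {"Superuser"},
    "Security Administrator": {"Data Security Administrator"},
}


def roles_by_principal(assignments):
    """Group assignment records into {principal: (principal_type, set of roles)}."""
    grouped = {}
    for record in assignments:
        _, roles = grouped.setdefault(record["principal"], (record["principal_type"], set()))
        if record.get("role"):  # a None role means the principal has no role
            roles.add(record["role"])
    return grouped


def redundant_roles(roles):
    """Return the held roles whose permissions another held role already includes."""
    redundant = set()
    for held in roles:
        redundant |= SUBSUMES.get(held, set()) & roles
    return redundant


def audit(assignments):
    """Return (principal, finding, role) tuples for policy violations and redundant grants."""
    findings = []
    for principal, (ptype, roles) in sorted(roles_by_principal(assignments).items()):
        if ptype == "user" and not roles:
            # Roles are required for users; only service accounts may go without one.
            findings.append((principal, "user_without_role", None))
        for role in sorted(roles - ALL_ROLES):
            findings.append((principal, "unknown_role", role))
        for role in sorted(roles & UNRESTRICTED):
            findings.append((principal, "unrestricted", role))
        for role in sorted(redundant_roles(roles)):
            findings.append((principal, "redundant", role))
    return findings


# Constructed sample export; principals and assignments are fictitious.
SAMPLE_ASSIGNMENTS = [
    {"principal": "alice@example.com", "principal_type": "user", "role": "MSP Superuser"},
    {"principal": "alice@example.com", "principal_type": "user", "role": "Auditor"},
    {"principal": "bob@example.com", "principal_type": "user", "role": "Security Administrator"},
    {"principal": "bob@example.com", "principal_type": "user", "role": "Data Security Administrator"},
    {"principal": "ci-deploy", "principal_type": "service_account", "role": "Deployment Administrator"},
    {"principal": "ci-deploy", "principal_type": "service_account", "role": "Superuser"},
    {"principal": "carol@example.com", "principal_type": "user", "role": None},
    {"principal": "dave@example.com", "principal_type": "user", "role": "Administrator"},
    {"principal": "log-shipper", "principal_type": "service_account", "role": None},
]

if __name__ == "__main__":
    for principal, finding, role in audit(SAMPLE_ASSIGNMENTS):
        print(f"{finding:18} {principal:20} {role or '-'}")
```

The "redundant" findings are worth acting on even though they grant nothing extra: a principal holding Superuser plus Deployment Administrator keeps its unrestricted access if someone later removes only the narrower role, so removing the broad role first is the safer order. A service account with no role (log-shipper above) produces no finding because the platform permits it; a user with no role does.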