About Roles and Permissions in the Prisma SASE Multitenant Cloud Management Platform

Learn about roles and permissions in the Prisma SASE Multitenant Cloud Management Platform.

The Prisma™ SASE Multitenant Cloud Management Platform supports role-based access control (RBAC). Using RBAC, you can manage tenant users, service accounts, and access to various resources within the Prisma SASE Multitenant Cloud Management Platform. Roles are required for users but are optional for service accounts.

Permissions

Permissions are actions that are allowed in the system. Permissions represent a specific set of application programming interface (API) calls that you use to read, write, and delete objects within the system. All permissions in the platform are grouped into roles.

Multitenant Platform Roles

Multitenant platform roles are a predefined set of permissions for managing tenants in a multitenant hierarchy. These roles include a collection of one or more system permissions that are specific to the platform. The following table describes Prisma SASE Multitenant Cloud Management Platform roles and responsibilities.

Multitenant Platform Roles / Permissions

MSP Superuser:
  Read and write access to all functions of all apps and services in all tenants in a multitenant hierarchy. Includes all permissions assigned to all roles, including Superuser. Assign this role only to users or service accounts that require unrestricted access.

MSP IAM Administrator:
  Read and write access to identity and authentication functions for all tenants in a multitenant hierarchy. Restricted to read-only access for logs.

When you add user access or add a service account, you can assign a predefined role to execute specific functions within the platform. You can also assign a batch of predefined roles to assign a role in bulk to multiple users or service accounts at the same time.

Enterprise Roles

Enterprise roles are a predefined set of permissions for managing enterprise applications and services. These roles include a collection of one or more system permissions for any app to use. The following table describes enterprise roles and responsibilities.
Enterprise Roles / Permissions

Auditor:
  Read-only access to functions related to all configurations, including subscriptions and licenses for the selected app. Assign this role to administrators who are tasked with examining the system for accuracy.

Business Administrator:
  Read and write access to all subscription and license management for the selected app. Includes read-only access to other functions, such as access policies, service accounts, and tenant service group operations. Assign this role to administrators who manage devices, licenses, and subscriptions.

Data Security Administrator:
  Read and write access to all data security functions for the selected app. Includes read-only access to logs. This role includes a very small subset of the privileges included in the Security Administrator role. Assign this role to administrators who manage only decryption rule configurations.

Deployment Administrator:
  Access to functions related to deployments. In addition, this role provides read-only access to other functions.

IAM Administrator:
  Read and write access to identity and authentication functions for the selected app. Includes read-only access to logs. Assign this role to administrators who manage users.

Network Administrator:
  Read and write access to network policy configurations for the selected app. Includes read-only access to other functions: alerts, license quotas, devices, and tenant service group operations. Assign this role to administrators who need to maintain authentication, certificates, and decryption rules.

Security Administrator:
  Read and write access to Security policy configurations for the selected app. Includes read-only access to other functions, such as alerts, license quotas, devices, and tenant service group operations. Assign this role to administrators who need to maintain authentication, certificates, and decryption rules.

SOC Analyst:
  Read-only access to functions related to logs, reports, events, alerts, and all configurations for the selected app. Assign this role to administrators who need to view and investigate threats and trends.

Superuser:
  Read and write access to all available system-wide functions for the selected app. Includes all permissions assigned to all other roles, including MSP Superuser. Assign this role only to users or service accounts that require unrestricted access.

Tier 1 Support:
  Read and write access to remediation workflows that update network, security, and device configurations for the selected app. Includes read-only access for alerts, access policies, configurations, license quotas, devices, and tenant service group operations.

Tier 2 Support:
  Read and write access to remediation workflows that update network, security, and device configurations for the selected app. Includes read-only access for alerts, access policies, configurations, license quotas, devices, and tenant service group operations.

View Only Administrator:
  Read-only access to all available system-wide functions for the selected app.

When you add user access or add a service account, you can assign a predefined role to execute specific functions within a network. You can also assign a batch of predefined roles to assign a role in bulk to multiple users or service accounts at the same time.