Add a Service Account Through the Prisma SASE Multitenant Cloud Management Platform

Learn how to add a service account through the Prisma SASE Multitenant Cloud Management Platform.

For API usage, the Prisma™ SASE Multitenant Cloud Management Platform enables you to add service accounts to the platform as well as to the tenants you have created. A service account is not tied to a specific user. After you create a service account, you can use the service account's client ID, secret, and tenant service group ID to request an OAuth 2.0 access token from the platform for authorization to use the account with Palo Alto Networks product APIs. The authorization follows the OAuth 2.0 Client Credentials grant flow standard.

After you add a tenant, you can add a service account from Common Services > Identity & Access.

Any service account you add to a parent tenant is also automatically added to all of that tenant's children, so that the parent can manage the children.
  1. Go to the hub and log in.
  2. Select SASE Portal.
  3. Select Multitenant Portal.
  4. Select Identity & Access.
  5. Select the tenant for which you want to add a service account.
    • Add a service account to a parent tenant if you want all the tenant's children to inherit this service account. This gives the parent tenant's service account access to all the child tenants.
    • Add a service account to a child tenant if you do not want inheritance between tenants.
  6. Select Add.
  7. Specify the following values to add a service account:
    1. Select Service Account as the Identity Type.
    2. Specify a unique and meaningful Service Account Name.
    3. (Optional) Enter the email address of the Service Account Contact; this contact person is not added as a user.
    4. (Optional) Add a Description for your service account.
  8. Select Next.
  9. From the Client Credentials, save the Client ID and Client Secret. The secret is presented only once, so save these credentials in a secure location; you will need them to request access tokens. You can copy and paste them individually or you can Download CSV File.
  10. Select Next. The display name for this service account is formatted as <ServiceAccountName>@<tsg_id>.iam.panserviceaccount.
    • The tsg_id is the tenant service group ID.
    • All service accounts of a parent tenant are assigned the same parent tenant service group ID.
    • All service accounts of a child tenant are assigned the same child tenant service group ID.
    • All service accounts of a parent tenant are inherited by the parent's child tenants, so the parent can manage the child.
    • You can create service accounts in different tenant service groups if you want to assign different roles for different access permissions, and also for future auditing purposes.
    • Take note of the tsg_id for use in API commands.
In the following example, the ExampleChildTenant is specifically assigned a service account with the View Only Administrator role for the Prisma Access application. The tenant service group ID for this service account is common to this child tenant only.
The ExampleChildTenant also inherits the service account from the ExampleParentTenant with the MSP Superuser role for All Apps & Services, so that the parent tenant can manage the child tenant. The tenant service group for this service account is common to the parent tenant and all child tenants of the parent tenant.
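The token request that the saved Client ID, Client Secret and tsg_id are used for, as an added example in Python (not code from this page or from Palo Alto Networks). The token endpoint URL and the "tsg_id:<id>" scope format are assumptions not stated on this page; the sample response is constructed so the parser can be exercised offline.

```python
import base64
import json
import os
import time
from urllib import parse, request

# Assumed, not stated on this page: the platform's OAuth 2.0 token endpoint
# and the "tsg_id:<id>" scope that selects the tenant service group.
TOKEN_URL = "https://auth.apps.paloaltonetworks.com/oauth2/access_token"
REFRESH_MARGIN = 60  # seconds before expiry at which a token is treated as stale


def build_token_request(client_id, client_secret, tsg_id):
    """Build a Client Credentials grant request (RFC 6749 section 4.4).
    The client secret travels only in the HTTP Basic Authorization header."""
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {"Authorization": f"Basic {basic}",
               "Content-Type": "application/x-www-form-urlencoded"}
    body = parse.urlencode({"grant_type": "client_credentials",
                            "scope": f"tsg_id:{tsg_id}"}).encode()
    return TOKEN_URL, headers, body


def parse_token_response(raw, now=None):
    """Validate a token response body; return (access_token, expires_at)."""
    data = json.loads(raw)
    if "access_token" not in data or data.get("token_type", "").lower() != "bearer":
        raise ValueError(f"token request failed: {data.get('error', 'malformed response')}")
    expires_at = (now if now is not None else time.time()) + int(data.get("expires_in", 0))
    return data["access_token"], expires_at


def token_is_stale(expires_at, now=None):
    """True when the token should be re-requested rather than reused."""
    return (now if now is not None else time.time()) >= expires_at - REFRESH_MARGIN


def fetch_token(tsg_id, client_id=None, client_secret=None):
    """Request a token; credentials default to environment variables so the
    downloaded secret never lands in source control or shell history."""
    client_id = client_id or os.environ["PRISMA_CLIENT_ID"]
    client_secret = client_secret or os.environ["PRISMA_CLIENT_SECRET"]
    url, headers, body = build_token_request(client_id, client_secret, tsg_id)
    req = request.Request(url, data=body, headers=headers, method="POST")
    with request.urlopen(req, timeout=15) as resp:  # HTTPS only, never plain HTTP
        return parse_token_response(resp.read())


# Constructed sample response, used only to exercise the parser offline.
SAMPLE_RESPONSE = json.dumps({"access_token": "eyJ.example.token",
                              "token_type": "Bearer", "expires_in": 900})
```

Use the tsg_id of the tenant whose role you need: the child tenant's own tsg_id for the View Only Administrator account, or the parent's tsg_id for the inherited MSP Superuser account.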