enables you to add service accounts to
the platform as well as to the tenants you have created. A service
account is not tied to a specific user. After you create a service
account, you can use the service account’s client ID, secret, and
tenant service group ID to request an OAuth 2.0 access token from
the platform for authorization to use the account with Palo Alto
Networks product APIs. The authorization follows the OAuth 2.0 Client
Credentials grant flow standard.
From the Client Credentials, save the Client ID and Client
Secret. The secret is presented only once, so store these credentials
in a secure location; you will need them to request access
tokens. You can copy and paste them individually or you can
. The display name
for this service account is formatted as <ServiceAccountName>@<tsg_id>.iam.panserviceaccount.
The tsg_id is the tenant service group ID.
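As an added example (not the product's own code or documentation), the Client Credentials exchange described above in Python: it derives the tsg_id from the display name format, builds the token request with the client ID and secret in a Basic Authorization header, and parses the response with its expiry. The token endpoint URL and the `tsg_id:<id>` scope format are assumptions; take the real values from the product documentation.

```python
"""Client Credentials grant for a service account: build, send and parse the token request."""
import base64
import json
import re
import time
import urllib.parse
import urllib.request

# Placeholder endpoint: the real token URL comes from the product documentation.
TOKEN_URL = "https://auth.example.invalid/oauth2/access_token"
# Display name format from the page: <ServiceAccountName>@<tsg_id>.iam.panserviceaccount
DISPLAY_NAME_RE = re.compile(r"^(?P<name>[^@]+)@(?P<tsg_id>[^.]+)\.iam\.panserviceaccount$")

def tsg_id_from_display_name(display_name):
    """Extract the tenant service group ID from a service account display name."""
    m = DISPLAY_NAME_RE.match(display_name)
    if not m:
        raise ValueError(f"not a service account display name: {display_name!r}")
    return m.group("tsg_id")

def build_token_request(client_id, client_secret, tsg_id):
    """Return (headers, body) for a client_credentials grant (RFC 6749 section 4.4).
    ID and secret go in an HTTP Basic Authorization header, never in the URL;
    the tenant is selected with the scope 'tsg_id:<id>' (assumed scope format)."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {"Authorization": f"Basic {creds}",
               "Content-Type": "application/x-www-form-urlencoded"}
    body = urllib.parse.urlencode({"grant_type": "client_credentials",
                                   "scope": f"tsg_id:{tsg_id}"})
    return headers, body

def parse_token_response(raw, now=None):
    """Return (access_token, expiry_epoch); raise if the server returned an error."""
    data = json.loads(raw)
    if "access_token" not in data:
        raise RuntimeError(f"token request failed: {data.get('error', 'unknown error')}")
    now = time.time() if now is None else now
    # Keep the expiry so callers refresh the token instead of reusing a lapsed one.
    return data["access_token"], now + int(data.get("expires_in", 0))

def request_token(client_id, client_secret, tsg_id):
    """Perform the grant against TOKEN_URL (network call, not exercised offline)."""
    headers, body = build_token_request(client_id, client_secret, tsg_id)
    req = urllib.request.Request(TOKEN_URL, data=body.encode(), headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=15) as resp:
        return parse_token_response(resp.read().decode())
```

Load the client secret from an environment variable or a secret store at call time; it belongs neither in source control nor in logs.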
All service accounts of a parent tenant are assigned the same
parent tenant service group ID.
All service accounts of a child tenant are assigned the same
child tenant service group ID.
All service accounts of a parent tenant are inherited by the
parent’s child tenants, so the parent can manage the child.
You can create service accounts in different tenant service
groups if you want to assign different roles for different access
permissions and also for future auditing purposes.
In the following example, the ExampleChildTenant is
specifically assigned a service account with the View Only Administrator
role for the Prisma Access application. The tenant service group
ID for this service account is common to this child tenant only.
ExampleChildTenant also inherits the service account from the ExampleParentTenant
with the MSP Superuser role for All Apps & Services, so that
the parent tenant can manage the child tenant. The tenant service
group for this service account is common to the parent tenant and
all child tenants of the parent tenant.