Add a Service Account Through the Prisma SASE Multitenant Cloud Management Platform

Learn how to add a service account through the Prisma SASE Multitenant Cloud Management Platform.

For API usage, the Prisma™ SASE Multitenant Cloud Management Platform enables you to add service accounts to the platform as well as to the tenants you have created. A service account is not tied to a specific user. After you create a service account, you can use the service account’s client ID, secret, and tenant service group ID to request an OAuth 2.0 access token from the platform for authorization to use the account with Palo Alto Networks product APIs. The authorization follows the OAuth 2.0 Client Credentials grant flow standard. After you add a tenant, you can add a service account from Common Services > Identity & Access. Any service account you add to a parent tenant is also automatically added to all of that tenant's children, so that the parent can manage the children.
- Go to the hub and log in.
- Select SASE Portal.
- Select Multitenant Portal.
- Select Identity & Access.
- Select the tenant for which you want to add a service account.
  - Add a service account to a parent tenant if you want all the tenant’s children to inherit this service account. This allows the parent tenant service account access to all the child tenants.
  - Add a service account to a child tenant if you do not want inheritance between tenants.
- Select Add.
- Specify the following values to add a service account:
  - Select Service Account as the Identity Type.
  - Specify a unique and meaningful Service Account Name.
  - (Optional) Enter the email address of the Service Account Contact; this contact person is not added as a user.
  - (Optional) Add a Description for your service account.
- Select Next.
- From the Client Credentials, save the Client ID and Client Secret. The secret is only presented once, so save these credentials in a secure location because you will need them to request access tokens. You can copy and paste them individually or you can Download CSV File.
- Select Next. The display name for this service account is formatted as <ServiceAccountName>@<tsg_id>.iam.panserviceaccount.
  - The tsg_id is the tenant service group ID.
  - All service accounts of a parent tenant are assigned the same parent tenant service group ID.
  - All service accounts of a child tenant are assigned the same child tenant service group ID.
  - All service accounts of a parent tenant are inherited by the parent’s child tenants, so the parent can manage the child.
  - You can create service accounts in different tenant service groups if you want to assign different roles for different access permissions and also for future auditing purposes.
  - Take note of the tsg_id for use in API commands.
In the following example, the ExampleChildTenant is specifically assigned a service account with the View Only Administrator role for the Prisma Access application. The tenant service group ID for this service account is common to this child tenant only. The ExampleChildTenant also inherits the service account from the ExampleParentTenant with the MSP Superuser role for All Apps & Services, so that the parent tenant can manage the child tenant. The tenant service group for this service account is common to the parent tenant and all child tenants of the parent tenant.
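The following is an added example (not code from this page or from Palo Alto Networks) showing how the saved client ID, client secret, and tsg_id are used in the OAuth 2.0 Client Credentials grant described above, and how the tsg_id can be recovered from a display name of the form <ServiceAccountName>@<tsg_id>.iam.panserviceaccount. The token endpoint URL, the `tsg_id:<id>` scope form, and the environment variable names are assumptions, not values stated on this page.

```python
import base64
import json
import os
import re
import urllib.parse
import urllib.request

# Assumed token endpoint and scope form for the Prisma SASE client-credentials flow;
# neither is stated on this page, so verify them against the current API docs.
TOKEN_URL = "https://auth.apps.paloaltonetworks.com/oauth2/access_token"

# Display name format from the page: <ServiceAccountName>@<tsg_id>.iam.panserviceaccount
DISPLAY_NAME_RE = re.compile(r"^(?P<name>[^@\s]+)@(?P<tsg_id>\d+)\.iam\.panserviceaccount$")


def tsg_id_from_display_name(display_name: str) -> str:
    """Return the tenant service group ID embedded in a service account display name."""
    match = DISPLAY_NAME_RE.match(display_name.strip())
    if not match:
        raise ValueError(f"not a service account display name: {display_name!r}")
    return match.group("tsg_id")


def build_token_request(client_id: str, client_secret: str, tsg_id: str) -> urllib.request.Request:
    """Build the OAuth 2.0 Client Credentials grant request.

    The client ID/secret go in an HTTP Basic Authorization header; the tsg_id
    selects which tenant (parent or child) the issued token is scoped to.
    """
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    body = urllib.parse.urlencode(
        {"grant_type": "client_credentials", "scope": f"tsg_id:{tsg_id}"}
    ).encode()
    headers = {
        "Authorization": f"Basic {basic}",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    return urllib.request.Request(TOKEN_URL, data=body, headers=headers, method="POST")


def request_access_token(client_id: str, client_secret: str, tsg_id: str, timeout: int = 15) -> str:
    """Send the request and return the bearer token (network call; not exercised offline)."""
    req = build_token_request(client_id, client_secret, tsg_id)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)["access_token"]


if __name__ == "__main__":
    # The secret is shown only once at creation, so it is read from the environment
    # (hypothetical variable names) rather than embedded in source or logs.
    cid, secret, tsg = (os.environ[k] for k in ("PRISMA_CLIENT_ID", "PRISMA_CLIENT_SECRET", "PRISMA_TSG_ID"))
    print(f"token for tsg {tsg} starts with {request_access_token(cid, secret, tsg)[:12]}...")
```

Use a service account created in the parent tenant service group when the token must manage child tenants, and one created in the child's own tenant service group when access should stay limited to that child.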