Strata Cloud Manager
Manage: Access Control
Configure scope management to enforce role-based access control for Strata Cloud Manager.
| Where Can I Use This? | What Do I Need? |
|---|---|
| | Each of these licenses includes access to Strata Cloud Manager. The features and capabilities available to you in Strata Cloud Manager depend on which license(s) you are using. |
Role-based access control (RBAC) enables you to define the privileges and
responsibilities of administrative users (administrators). Every administrator must
have a user account that specifies a role and an authentication method. Prisma Access Managed by Strata Cloud Manager implements custom RBAC so that
you can manage roles or specific permissions and assign access rights to
administrative users. Using RBAC, you control which users can reach which
resources within Prisma Access Managed by Strata Cloud Manager.
RBAC is not supported for SaaS Security Inline and Behavior
Threats. All tabs under Discovered Apps and
Behavior Threats are visible to all users, regardless of
their assigned roles.
Administrator Roles
Your role determines your access and permissions on the service. When you assign
a role, you define the permission group and account groups the administrator can
manage. Prisma Access includes the following built-in permission groups
for administrators.
- App Administrator—Has full access to the given app, including all instances added to the app in the future. App Administrators can assign roles for app instances, and they can also activate app instances specific to that app.
- Instance Administrator—Has full access to the app instance for which this role is assigned. The Instance Administrator can also make other users an Instance Administrator for the app instance. If the app has predefined or custom roles, the Instance Administrator can assign those roles to other users.
- Super Reader—Can view all config elements, logs, and settings. Super Readers can’t change any settings.
- Audit Admin—Can view and manage logs and log settings only. Audit Admins can’t make changes to other settings.
- Crypto Admin—Can view logs, and manage cryptographic settings such as IKE, IPSec, master key management, and certificate configuration. Crypto Admins can’t view or make changes to other settings.
- Security Admin—Can view logs and manage all settings except the cryptographic settings that are available to the Crypto Admin role.
- Web Security Admin—Can view configuration elements related to Web Security only.
- Data Loss Prevention Admin—Can access Enterprise DLP settings but cannot push configuration changes to Prisma Access.
- Data Security Admin—Can access Enterprise DLP and SaaS Security controls, but cannot push configuration changes to Prisma Access.
- SaaS Admin—Can access SaaS Security settings but cannot push configuration changes to Prisma Access.
Custom Role-Based Access Control — Setup
Here’s how to use a predefined role or create a custom role, assign a role to a
user, and manage the user scope when you access the Prisma Access
application.
- Add a Custom Role Through Common Services: If you require more granular access control than the predefined roles provide, you can add custom roles to define which permissions are enforced for your users. Like predefined roles, custom roles are a set of permissions and permission sets. Unlike predefined roles, each custom role is assignable only to the users in the hierarchy under the Tenant Service Group (TSG) where it is defined. This avoids name conflicts between similarly named custom roles defined by different customers. If you add a custom role at the top level (parent level) of the hierarchy, that role is assigned to the tenants nested below so that the parent tenant can manage the child tenants.
- Add User Access Through Common Services: Common Services: Access and Identity enables you to add user access to the platform as well as to the tenants you created.
- Assign a Predefined Role to a Tenant User or Service Account Through Common Services: If you already added users and want to add additional roles, you can also assign a batch of predefined roles. Review additional information about roles and permissions.
- Create a New Scope in the Prisma Access Managed by Strata Cloud Manager UI: Prisma Access Managed by Strata Cloud Manager enables you (as an administrator) to assign a management scope to other Strata Cloud Manager users (non-administrators) to associate permissions based on scopes such as folders and snippets. Permissions are actions that are allowed in the system. A permission represents a specific set of application programming interface (API) calls that you use to read, write, and delete objects within the system. All permissions are grouped into roles.
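The hierarchy rules above (a custom role is assignable only under the TSG where it is defined, a role defined at the parent level applies to the nested tenants, and two tenants can define same-named custom roles without colliding) are easy to get wrong when you write your own authorization layer around these permission sets. The following is an added, illustrative model of those rules, not Strata Cloud Manager's code or API: the tenant names, the role names (`ops`, `dlp_reviewer`), the permission strings and the `Directory` class are all assumptions made for the example. It resolves a role name by walking up the tenant tree from the point of assignment, so the nearest definition wins, and it rejects an assignment of a role that is out of scope.

```python
"""Illustrative model of TSG-scoped custom roles and permission checks.

Added example only; not Strata Cloud Manager's implementation. Tenant names,
role names and permission strings below are made up for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Permission strings stand in for the API calls a role allows.
# Predefined roles are global; custom roles live in a tenant (TSG).
PREDEFINED_ROLES: Dict[str, Set[str]] = {
    "super_reader": {"config:read", "logs:read"},
    "security_admin": {"config:read", "config:write", "config:delete", "logs:read"},
}


@dataclass
class Tenant:
    name: str
    parent: Optional["Tenant"] = None
    custom_roles: Dict[str, Set[str]] = field(default_factory=dict)

    def ancestors(self):
        """Yield this tenant, then each parent up to the root."""
        node = self
        while node is not None:
            yield node
            node = node.parent


class Directory:
    def __init__(self):
        self.tenants: Dict[str, Tenant] = {}
        # (user, tenant name) -> set of role names assigned at that tenant
        self.assignments: Dict[tuple, Set[str]] = {}

    def add_tenant(self, name: str, parent: Optional[str] = None) -> Tenant:
        tenant = Tenant(name, self.tenants[parent] if parent else None)
        self.tenants[name] = tenant
        return tenant

    def define_custom_role(self, tenant: str, role: str, perms: Set[str]) -> None:
        self.tenants[tenant].custom_roles[role] = set(perms)

    def resolve_role(self, role: str, tenant: str) -> Set[str]:
        """A role is usable in a tenant if predefined, or defined in that
        tenant or one of its ancestors. Nearest definition wins, so sibling
        tenants can reuse a name without affecting each other."""
        if role in PREDEFINED_ROLES:
            return PREDEFINED_ROLES[role]
        for node in self.tenants[tenant].ancestors():
            if role in node.custom_roles:
                return node.custom_roles[role]
        raise LookupError(f"role {role!r} is not assignable in tenant {tenant!r}")

    def assign(self, user: str, role: str, tenant: str) -> None:
        self.resolve_role(role, tenant)  # raises if the role is out of scope
        self.assignments.setdefault((user, tenant), set()).add(role)

    def is_allowed(self, user: str, permission: str, tenant: str) -> bool:
        """Allowed if a role assigned at `tenant` or any ancestor grants it.
        The role is resolved where it was assigned, so a parent-level
        assignment carries the parent's definition down to child tenants."""
        for node in self.tenants[tenant].ancestors():
            for role in self.assignments.get((user, node.name), ()):
                if permission in self.resolve_role(role, node.name):
                    return True
        return False


def assignment_rejected(directory: Directory, user: str, role: str, tenant: str) -> bool:
    """True when the directory refuses the assignment as out of scope."""
    try:
        directory.assign(user, role, tenant)
    except LookupError:
        return True
    return False


def demo() -> Directory:
    """Constructed sample hierarchy: one parent TSG with two child tenants."""
    d = Directory()
    d.add_tenant("msp")
    d.add_tenant("cust-a", parent="msp")
    d.add_tenant("cust-b", parent="msp")
    d.define_custom_role("msp", "ops", {"config:read", "config:write", "logs:read"})
    d.define_custom_role("cust-b", "ops", {"logs:read"})           # same name, own scope
    d.define_custom_role("cust-b", "dlp_reviewer", {"logs:read"})  # only under cust-b
    d.assign("alice", "ops", "msp")             # parent-level: manages both children
    d.assign("bob", "ops", "cust-b")            # resolves to cust-b's narrower 'ops'
    d.assign("carol", "super_reader", "cust-a")  # predefined role, scoped to cust-a
    return d


if __name__ == "__main__":
    d = demo()
    print("alice config:write in cust-a:", d.is_allowed("alice", "config:write", "cust-a"))
    print("bob config:write in cust-b:", d.is_allowed("bob", "config:write", "cust-b"))
    print("carol config:read in cust-b:", d.is_allowed("carol", "config:read", "cust-b"))
    print("dlp_reviewer assignable in cust-a:", not assignment_rejected(d, "dave", "dlp_reviewer", "cust-a"))
```

When reviewing a real deployment, the checks worth repeating by hand are the same ones the sample exercises: a parent-level assignment reaches every nested tenant, a child's same-named custom role does not widen to the parent's definition, a predefined role assigned at one child grants nothing in a sibling, and a custom role defined in one child cannot be assigned in another.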