
Add a Service Account Through Common Services

Learn how to add a Common Services service account.
For API usage, Common Services enables you to add service accounts to the platform as well as to the tenants you have created. A service account is not tied to a specific user. After you create a service account, you can use the service account’s client ID, secret, and tenant service group ID to request an OAuth 2.0 access token from the platform for authorization to use the account with Palo Alto Networks product APIs. The authorization follows the OAuth 2.0 Client Credentials grant flow standard.
After you add a tenant, you can add a service account.
Any service account you add to a parent tenant is also automatically added to all of that tenant's children, so that the parent can manage the children.
  1. Use one of the various ways to access Common Services > Identity & Access.
  2. Select the tenant for which you want to add a service account.
    • Add a service account to a parent tenant if you want all the tenant’s children to inherit this service account. This allows the parent tenant service account access to all the child tenants.
    • Add a service account to a child tenant if you do not want inheritance between tenants.
  3. Select Add.
  4. Specify the following values to add a service account:
    1. Select Service Account as the Identity Type.
    2. Specify a unique and meaningful Service Account Name.
    3. (Optional) Enter the email address of the Service Account Contact; this contact person is not added as a user.
    4. (Optional) Add a Description for your service account.
  5. Select Next.
  6. From the Client Credentials, save the Client ID and Client Secret. The secret is presented only once, so store these credentials in a secure location; you will need them to request access tokens. You can copy and paste them individually, or you can Download CSV File.
  7. Select Next. The display name for this service account is formatted as <ServiceAccountName>@<tsg_id>.iam.panserviceaccount.
    • The tsg_id is the tenant service group ID.
    • All service accounts of a parent tenant are assigned the same parent tenant service group ID.
    • All service accounts of a child tenant are assigned the same child tenant service group ID.
    • All service accounts of a parent tenant are inherited by the parent’s child tenants, so the parent can manage the child.
    • You can create service accounts in different tenant service groups if you want to assign different roles for different access permissions and also for future auditing purposes.
    • Take note of the tsg_id for use in API commands.
In the following example, the ExampleChildTenant is specifically assigned a service account with the View Only Administrator role for the Prisma Access application. The tenant service group ID for this service account is common to this child tenant only.
The ExampleChildTenant also inherits the service account from the ExampleParentTenant with the Multitenant Superuser role for All Apps & Services, so that the parent tenant can manage the child tenant. The tenant service group for this service account is common to the parent tenant and all child tenants of the parent tenant.
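As an added example that is not part of this page or of Palo Alto Networks' own tooling, the client credentials token request described above, written in Python: the client ID and secret are sent as HTTP Basic credentials, the tenant service group is named in the scope, and the token's expiry is recorded so it is refreshed rather than cached forever. The token endpoint URL and the tsg_id:<id> scope format are assumptions to confirm against the product API documentation, and the environment variable names are hypothetical.

```python
import base64
import json
import os
import time
import urllib.parse
import urllib.request

# Assumed token endpoint; confirm against the product's API documentation.
TOKEN_URL = "https://auth.apps.paloaltonetworks.com/am/oauth2/access_token"


def build_token_request(client_id: str, client_secret: str, tsg_id: str) -> dict:
    """Build an OAuth 2.0 Client Credentials request (RFC 6749, section 4.4).

    The client ID and secret travel in an HTTP Basic Authorization header, and
    the tenant service group is requested as a scope of the form tsg_id:<id>
    (assumed scope format). The secret is never placed in the URL or a log line.
    """
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    body = urllib.parse.urlencode(
        {"grant_type": "client_credentials", "scope": f"tsg_id:{tsg_id}"}
    )
    headers = {
        "Authorization": f"Basic {basic}",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    return {"url": TOKEN_URL, "headers": headers, "body": body}


def parse_token_response(raw: bytes, now: float) -> dict:
    """Extract the bearer token and an absolute expiry (epoch seconds).

    Rejecting anything that is not a bearer token response avoids silently
    reusing an error body as if it were a credential."""
    resp = json.loads(raw)
    if resp.get("token_type", "").lower() != "bearer" or "access_token" not in resp:
        raise ValueError("unexpected token response")
    return {"token": resp["access_token"], "expires_at": now + int(resp["expires_in"])}


def fetch_token(tsg_id: str) -> dict:
    """Read the credentials from the environment (never hard-code the secret),
    request a token and return it together with its expiry time."""
    req = build_token_request(
        os.environ["PAN_CLIENT_ID"], os.environ["PAN_CLIENT_SECRET"], tsg_id
    )
    http_req = urllib.request.Request(
        req["url"], data=req["body"].encode(), headers=req["headers"], method="POST"
    )
    with urllib.request.urlopen(http_req, timeout=15) as r:
        return parse_token_response(r.read(), time.time())
```

Call fetch_token with the tsg_id noted in step 7 and send the returned token as a Bearer Authorization header on product API calls, requesting a new one once expires_at is near.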