>
    Enable Role Based Access to AI Access Security
    Focus
    Download PDF
    Focus
    1. Home
    2. AI Access Security
    3. Enable Role Based Access to AI Access Security
    Download PDF
    AI Access Security

    Enable Role Based Access to AI Access Security

    Table of Contents

    Enable Role Based Access to AI Access Security

    Enable role-based access to AI Access Security.
    Where Can I Use This?What Do I Need?
    • NGFW (Managed by Panorama or Strata Cloud Manager)
    • Prisma Access (Managed by Panorama or Strata Cloud Manager)
    One of the following:
    • AI Access Security license
    • CASB-PA license
    • CASB-X license
    Configure role-based access to AI Access Security by assigning a predefined role to your security administrators. The predefined roles you assign to your security administrators define which parts of AI Access Security they have full or partial read and write access privileges. Review the table below to understand the predefined roles that grant role-based access to AI Access Security. This information pertains only to access privileges specific to AI Access Security. For detailed information about all predefined roles and what other access privileges they grant, review the Roles and Permissions.
    Custom roles are not supported.
    Predefined AI Access Security Role
    Privileges
    Data Security admin
    Full read and write access privileges for AI Access Security.
    Multitenant Superuser
    Full read and write privileges for all available system-wide functions for all tenants in the particular multitenant hierarchy where the role is assigned.
    Security Administrator
    Read and write access for AI Access Security.
    Superuser
    Full read and write privileges for the tenant, including AI Access Security.
    In a multitenant hierarchy, the Superuser role is specific to a child tenant and not to the top-level parent tenant or to other child tenants.
    View Only Administrator
    Read-only privileges for AI Access Security

    Enable Role Based Access for AI Access Security (NGFW Managed by Panorama)

    Enable role-based access to AI Access Security for NGFW (Managed by Panorama).
    1. Configure a Panorama administrator account and admin role.
      Administrator accounts specify authentication and admin role privileges for a Panorama admin. A custom admin role allows granular customized access privileges for the Panorama admin. For example, if the assigned role privilege does not allow the admin access to Security policy rules then the admin can't implement policy rules to control access to GenAI apps.
    2. Enable role-based access for Enterprise Data Loss Prevention (E-DLP).
      This defines the access privileges to configure Enterprise DLP data patterns and profiles that define what is considered sensitive data that must be blocked. Skip this step if you have already configured role-based access to Enterprise DLP or don't want to configure access to Enterprise DLP for the user.
    3. Assign role-based access for AI Access Security.
      1. Select User and for the Identity Address, enter the email address for which you granted access in the previous step.
      2. For Apps & Services, select AI Access Security.
      3. Select a predefined Common Services Role.
    4. Submit.

    Enable Role Based Access for AI Access Security (Prisma Access Managed by Panorama)

    Enable role-based access to AI Access Security for Prisma Access (Managed by Panorama).
    1. Configure a Panorama administrator account and admin role.
      Administrator accounts specify authentication and admin role privileges for a Panorama admin. A custom admin role allows granular customized access privileges for the Panorama admin. For example, if the assigned role privilege does not allow the admin access to Security policy rules then the admin can't implement policy rules to control access to GenAI apps.
    2. Enable role-based access for Prisma Access.
      This defines which admins can push configuration changes from Panorama to your Prisma Access tenants.
    3. Enable role-based access for Enterprise Data Loss Prevention (E-DLP).
      This defines the access privileges to configure Enterprise DLP data patterns and profiles that define what is considered sensitive data that must be blocked. Skip this step if you have already configured role-based access to Enterprise DLP or don't want to configure access to Enterprise DLP for the user.
    4. Assign role-based access for AI Access Security.
      1. Select User and for the Identity Address, enter the email address for which you granted access in the previous step.
      2. For Apps & Services, select AI Access Security.
      3. Select a predefined Common Services Role.
    5. Submit.

    Enable Role Based Access for AI Access Security (NGFW Managed by Strata Cloud Manager)

    Enable role-based access to AI Access Security for NGFW (Managed by Strata Cloud Manager).
    1. Use one of the various ways to access Identity & Access.
    2. (New admins only) Add Access to your tenant where AI Access Security is active.
      This step is required only if the user for which you’re granting AI Access Security access isn't already registered with the Palo Alto Networks Customer Support Portal (CSP).
    3. Assign role-based access for AI Access Security.
      You don't need to configure a tenant role for a user if access to only Enterprise DLP is required.
      1. Select User and for the Identity Address, enter the email address for which you granted access in the previous step.
      2. For Apps & Services, select AI Access Security.
      3. Select a predefined Common Services Role.
    4. Add Another to enable additional role-based access to subscriptions for the admin on Strata Cloud Manager.
      Click Add Another for each subscription you want to enable role-based access. Skip this step if you only want to enable role-based access to AI Access Security.
      1. Enable role-based access for AIOps for NGFW.
        This controls which parts of Strata Cloud Manager the admin has access to. For example, if the assigned role privilege does not allow the admin access to Web Security policy rules then the admin can't implement policy rules to control access to GenAI apps.
      2. Enable role-based access for Enterprise Data Loss Prevention (E-DLP).
        This defines the access privileges to configure Enterprise DLP data patterns and profiles that define what is considered sensitive data that must be blocked.
      3. Enable role-based access for SaaS Security Inline if the license is active.
        Review the role privileges if you're assigning a predefined role to the admin. Role-based access to SaaS Security Inline can give your admin the privileges to tag and configure the risk score for GenAI apps.
    5. Submit.

    Enable Role Based Access for AI Access Security (Prisma Access Managed by Strata Cloud Manager)

    Enable role-based access to AI Access Security for Prisma Access (Managed by Strata Cloud Manager).
    1. Use one of the various ways to access Identity & Access.
    2. (New admins only) Add Access to your tenant where AI Access Security is active.
      This step is required only if the user for which you’re granting AI Access Security access isn't already registered with the Palo Alto Networks Customer Support Portal (CSP).
    3. Assign role-based access for AI Access Security.
      You don't need to configure a tenant role for a user if access to only Enterprise DLP is required.
      1. Select User and for the Identity Address, enter the email address for which you granted access in the previous step.
      2. For Apps & Services, select AI Access Security.
      3. Select a predefined Common Services Role.
    4. Add Another to enable additional role-based access to subscriptions for the admin on Strata Cloud Manager.
      Click Add Another for each subscription you want to enable role-based access. Skip this step if you only want to enable role-based access to AI Access Security.
      1. Enable role-based access for Prisma Access.
        This controls which parts of Strata Cloud Manager the admin has access to. For example, if the assigned role privilege does not allow the admin access to Web Security policy rules then the admin can't implement policy rules to control access to GenAI apps.
      2. Enable role-based access for Enterprise Data Loss Prevention (E-DLP).
        This defines the access privileges to configure Enterprise DLP data patterns and profiles that define what is considered sensitive data that must be blocked.
      3. Enable role-based access for SaaS Security Inline if the license is active.
        Review the role privileges if you're assigning a predefined role to the admin. Role-based access to SaaS Security Inline can give your admin the privileges to tag and configure the risk score for GenAI apps.
    5. Submit.

    © 2024 Palo Alto Networks, Inc. All rights reserved.