Focus

Cloud NGFW for AWS

Invite Users to Cloud NGFW for AWS

Table of Contents

Invite Users to Cloud NGFW for AWS

Learn about the various user roles and how to invite users to a Cloud NGFW for AWS tenant.

As a Tenant Admin, you can invite additional users to help manage your Cloud NGFW deployment. You can then place these new users into the roles necessary for their level of access. When you invite a user to the Cloud NGFW tenant, by specifying the user’s email address and assigning one or more Cloud NGFW roles, the Cloud NGFW tenant sends the user an email that includes a registration link and temporary password. After logging in for the first time, the new user will be prompted to create a new password. Until the invited user has accepted the invitation and logged in to the tenant, the invitation is considering pending.

Cloud NGFW Role	Permissions
Admin	Add AWS Accounts. Invite users and assign roles. Create NGFW. Create/manage global and local rulestacks.
Tenant Admin	Add AWS Accounts. Invite users and assign roles.
Tenant Reader	Read all firewall resources and its settings. Read all global and local rulestacks. Read all tenant users and tenant settings.
Local Firewall Admin	Create NGFW. Associate local rulestack with NGFWs Local firewall administrators can only create NGFWs and associate rulestacks within a specified AWS account.
Local Rulestack Admin	Create local rulestacks. Associate local rulestacks with NGFWs Each Local Rulestack Admin has an account ID associated with it. This allows local rulestacks created by that admin with NGFWs in the same account.

The email address domain of users invited by the tenant admin must match the email address domain of the tenant admin’s login credentials.

Log in to the Cloud NGFW tenant.
Select SettingsUsers and RolesInvite User.
Enter the FirstName, LastName, and Email address of the invitee.
Select the new user’s role or roles from the Roles drop-down. You can now invite an existing user to a Cloud NGFW tenant.
Click Create.

After logging in you will be prompted to Select a Tenant and click Continue. If you are a new user, you will receive an activation email through which you can register to SSO and log in to the tenant. Existing users can login to the tenant directly using your SSO.

Considerations for Multi-Account Use Cases

If an AWS client account is already added to a tenant from the CNGFW console, then during the subscription process the user has a choice to login with exiting tenant or create a new one. The table below illustrates these use cases:

Use case	Steps
If you are already registered to SSO	You will not receive an activation email
If you are an existing user who is not registered to SSO	You will receive an activation email to complete registration to SSO. However, you can still choose to sign in like earlier, until you complete the registration.

Use a single email id to register to different tenants using Login with an Existing Tenant option.

After logging in you will be prompted to Select a Tenant and click Continue. If you are a new user, you will receive an activation email through which you can register to SSO and log in to the tenant. Existing users can login to the tenant directly using your SSO.

Cross-Account Role CFT Permissions for Cloud NGFW

Manage Cloud NGFW for AWS Users