Learn how to add a Common Services service account.
For API usage, Common Services enables you to add service accounts to the platform as well as to the tenants you have created. A service account is not tied to a specific user. After you create a service account, you can use the service account's client ID, secret, and tenant service group ID to request an OAuth 2.0 access token from the platform for authorization to use the account with Palo Alto Networks product APIs. The authorization follows the OAuth 2.0 Client Credentials grant flow standard.
After you add a tenant, you can add a service account. Any service account you add to a parent tenant is also automatically added to all of that tenant's children, so that the parent can manage the children.

1. Select the tenant for which you want to add a service account.
   - Add a service account to a parent tenant if you want all the tenant's children to inherit this service account. This gives the parent tenant's service account access to all the child tenants.
   - Add a service account to a child tenant if you do not want inheritance between tenants.
2. Select Add.
3. Specify the following values to add a service account:
   - Select Service Account as the Identity Type.
   - Specify a unique and meaningful Service Account Name.
   - (Optional) Enter the email address of the Service Account Contact; this contact person is not added as a user.
   - (Optional) Add a Description for your service account.
4. Select Next.
5. From the Client Credentials, save the Client ID and Client Secret. The secret is presented only once, so save these credentials in a secure location; you will need them to request access tokens. You can copy and paste them individually, or you can Download CSV File.
6. Select Next. The display name for this service account is formatted as <ServiceAccountName>@<tsg_id>.iam.panserviceaccount, where tsg_id is the tenant service group ID.
   - All service accounts of a parent tenant are assigned the same parent tenant service group ID.
   - All service accounts of a child tenant are assigned the same child tenant service group ID.
   - All service accounts of a parent tenant are inherited by the parent's child tenants, so the parent can manage the child.
   You can create service accounts in different tenant service groups if you want to assign different roles for different access permissions, and also for future auditing purposes.
In the following example, the ExampleChildTenant is specifically assigned a service account with the View Only Administrator role for the Prisma Access application. The tenant service group ID for this service account is common to this child tenant only.

The ExampleChildTenant also inherits the service account from the ExampleParentTenant with the Multitenant Superuser role for All Apps & Services, so that the parent tenant can manage the child tenant. The tenant service group for this service account is common to the parent tenant and all child tenants of the parent tenant.
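The following Python example is added here to show the two pieces of this page that an API client actually has to get right: reading the tenant service group ID back out of the <ServiceAccountName>@<tsg_id>.iam.panserviceaccount display name, and assembling the OAuth 2.0 Client Credentials token request from the client ID, client secret and tsg_id. It is not Palo Alto Networks code. The token endpoint URL is a placeholder (the page does not name one), the "tsg_id:<tsg_id>" scope syntax is an assumption, and the credentials, tenant ID and token response are constructed sample values. The network call is isolated in a replaceable `send` function so the example runs offline against a fake endpoint.

```python
import base64
import json
import re
import urllib.parse
import urllib.request

# Placeholder: the page does not name the token endpoint, so this is an assumption.
TOKEN_URL = "https://auth.example.invalid/oauth2/access_token"

# Display name format from the page: <ServiceAccountName>@<tsg_id>.iam.panserviceaccount
_DISPLAY_NAME_RE = re.compile(
    r"^(?P<name>[^@\s]+)@(?P<tsg_id>[^.@\s]+)\.iam\.panserviceaccount$"
)


def parse_display_name(display_name):
    """Return (service_account_name, tsg_id) from a service account display name."""
    match = _DISPLAY_NAME_RE.match(display_name)
    if match is None:
        raise ValueError("not a service account display name: %r" % display_name)
    return match.group("name"), match.group("tsg_id")


def build_token_request(client_id, client_secret, tsg_id, token_url=TOKEN_URL):
    """Assemble a client-credentials token request as (url, headers, body).

    The client ID and secret are sent as HTTP Basic credentials; the tenant
    service group the token should cover is requested as the scope
    'tsg_id:<tsg_id>' (scope syntax is an assumption, not stated on the page).
    """
    raw = ("%s:%s" % (client_id, client_secret)).encode("utf-8")
    headers = {
        "Authorization": "Basic " + base64.b64encode(raw).decode("ascii"),
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = urllib.parse.urlencode(
        {"grant_type": "client_credentials", "scope": "tsg_id:%s" % tsg_id}
    ).encode("ascii")
    return token_url, headers, body


def parse_token_response(payload):
    """Validate a token response body (bytes) and return (access_token, expires_in)."""
    data = json.loads(payload.decode("utf-8"))
    if "error" in data:
        # Report only the server's error code; never include the request headers,
        # which carry the Basic-encoded client secret.
        raise RuntimeError("token request rejected: %s" % data["error"])
    if data.get("token_type", "Bearer").lower() != "bearer":
        raise RuntimeError("unexpected token_type %r" % data.get("token_type"))
    if not data.get("access_token"):
        raise RuntimeError("token response carried no access_token")
    return data["access_token"], int(data.get("expires_in", 0))


def request_access_token(client_id, client_secret, tsg_id, send=None):
    """Perform the token request; 'send' can be swapped for a fake in tests."""
    url, headers, body = build_token_request(client_id, client_secret, tsg_id)
    if send is None:
        def send(url, headers, body):
            req = urllib.request.Request(url, data=body, headers=headers, method="POST")
            with urllib.request.urlopen(req, timeout=10) as resp:
                return resp.read()
    return parse_token_response(send(url, headers, body))


def _fake_send(url, headers, body):
    """Constructed stand-in for the token endpoint, for offline demonstration."""
    return json.dumps({"access_token": "eyJ.constructed.token",
                       "token_type": "Bearer", "expires_in": 900}).encode("utf-8")


if __name__ == "__main__":
    # Constructed display name; the tsg_id here is a sample value, not a real tenant.
    name, tsg = parse_display_name("api-reader@1234567890.iam.panserviceaccount")
    token, ttl = request_access_token(
        "client-id-placeholder", "client-secret-placeholder", tsg, send=_fake_send)
    # Print only a prefix of the token; the secret itself is never printed.
    print(name, tsg, ttl, token[:6] + "...")
```

In production the client ID and secret saved in step 5 should come from a secrets store or environment variables rather than source code, and the returned bearer token is what you present to the product APIs for the tenant service group named in the scope; a token requested with the parent tenant's tsg_id covers the child tenants that inherited the service account.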