PAN Resource Names
Learn how to use access policy resource names for tenant mapping through Common Services.
When assigning an access policy to a user or a service account (such as in mapping a tenant for SAML authorization purposes), the PAN Resource Name identifies the tenant or tenant service group (TSG) hierarchy where you are applying access policies.
- Properties for Predefined Roles
- Properties for Custom Roles
Properties for Predefined Roles
The properties available for assigning an access policy with a predefined role
follow:
Property | Description | Required |
---|---|---|
predefined_role_name | The role name as listed in all roles, not as displayed in the web interface label. | Required |
prn | Property resource name. Must be "prn". | Required |
tsg_id | The tenant service group ID as displayed in the web interface. | Required |
app_id | | Optional |
region | Reserved | Reserved |
instance | Reserved | Reserved |
resource_scope | The name of a Strata Cloud Manager scope object. A scope object defines the specific folders, firewalls, Prisma Access deployments, and snippet configurations that Strata Cloud Manager admin roles can access and modify. | Optional |
Use the properties in the following format:
<predefined_role_name>@prn:<TSG_ID>:<app_id>:<region>:<instance>:<resource_scope>
If app_id is left blank, then the role will apply to All Apps and Services.
Example: superuser@prn:1234567890::::
Properties for Custom Roles
The properties available for assigning an access policy with a custom role
follow:
Property | Description | Required |
---|---|---|
role_id | The role ID as displayed in the Custom Role ID column in the format of name:number. | Required |
prn | Property resource name. Must be "prn". | Required |
tsg_id | The tenant service group ID as displayed in the web interface. | Required |
app_id | | Optional |
region | Reserved | Reserved |
instance | Reserved | Reserved |
resource_scope | The name of a Strata Cloud Manager scope object. A scope object defines the specific folders, firewalls, Prisma Access deployments, and snippet configurations that Strata Cloud Manager admin roles can access and modify. | Optional |
Use the properties in the following format:
<role_id>@prn:<TSG_ID>:<app_id>:<region>:<instance>:<resource_scope>
If app_id is left blank, then the role will apply to All Apps and Services.
Example: role:1987654321@prn:1234567890::::
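The two formats above can be checked before a value is placed in a SAML attribute mapping. The following Python sketch is an added example, not Palo Alto Networks code: it parses a value, rejects malformed ones, and reports when a blank app_id widens the role to All Apps and Services. The names parse_policy and review are hypothetical, and treating a populated reserved field as a finding is an assumption based on the examples above.

```python
import re
from typing import NamedTuple

class AccessPolicy(NamedTuple):
    role: str            # predefined_role_name or role_id
    is_custom: bool      # True when the role has the custom name:number shape
    tsg_id: str
    app_id: str
    region: str
    instance: str
    resource_scope: str

# Custom role IDs are "name:number" per the custom role table.
CUSTOM_ROLE = re.compile(r"[^:@\s]+:\d+")

def parse_policy(value: str) -> AccessPolicy:
    """Parse <role>@prn:<TSG_ID>:<app_id>:<region>:<instance>:<resource_scope>."""
    # Split on "@prn:" first, because a custom role_id itself contains a colon.
    role, sep, rest = value.strip().partition("@prn:")
    if not sep or not role:
        raise ValueError("expected <role>@prn:...")
    is_custom = ":" in role
    if is_custom and not CUSTOM_ROLE.fullmatch(role):
        raise ValueError("custom role_id must be name:number")
    fields = rest.split(":")
    if len(fields) != 5:
        raise ValueError(f"expected 5 fields after prn, got {len(fields)}")
    if not fields[0]:
        raise ValueError("tsg_id is required")
    return AccessPolicy(role, is_custom, *fields)

def review(value: str) -> list[str]:
    """Return reviewer findings for one mapping value."""
    p = parse_policy(value)
    findings = []
    if not p.app_id:
        findings.append("blank app_id: role applies to All Apps and Services")
    if p.region or p.instance:
        # Assumption: reserved fields stay empty, as in the page's examples.
        findings.append("reserved field region/instance is populated")
    return findings

if __name__ == "__main__":
    # The first two values are the page's examples; the third is constructed.
    for v in ("superuser@prn:1234567890::::",
              "role:1987654321@prn:1234567890::::",
              "superuser@prn:1234567890:::"):   # one colon short
        try:
            print(v, "->", review(v))
        except ValueError as e:
            print(v, "-> rejected:", e)
```

A value with too few colons is rejected rather than silently shifting fields, which is the most common way a mapping ends up pointing at the wrong scope.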