User Roles for IoT Security

Learn about IoT Security user roles.
Role-based access control (RBAC) enables you to assign privileges and access rights to administrative users through role assignment. You create user accounts in the Customer Support Portal (CSP), assign them roles in the hub, and limit the data they can access by site in the IoT Security portal. For step-by-step instructions about creating users for IoT Security, see Create IoT Security Users.
IoT Security supports the following user roles:
  • App Administrator
  • Instance Administrator
  • Owner
  • Administrator
  • Read only
The App Administrator and Instance Administrator are common roles that are available to every Palo Alto Networks product application. For IoT Security, they provide the same privileges as Owner. To learn more about them, see Available Roles.
The three user roles specifically for the IoT Security portal are Owner, Administrator, and Read only.
User Role: Owner (also App Administrator and Instance Administrator)
Role Definition: Access to all functions in the IoT Security portal
Access Control: All read/write privileges as administrators plus:
  • Set a global idle timeout
  • Change the device-to-site assignment method from one based on firewall locations to one based on IP addresses
  • View audit logs for all users
  • Set scanning permissions per administrator account
  • Control which sites users with administrator and read-only privileges can access
  • Control who receives notifications of security alerts and system alerts

User Role: Administrator
Role Definition: Access to most functions in the IoT Security portal
Access Control: Create, edit, and delete IoT Security configurations and manage their own account preferences:
  • See their own user role and list of sites they can access
  • Create, download, and delete API access keys
  • Update contact info
  • Modify their login preference if accessing multiple deployments
  • Shorten the idle timeout
  • Enable and disable alert sounds
  • Enable and disable alert notifications via SMS and email
  • Manage their own user account preferences
  • See the audit log for their own activities

User Role: Read only
Role Definition: Can only view data in the IoT Security portal
Access Control:
  • View IoT Security data for the sites they can access
  • Manage their own user account preferences
  • See the audit log for their own activities

For Panorama-managed Prisma Access tenants with an IoT Security add-on license, add the following types of users to give them access privileges to both Prisma Access and IoT Security:
| Prisma SASE Platform User Roles | IoT Security User Roles |
|---|---|
| Superuser, MSP Superuser | Owner |
| N.A. | Administrator* |
| View Only Administrator | Read-only |
* There is no user role in Prisma SASE that maps to the Administrator role in IoT Security.
If you are a new Panorama-managed Prisma Access customer as of August 2022, or an existing Panorama-managed Prisma Access customer whose Prisma Access instance has been transitioned to the Prisma SASE platform, use Common Services: Identity & Access to manage user access, roles, and service accounts.
If you are an existing Panorama-managed Prisma Access customer whose Prisma Access instance has not yet been transitioned to the Prisma SASE platform, you can continue using the existing process to create administrative users until the transition completes.