Configure Dynamic Privilege Access Settings
Learn about the Dynamic Privilege Access functionality in this section.
Where Can I Use This?
  • Prisma Access (Managed by Strata Cloud Manager)
What Do I Need?
For IT Enterprise and IT Enabled Services (ITES) companies that need to control which users have access to their customer projects, Dynamic Privilege Access provides a seamless, secure, and compartmentalized way for your users to access only those projects that they are assigned to. These companies typically assign several customer projects to employees and provide siloed access to these projects so that an authorized user can access only one customer project at a time.

What Is Dynamic Privilege Access?

Dynamic Privilege Access is a feature in Prisma Access that provides dynamic privileges for your users based on the workflow or project that your users select in the Prisma Access Agent. Your users can have dynamic privileges based on the combination of the user group and IP pool that is assigned to a project. This unique combination defines a project. With Dynamic Privilege Access, you can isolate resources in your network so that they are only accessible to your users according to the projects they are assigned to.
A new predefined role called the Project Admin is available on Prisma Access to allow project administrators to create and manage project definitions. Project administrators have the ability to map projects to select Prisma Access location groups, and create IP address assignments using DHCP based on the project and location group. Project administrators can manage only the projects that they are assigned to in Strata Cloud Manager.
When your end users log in to a Prisma Access Agent that is enabled for Dynamic Privilege Access on their managed devices, the following workflow takes place:
  1. Your end user selects a project that they are assigned to (for example, Project 1).
  2. Their identity is authenticated in Cloud Identity Engine, which maps the user's user group to the project.
  3. Upon successful authentication, if their user group matches the project criteria set up by the project admin, the user gains access to resources in the network through the project-specific settings for Project 1 and the security rules that provide security posture and access control on a per-project basis. The security infrastructure applies these security rules to restrict user access to only the resources and applications belonging to that project. Access to resources and applications from other projects isn't allowed.
  4. When the user switches to a different project (for example, Project 2), they are signed out of the previous project (Project 1). They can then access the resources for the second project based on the project-specific settings and security rules for that project.
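The following is an added illustrative model of the workflow above, not Prisma Access or Strata Cloud Manager code. It treats a project as the combination of a user group and an IP pool, gives a session a single active-project slot so that selecting a new project signs the user out of the previous one, and evaluates a default-deny rule that allows a resource only when it belongs to the active project and the session's address comes from that project's pool. The project names, group names, pools and resource names are constructed sample data, and the first-host-address assignment is a stand-in for the DHCP-based assignment the page describes.

```python
"""Illustrative model of Dynamic Privilege Access decisions.

Added example, not Prisma Access code: a project is the combination of a user
group and an IP pool; a session holds at most one active project; a resource is
reachable only when the session's active project owns it and the session's
address comes from that project's pool. All names below are constructed.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, FrozenSet, Optional


@dataclass(frozen=True)
class Project:
    name: str
    user_group: str       # group the user must belong to (assumed naming)
    ip_pool: IPv4Network  # pool the agent is addressed from while in this project


@dataclass
class Session:
    user: str
    groups: FrozenSet[str]                 # groups returned by the identity provider
    active_project: Optional[str] = None   # one project at a time
    assigned_ip: Optional[str] = None


# Constructed sample project definitions, as a Project Admin would create them.
PROJECTS: Dict[str, Project] = {
    "Project 1": Project("Project 1", "grp-project1", ip_network("10.10.1.0/24")),
    "Project 2": Project("Project 2", "grp-project2", ip_network("10.10.2.0/24")),
}

# Constructed sample resources, each tagged with the single project that owns it.
RESOURCES: Dict[str, str] = {
    "crm.project1.example": "Project 1",
    "git.project1.example": "Project 1",
    "erp.project2.example": "Project 2",
}


def select_project(session: Session, project_name: str,
                   projects: Dict[str, Project] = PROJECTS) -> Session:
    """Steps 1-2 and 4: the user picks a project, the group check is applied,
    and any previously active project is signed out (a session has one slot)."""
    project = projects.get(project_name)
    if project is None:
        raise ValueError(f"unknown project: {project_name}")
    if project.user_group not in session.groups:
        raise PermissionError(f"{session.user} is not in {project.user_group}")
    session.active_project = project.name
    # Stand-in for the DHCP assignment: first host address of the project's pool.
    session.assigned_ip = str(next(project.ip_pool.hosts()))
    return session


def is_allowed(session: Session, resource: str,
               resources: Dict[str, str] = RESOURCES,
               projects: Dict[str, Project] = PROJECTS) -> bool:
    """Step 3: the per-project security rule. Allow only when the resource
    belongs to the active project and the source address is in that pool."""
    owner = resources.get(resource)
    if owner is None or session.active_project is None or session.assigned_ip is None:
        return False  # unknown resource or no project selected: default deny
    pool = projects[session.active_project].ip_pool
    return owner == session.active_project and ip_address(session.assigned_ip) in pool


def reachable(session: Session, resources: Dict[str, str] = RESOURCES) -> FrozenSet[str]:
    """Everything the session may reach right now; handy for checking that a
    policy change did not open a cross-project path."""
    return frozenset(r for r in resources if is_allowed(session, r))


if __name__ == "__main__":
    alice = Session("alice", frozenset({"grp-project1", "grp-project2"}))
    select_project(alice, "Project 1")
    print(alice.assigned_ip, sorted(reachable(alice)))
    select_project(alice, "Project 2")   # signs out of Project 1
    print(alice.assigned_ip, sorted(reachable(alice)))
```

The point of the `reachable` helper is the check a defender wants after every project or rule change: for each session state, the set of reachable resources should never contain anything owned by a project other than the active one.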
You can gain visibility into your Prisma Access Agent deployment by using Strata Cloud Manager to monitor your users' project activity, and view the service consumption and security posture in your network.