To modify RBAC-level access for
tenant-level administrative users in Panorama, you
create a tenant-level
administrative user, use an
Admin Role Profile with
a
Role of
Device Group and Template,
and
Enable,
Disable,
or give
Read Only access to areas of the
Panorama
Web UI. Use this method to manage
access to all Panorama components for tenant-level users, with the
exception of access to the Cloud Services plugin where you manage
Prisma Access.
If you want to restrict a tenant-level user
from configuring the Prisma Access components in Panorama, you cannot
use Admin Roles. To disallow users from configuring Prisma Access-specific
configuration tasks, you must
prevent the user from
accessing the Cloud Services plugin, which also prevents
them from viewing it. Using this method, you can create an administrative
user for a security professional who has permissions to make changes
to security policies and push those changes to Panorama, but cannot
view or make any changes to Prisma Access configuration.
You
can either enable or disable access to the Cloud Services plugin
for a user, but you cannot give a user read-only access; if a user
has access to view the Cloud Services plugin, the user can also
make configuration changes to its components, including Prisma Access.
The
following table shows sample tenant-level administrative roles and
the steps you perform to create those roles.
Sample Tenant-Level Configuration | Configuration Task |
Create a networking-focused user who: | Create a tenant-level
administrative user, enabling Save and Commit permissions
in the Admin Role Profile, and disabling
or making Read Only any permissions that
you don’t want the tenant-level administrative user to have. |
Create a security-focused user who:Can
commit to Panorama Cannot view, or make changes to, the Cloud Services plugin Cannot push configuration to Prisma Access (requires the superuser
to push the configuration)
| To prevent a tenant-level administrative user
from viewing or accessing the plugin, remove plugin access
for a tenant-level administrator. For all other Panorama-related
permissions, change the Admin Role permissions for the user. |
Create a hybrid user who:Has read-only access
to the Cloud Services plugin Has read-write access to the security policy Cannot push the configuration to Prisma Access (requires the
superuser to push the configuration)
| This configuration is not possible. You
cannot make the Cloud Services plugin read-only. You can only provide
access to admin users to view it and use it to make configuration
changes, or disallow them from viewing it. |