Use the Cloud Identity Engine to retrieve user and group
information for Prisma Access.
Prisma Access retrieves user and group information
from your organization’s cloud directory or Active Directory (AD),
to enforce user- and group-based policy. Optionally, Prisma Access retrieves
user behavior-based risk signals from some cloud directory vendors,
such as Azure Active Directory, to enforce automated security actions.
You can simplify the retrieval of user and group information by
using the
Cloud Identity Engine.
In
addition to simplifying user and group information retrieval, integrating
the Cloud Identity Engine with Prisma Access can free up the bandwidth
and load on your cloud directory or AD.
You can use the Cloud
Identity Engine to retrieve user and group information for Prisma
Access for mobile users, remote networks, or both, by completing
the following steps.
The Cloud Identity Engine integration
with Prisma Access has the following implementation restrictions:
Make sure that the groups you use with Cloud Identity Engine
do not have any of the following special characters, because Prisma
Access does not support the use of following special characters
in groups and commit operations will fail:
" (Double
quotes)
' (Apostrophe)
< (less than sign)
> (greater than sign)
& (ampersand)
If you associate Cloud Identity Engine with Prisma Access,
your user names must use the NetBIOS format that includes the domain.
You can specify usernames in email format (username@domain), NetBIOS\sAMAccountName format,
or User Principal Name (UPN) format (username@domain.com).
Enter group names in the distinguishedName format
(for example, CN=Users,CN=Builtin,DC=Example,DC=com).
Cloud Identity Engine does not apply any settings you specify
in the
group include list ();
instead, it retrieves user and group information from your entire
configuration, including groups used in all device groups and templates.