In normal multitenant configurations, you
use access domains
Add Tenants to Prisma Access and associate
each access domain with a tenant. To prevent a tenant-level administrative
user from viewing or making configuration changes to Prisma Access,
you create an access domain, but you do not associate it with a
tenant.
Because you associated the access domain to the device
groups and template stacks for the tenant, the tenant-level administrative
user has RBAC access at the tenant level and is able to perform
configuration for that tenant only. Because you did not associate
the access domain with a tenant in Prisma Access, the access domain
is unable to view the Cloud Services plugin, which provides access
to Prisma Access. In this way, you create a user who can perform
tenant-level configuration tasks without being able to access, view,
or make configuration changes to Prisma Access.
To remove
Prisma Access access for an administrative-level user, complete
the following task.
This task assumes that you have
Add Tenants to Prisma Access templates,
template stacks, and device groups for the tenant; you’ll be associating
them to the tenant-level administrative user.