MSP Account Roles and Permissions
Role-based access control and authentication are supported for all operations performed by MSPs. The MSP tenant, though subservient to the Prisma SD-WAN tenant, acts as a super-tenant to all the client tenants under its control.
Typically, MSP accounts are regular user accounts with an additional set of roles and Single Sign-On (SSO) access through an enterprise Identity Provider (IdP). A group name within an IdP system may be mapped to the same name to create a custom role. The MSP roles and their responsibilities can be classified as:
MSP Role | Permissions |
MSP Root (esp_root) | A single root user who has complete control over all aspects of the MSP account. A root user is intended to be a fail-safe, fallback user account and should not be used for regular day-to-day access, administration, and management. |
MSP Super (esp_super) | A super administrator with privileges to manage other user accounts within the provider account. Optionally, this administrator manages and administers other customer networks. |
Identity and Access Management (IAM) Administrator (esp_iam_admin) | An IAM administrator with privileges to manage other user accounts within the MSP account. |
ESP Machine Admin (esp_machine_admin) | An administrator with privileges to manage machine (ION device) allocation and deallocation to child tenants. |
MSP User (esp_user) | A user with privileges to manage and administer other customer networks after an administrator has assigned the user to a customer account. |
In an MSP account, you may view, manage, or administer other client networks and accounts, if: