MSP Account Roles and Permissions
Table of Contents
Expand all | Collapse all
-
-
- Add a Branch
- Add a Data Center
- Add a Branch Gateway
- Configure Circuits
- Configure Internet Circuit Underlay Link Aggregation
- Configure Private WAN Underlay Link Quality Aggregation
- Configure Circuit Categories
- Configure Device Initiated Connections for Circuits
- Add Public IP LAN Address to Enterprise Prefixes
- Manage Data Center Clusters
- Configure a Site Prefix
- Configure a DHCP Server
- Configure NTP for Prisma SD-WAN
- Configure the ION Device at a Branch Site
- Configure the ION Device at a Data Center
- Switch a Site to Control Mode
- Allow IP Addresses in Firewall Configuration
-
- Configure a Controller Port
- Configure Internet Ports
- Configure WAN/LAN Ports
- Configure a Loopback Interface
- Configure a PoE Port
- Configure and Monitor LLDP Activity and Status
- Configure a PPPoE Interface
- Configure a Layer 3 LAN Interface
- Configure Application Reachability Probes
- Configure a Secondary IP Address
- Configure a Static ARP
- Configure a DHCP Relay
- Configure IP Directed Broadcast
- VPN Keep-Alives
-
- Configure Prisma SD-WAN IPFIX
- Configure IPFIX Profiles and Templates
- Configure and Attach a Collector Context to a Device Interface in IPFIX
- Configure and Attach a Filter Context to a Device Interface in IPFIX
- Configure Global and Local IPFIX Prefixes
- Flow Information Elements
- Options Information Elements
- Configure the DNS Service on the Prisma SD-WAN Interface
- Configure SNMP
-
-
- Prisma SD-WAN Branch Routing
- Prisma SD-WAN Data Center Routing
-
- Configure Multicast
- Create a WAN Multicast Configuration Profile
- Assign WAN Multicast Configuration Profiles to Branch Sites
- Configure a Multicast Source at a Branch Site
- Configure Global Multicast Parameters
- Configure a Multicast Static Rendezvous Point (RP)
- Learn Rendezvous Points (RPs) Dynamically
- View LAN Statistics for Multicast
- View WAN Statistics for Multicast
- View IGMP Membership
- View the Multicast Route Table
- View Multicast Flow Statistics
- View Routing Statistics
- Prisma SD-WAN Incident Policies
-
- Prisma SD-WAN Branch HA Key Concepts
- Configure Branch HA
- Configure HA Groups
- Add ION Devices to HA Groups
- View Device Configuration of HA Groups
- Edit HA Groups and Group Membership
-
- Configure Branch HA with Gen-1 Platforms (2000, 3000, 7000, and 9000)
- Configure Branch HA with Gen-2 Platforms (3200, 5200, and 9200)
- Configure Branch HA with Gen-2 Embedded Switch Platforms (1200-S or 3200-L2)
- Configure Branch HA for Devices with Software Cellular Bypass (1200-S-C-5G)
- Configure Branch HA for Platforms without Bypass Pairs
- Configure Branch HA in a Hybrid Topology with Gen-1 (3000) and Gen-2 (3200) Platforms
- Prisma SD-WAN Incidents and Alerts
MSP Account Roles and Permissions
MSP Account Roles and Permissions
| Where Can I Use This? | What Do I Need? |
|---|---|
|
|
Role-based access
control and authentication is supported for all operations
performed by the MSPs. The MSP tenant, though subservient to the
Prisma SD-WAN tenant, acts as a super-tenant to all the client tenants
under its control.
Typically, MSP accounts are regular user accounts
with additional set of roles, and Single Sign-On (SSO) access through
an enterprise Identity Provider (IdP). A group name within an IdP
system may be mapped to the same name to create a custom role. The
MSP roles and their responsibilities can be classified as:
| MSP Role | Permissions |
|---|---|
| MSP Root (esp_root) | A single root user who has complete control over all aspects of the MSP account. A root user is intended to be a fail-safe, fallback user account and should not be used for regular day-to-day access, administration, and management. |
| MSP Super (esp_super) | A super administrator with privileges to manage other user accounts within the provider account. Optionally, this administrator manages and administers other customer networks. |
| Identity and Access Management (IAM) Administrator (esp_iam_admin) | An IAM administrator with privileges to manage other user accounts within the MSP account. |
| ESP Machine Admin (esp_machine_admin) | An administrator with privileges to manage machine (ION device) allocation and deallocation to child tenants. |
| MSP User (esp_user) | A user with privileges to manage and administer other customer networks after an administrator has assigned the user to a customer account. |
In a MSP account, you may view, manage, or administer other client
networks and accounts, if:
- The client and the provider authorize the client account for management by the provider. This authorization takes place through Prisma SD-WAN customer support for security and tracking.
- Specific users of a provider account are assigned to manage specific, approved client accounts for that provider. This is handled by the users of a provider account who have super administrator or administrator privileges.