SaaS Security Administrator's Guide
    : Add a Custom Admin Role
    Focus
    Download PDF
    Focus
    1. Home
    2. SaaS Security
    3. SaaS Security Administrator's Guide
    4. Data Security
    5. Get Started with Data Security
    6. Manage Data Security Administrators
    7. Add a Custom Admin Role
    Download PDF

    SaaS Security Administrator's Guide

    Add a Custom Admin Role

    Table of Contents

    Add a Custom Admin Role

    Create a custom role to define the privileges needed for a specialized admin role on Data Security.
    If you want to define more granular access privileges than what the predefined roles provide, you can add custom admin roles.
    Custom roles enable you to choose the privileges associated with the role so that you can restrict access to specific pages or actions on Data Security. For example, a threat researcher needs access to download quarantined files, while all other incident handlers should not be allowed to download quarantined files. When you then assign the role to an administrator, that administrator inherits the privileges associated with the role.
    The easiest way to create a custom role is to clone an existing custom role, such as the Limited Admin role, and modify it to enable the access privileges for the interface elements that you want to allow for the administrator.

    Use Custom Admin Roles in Data Security

    Adding custom roles through Data Security does not impact the custom roles you created through SaaS Security Console and vice versa.
    1. Log in to Strata Cloud Manager as a Super User and add custom admin roles through Common Services.
    2. Edit the custom roles as per your requirement available under Next-Generation CASBData Security and Next-Generation CASBSettings.
      • Data Security—Dashboard, Applications, Data Assets, Incidents, Policies, Reports, Users & Activity, and Actions.
      • Settings—Configure, Workflow, Scan & Data, Service Monitoring & License, and Admin Audit logs.
      For each parameter within a category, choose from the following options:
      • No Access—No access to the page.
      • Read— View data on the pages, view and download reports.
      • Write—Quarantine, Restore Quarantine, View Snippets, Send Email, Asset Change Sharing, Download Snippets, create configuration elements such as Policies, Data patterns and signatures in addition to viewing data.
    3. Save your changes.
    4. After creating the custom admin roles, assign it to specific users.
    5. Ensure that you have added your roles to Data Security (under Apps & Services).
      Custom roles are active on the next login.
      After creating custom admin roles, the changes are reflected in the Data Security UI. For example, if you created a custom role with No Access to Data Assets, then Data Assets will not be available in your UI. Further, Data Assets will not be accessible through other sections of the application also. For example, you cannot access Data Assets through the Incidents tab.
      Important Points to Note While Using Custom Admin Roles
      • By default, permissions are inherited by child elements. For example, the permissions you set for Assets (parent element) are inherited by Data Assets (child element). If you want to set custom permissions for child elements which differ from that of their parent elements, ensure that the parent elements have lesser permissions.
      • For Actions, there are only two options available: No Access and Write. If Read is selected, it is the same as No Access.
      • You can create up to 50 custom roles.

    © 2025 Palo Alto Networks, Inc. All rights reserved.