Where Can I Use This? | What Do I Need? |
- Prisma Access (Managed by Panorama)
For information about managing multiple tenants in Prisma Access (Managed by Strata Cloud Manager), see Prisma SASE.
| |
To modify RBAC-level access for tenant-level administrative users in Panorama, you create a tenant-level administrative user, use an Admin Role Profile with a Role of Device Group and Template, and Enable, Disable, or give Read Only access to areas of the Panorama Web UI. Use this method to manage access to all Panorama components for tenant-level users, with the exception of access to the Cloud Services plugin, where you manage Prisma Access.

If you want to restrict a tenant-level user from configuring the Prisma Access components in Panorama, you cannot use Admin Roles. To stop users from performing Prisma Access-specific configuration tasks, you must prevent the user from accessing the Cloud Services plugin, which also prevents them from viewing it. Using this method, you can create an administrative user for a security professional who has permissions to make changes to security policies and push those changes to Panorama, but cannot view or make any changes to Prisma Access configuration.

You can either enable or disable access to the Cloud Services plugin for a user, but you cannot give a user read-only access; if a user has access to view the Cloud Services plugin, the user can also make configuration changes to its components, including Prisma Access.

The following table shows sample tenant-level administrative roles and the steps you perform to create those roles.
Sample Tenant-Level Configuration | Configuration Task |
Create a networking-focused user who: | Create a tenant-level administrative user, enabling Save and Commit permissions in the Admin Role Profile, and disabling or making Read Only any permissions that you don’t want the tenant-level administrative user to have. |
Create a security-focused user who:
- Can commit to Panorama
- Cannot view, or make changes to, the Cloud Services plugin
- Cannot push configuration to Prisma Access (requires the superuser to push the configuration)
| To prevent a tenant-level administrative user from viewing or accessing the plugin, remove plugin access for a tenant-level administrator. For all other Panorama-related permissions, change the Admin Role permissions for the user. |
Create a hybrid user who:
- Has read-only access to the Cloud Services plugin
- Has read-write access to the security policy
- Cannot push the configuration to Prisma Access (requires the superuser to push the configuration)
| This configuration is not possible. You cannot make the Cloud Services plugin read-only. You can only provide access to admin users to view it and use it to make configuration changes, or disallow them from viewing it. |