Control Role-Based Access for Tenant-Level Administrative Users
Focus
Focus

Control Role-Based Access for Tenant-Level Administrative Users

Table of Contents

Control Role-Based Access for Tenant-Level Administrative Users

If you manage a multitenant deployment, you can use role-based access control (RBAC) to create tenant-level administrative users.
To modify RBAC-level access for tenant-level administrative users in Panorama, you create a tenant-level administrative user, use an Admin Role Profile with a Role of Device Group and Template, and Enable, Disable, or give Read Only access to areas of the Panorama Web UI. Use this method to manage access to all Panorama components for tenant-level users, with the exception of access to the Cloud Services plugin where you manage Prisma Access.
If you want to restrict a tenant-level user from configuring the Prisma Access components in Panorama, you cannot use Admin Roles. To disallow users from configuring Prisma Access-specific configuration tasks, you must prevent the user from accessing the Cloud Services plugin, which also prevents them from viewing it. Using this method, you can create an administrative user for a security professional who has permissions to make changes to security policies and push those changes to Panorama, but cannot view or make any changes to Prisma Access configuration.
You can either enable or disable access to the Cloud Services plugin for a user, but you cannot give a user read-only access; if a user has access to view the Cloud Services plugin, the user can also make configuration changes to its components, including Prisma Access.
The following table shows sample tenant-level administrative roles and the steps you perform to create those roles.
Sample Tenant-Level ConfigurationConfiguration Task
Create a networking-focused user who:
  • Can edit plugin configurations
  • Can commit to Panorama
  • Can push configuration to Prisma Access
Create a tenant-level administrative user, enabling Save and Commit permissions in the Admin Role Profile, and disabling or making Read Only any permissions that you don’t want the tenant-level administrative user to have.
Create a security-focused user who:
  • Can view and make changes to security policies
  • Can commit to Panorama
  • Cannot view, or make changes to, the Cloud Services plugin
  • Cannot push configuration to Prisma Access (requires the superuser to push the configuration)
To prevent a tenant-level administrative user from viewing or accessing the plugin, remove plugin access for a tenant-level administrator. For all other Panorama-related permissions, change the Admin Role permissions for the user.
Create a hybrid user who:
  • Has read-only access to the Cloud Services plugin
  • Has read-write access to the security policy
  • Cannot push the configuration to Prisma Access (requires the superuser to push the configuration)
This configuration is not possible. You cannot make the Cloud Services plugin read-only. You can only provide access to admin users to view it and use it to make configuration changes, or disallow them from viewing it.

Remove Plugin Access for a Tenant-Level Administrative User

In normal multitenant configurations, you use access domains Add Tenants to Prisma Access and associate each access domain with a tenant. To prevent a tenant-level administrative user from viewing or making configuration changes to Prisma Access, you create an access domain, but you do not associate it with a tenant.
Because you associated the access domain to the device groups and template stacks for the tenant, the tenant-level administrative user has RBAC access at the tenant level and is able to perform configuration for that tenant only. Because you did not associate the access domain with a tenant in Prisma Access, the access domain is unable to view the Cloud Services plugin, which provides access to Prisma Access. In this way, you create a user who can perform tenant-level configuration tasks without being able to access, view, or make configuration changes to Prisma Access.
To remove Prisma Access access for an administrative-level user, complete the following task.
This task assumes that you have Add Tenants to Prisma Access templates, template stacks, and device groups for the tenant; you’ll be associating them to the tenant-level administrative user.
  1. Create an administrative role with a type of Device Group and Template.
    1. Select PanoramaAdmin Roles.
    2. Add an Admin Role Profile with a Role of Device Group and Template.
    3. Click OK.
      You can create a single Admin Role Profile and share it across multiple tenants.
  2. Select PanoramaAccess Domain and Add an Access Domain.
  3. Specify the Device Groups and Templates associated with the tenant.
    If you created any device groups that are children or grandchildren of other device groups under the Shared parent device group, select only the device group at the lowest hierarchical level (child or grandchild); do not select the parent or you will have errors on commit.
  4. Create and configure an Administrator for the tenant-level administrative user, specifying the Access Domain you just created.
    1. Select PanoramaAdministrators.
    2. Add an Administrator.
    3. Enter and confirm a Password for the new Administrator.
    4. Specify an Administrator Type of Device Group and Template Admin.
    5. Specify the Access Domain that is associated with the device groups for that tenant.
    6. Specify the Admin Role that you created in Step 1 for the tenant.
      When you complete this example, the abcd-tenant-no-plugin-access Administrative user will have permissions based on what you defined in the Admin Role profile, but will not be able to view or configure the Cloud Services plugin (including Prisma Access). Note, however, that they will not be able to push any changes that they make to the cloud.
  5. Select CommitCommit to Panorama and Commit your changes.