1. Overview

After creating a user or group, you can assign a role to it. Roles determine the level of access to Prisma Cloud’s data and settings.

Prisma Cloud supports two types of users and groups:

  • Centrally managed users and groups, defined in your organization’s directory service. With directory services such as Active Directory, OpenLDAP, and SAML providers, you can re-use the identities set up in these systems.

  • Prisma Cloud users and groups, created and managed from Console. For centrally managed users groups, roles can be assigned after you integrate your directory service with Prisma Cloud. Roles can be assigned to individual users or to groups. When you assign a role to a group, all members of the group inherit the role. Managing role assignments at the group level is considered a best practice. Groups provide an easier way to manage a large user base, and simpler foundation for building your access control policies.

For Prisma Cloud users and groups, roles are assigned at the user level when the user is created. When you create a Prisma Cloud group, you add Prisma Cloud users to it. Users in this type of group always retain the role they were assigned when they were created.

2. Assigning roles to Prisma Cloud users

If you do not have a directory service, such as Active Directory (AD) or Lightweight Directory Access Protocol (LDAP), Prisma Cloud lets you create and manage your own users and groups. When you create a Prisma Cloud user, you can assign it a role, which determines its level of access.

To create a user and assign it a role:

  1. Open Console, and log in with your admin credentials.

  2. Go to Manage > Authentication > Users.

  3. Click Add user.

    1. Enter a username.

    2. Enter a password.

    3. Assign a role.

    4. Click Save.

3. Assigning roles to Prisma Cloud groups

Collecting users into groups makes it easier to manage your access control rules.

Each user in the group retains his own role to prevent erroneous privilege escalation.

To create a Prisma Cloud group and add users to it:

  1. Open Console and log in with your admin credentials.

  2. Go to Manage > Authentication > Groups.

  3. Click Add group.

    1. Enter a name for your group.

    2. In the drop down list, select a user.

    3. Click +.

    4. Repeat steps b to c until your group contains all the members you want.

    5. Click *Save:

4. Assigning roles to AD/OpenLDAP/SAML users

By default, AD/OpenLDAP/SAML users have the very basic Access User role. You can grant users a different level of access to Console by assigning them roles.

If a user is a part of an AD, OpenLDAP, or SAML group, and you have assigned a role to the group, the user inherits the group’s role.

Prerequisites: You have integrated Prisma Cloud with Active Directory, OpenLDAP, or SAML.

  1. Open Console.

  2. Log in with your admin credentials.

  3. Go to Manage > Authentication > Users.

  4. Click Add user.

    1. Enter the username for the user whose role you want to set. For example, if you have integrated Prisma Cloud with Active Directory, enter a UPN.

    2. In the Role drop-down menu, select a role.

    3. Click Save.

5. Assigning roles to AD/OpenLDAP/SAML groups

You can assign an AD/OpenLDAP/SAML group a role. Members of the group inherit the group’s role. When a user from a group tries to access a resource protected by Prisma Cloud, Prisma Cloud resolves the member’s role on the fly.

If a user is assigned multiple roles, either directly or through group inheritance, then he is granted the rights of the highest role. For example, assume Bruce is part of GroupA and GroupB in Active Directory. In Console, you assign the Administrator role to GroupA and the Auditor role to GroupB. When Bruce logs into Prisma Cloud, he will have Administrator rights.

The following procedure shows you how to assign a role to an existing AD/OpenLDAP/SAML group:

Prerequisites: You have integrated Prisma Cloud with Active Directory, OpenLDAP, or SAML.

  1. Open Console, and log in with your admin credentials.

  2. Go to Manage > Authentication > Groups.

  3. Click Add group.

    1. Specify the name of the group. It should match the group name specified in your directory service.

    2. Check LDAP group.

    3. Select a role.

    4. Click Save.