1. Overview

You can assign roles to users to control their level of access to Prisma Cloud. Roles determine what a user can do and see in Console, and the APIs he or she can access. Roles are enforced the same way for both the Prisma Cloud UI and API.

Prisma Cloud provides several pre-defined system roles you can assign to users and groups, as well as allows you to create your own customized roles.

2. Summary of system roles

The following table summarizes the system roles available in Prisma Cloud.

Role Access level Typical use case(s)

Administrator

Full read-write access to all Prisma Cloud settings and data.

Security administrators.

Operator

Read-write access to all rules and data.

Read-only access to user and group management, role assignments, and the global settings under Manage > System.

Security operations teams.

Auditor

Read-only access to all Prisma Cloud rules and data.

Auditors and compliance staff that need to verify settings and monitor compliance.

DevSecOps User

Read-only access to all results under Radar and Monitor, but no access to change policy or settings.

Read-only access to Utilities.

DevSecOps personnel.

Vulnerability Manager

Define policy and monitor vulnerabilities and compliance.

DevOps users that also need to define policy and monitor vulnerabilities and compliance.

DevOps User

Read-only access to the Prisma Cloud CI vulnerability, compliance scan reports, and Utilities.

Developer, Operations, and DevOps personnel that need to know about and/or address the vulnerabilities in your environment.

Defender Manager

Install, manage, and remove Defenders from your environment.

DevOps team members that need to manage Defender deployments without sysadmin privileges.

Access User

Basic API routes only

IMPORTANT: Access User role has permissions to some basic API routes only, and no access to the Console UI. This user role will be deprecated in the next release of Prisma Cloud Compute.

Developers (and others) that use the nodes that Prisma Cloud protects.

CI User

Run the Continuous Integration plugin only.

CI Users can only run the plugin and have no other access to configure Prisma Cloud.

Let’s look at how two roles at the opposite end of the spectrum differ: Administrator and User. Administrators set the security policy. They decide who can run what Docker commands, and where they can be run. Users need to run Docker commands to do their job. Testers, for example, run Docker commands in the staging environment to test containers under development. Testers, however, have no business starting containers in the production environment. Administrators set a policy to assign testers the user role that lets testers run Docker commands in staging, but restricts their access to production.

3. System roles

This section describes the system roles Prisma Cloud supports.

3.1. Administrator

The Administrator can manage all aspects of your Prisma Cloud installation. They have full read-write access to all Prisma Cloud settings and data.

Administrators can:

  • Create and update security policies.

  • Create and update access control policies.

  • Create and update the list of users and groups that can access Prisma Cloud.

  • Assign roles to users and groups.

  • The Admin role is reserved for security administrators.

When Administrators log into Console, they have access to the full dashboard. If you click on the profile button on the top right of the dashboard, you get the details of the currently logged in user (admin) and associated role (Administrator).

user roles admin

3.2. Operator

Operators can create and update all Prisma Cloud settings. This role lets you view audit data and manage the rules that define your policies.

Operators cannot:

  • Create, update, or delete users or groups.

  • Assign or reassign roles to any user or group.

  • Change the global settings under Manage > System.

The Operator role is designed for members of your Security Operations team.

3.3. Auditor

Auditors get read-only access to all Prisma Cloud data, settings, and logs.

Auditors are typically members of your compliance team. They verify that your Prisma Cloud setup meets your organization’s security requirements. To verify compliance, they must be able to see your settings, but they do not need to make changes to them.

Auditors have access to the utilities page (Manage > System > Utilities).

3.4. DevSecOps User

DevSecOps Users get access to all views under Radar and Monitor. Access to the Actions menu in these views is disabled. The Actions menu lets you do things such as relearn models, protect services found by Cloud Discovery, and so on.

DevSecOps Users get read only access to vulnerabilities and compliance policies under Defend.

Under Manage, they only get access to Manage > System > Utilities. This page lets you download various Prisma Cloud components. DevSecOps Users can download all files, except Defender images, which are disabled for this role.

3.5. Vulnerability Manager

Vulnerability Managers define and monitor vulnerabilities and compliance policy. Vulnerability Managers gain the following permissions:

  • Read-write access to Defend > Vulnerabilities and Defend > Compliance.

  • Read-write access to Monitor > Vulnerabilities, Monitor > Compliance and Monitor > Events > Trust Audits.

  • Read-only access to Manage > System > Utilities. The Utilities page lets you download various Prisma Cloud components. Vulnerability Managers can download all files, except Defender images, which are disabled for this role.

3.6. DevOps User

DevOps Users get read-only access to the Jenkins Jobs and Twistcli Scans tabs under Monitor > Vulnerabilities and Monitor > Compliance. Each tab contains scan reports for images and serverless functions scanned using these tools. DevOps Users can use Prisma Cloud scan reports and tools, for example, to determine why the CI/CD pipeline is stalled.

DevOps Users get read only access to vulnerabilities and compliance policies under Defend.

Under Manage, they only get access to Manage > System > Utilities. This page lets you download various Prisma Cloud components. DevOps Users can download all files, except Defender images, which are disabled for this role.

3.7. Defender Manager

Defender Managers get read-write access to Manage > Defenders and Manage > System > Utilities.

Defender Managers can install, manage, and remove Defenders from your environment. The Defender Manager role was designed to let members of your DevOps team manage the hosts that Prisma Cloud protects without requiring Administrator-level privileges. To help debug Defender deployment issues, Defender Managers get read-only access to Prisma Cloud settings and log files.

Defender Managers are typically members of your DevOps team. They need to manage the hosts that Prisma Cloud protects, but they never need to alter any security policies.

Defender Managers are also used to automate Defender deployment. If you use twistcli to deploy Defenders in your environment, create a service account with the Defender Manager role for the program that calls twistcli.

This role can see view the secrets that Defenders use to do their job, such as cloud credentials for registry scanning.

3.8. Access User

Access User role has permissions to some basic API routes only, and no access to the Console UI. This user role will be deprecated in the next release of Prisma Cloud Compute.

Users work with Docker containers. They run Docker client commands on the hosts that are protected by the Defender. The commands they run include:

  • Pulling an image from a registry.

  • Starting a container on a host.

  • Stopping a container.

Users are typically members of your engineering team. For example, all members of your test team would be assigned the User role.

3.9. CI User

The CI user role can be assigned to users that should only be able to run the plugin but have no other access to configure Prisma Cloud or view the data that we have. It is designed to only provide the minimal amount of access required to run the plugins.

A CI user cannot log into the Console or even view the UI Dashboard.

4. Custom roles

Prisma Cloud Compute allows you to create customized user roles to fit the needs of your organization. When creating a role, you will be able to select which sections of the product the role will have access to and with what permissions - Read-Only or Read-Write.

The permissions you grant for a role will apply to both the Prisma Cloud UI and API.

Read permission will grant the role with access to all GET APIs for fetching data. Write permission will grant the role with access to all other APIs (POST, PUT, DELETE, etc.) for saving data and performing actions, in addition to all GET APIs.

If a role allows access to policies, users with this role will be able to see all rules and all collections that scope rules under the Defend section, even if the user’s view of the environment is restricted by assigned collections.

4.1. Create custom roles

Create a new custom role under Manage > Authentication > Roles.

  1. In Manage > Authentication > Roles, click Add role.

    You can also use the Clone action on an existing role, which copies its permissions and saves you the need to set them from scratch.

  2. Enter a name and a description for your custom role.

  3. Use the Access to Console UI toggle to configure whether the role will have access to Prisma Cloud UI. Setting the toggle to off means that the role will only have access to the API (according to the permissions granted to it).

  4. Select the role’s permissions under Radars, Defend, Monitor, and Manage. For each permission you can choose granting Read or Write access.

  5. Click Save.

    Changes to role permissions while users are logged into Prisma Cloud Console only apply after users re-login.
    custom roles create role

4.2. Unique permissions

  • Several permissions require other permissions in order to work properly. For example, roles that access policies typically require permissions for collections. These dependencies are highlighted when setting role permissions.

    If a role is missing permissions, the logged-in user will get a suitable message on the relevant page. Components to which he is missing permissions will be hidden or disabled.

    custom roles missing permissions
  • Some pages do not include write actions (e.g. Containers Radar), however you will still have the option to grant write permission to them. This will have no effect on the UI components and API calls the role has access to.

  • Data updates pushed to client browsers permission is required in order to control access to sensitive information used to populate views in the UI. This data flows over the connection from the Console to client browsers and includes new audits, scan progress updates, etc. Granting no access to this permission will cause these updates to not be exposed in the UI until an active refresh of the browser.

5. Assign roles

To learn how to assign roles to users and groups, see Assign roles.