1. Overview

In Prisma Cloud Enterprise Edition, you can assign permission groups to user roles to control their level of access to Prisma Cloud. Permission groups determine what a user can do and see in Prisma Cloud UI, and the APIs he or she can access. These permission groups are mapped to Compute according to the table below.

2. Prisma Cloud Permission Group to Compute Role mapping

The following table summarizes the Permission groups available in Prisma Cloud and their mapping to Compute Console.

Prisma Cloud Permission Group Compute Role Access level Typical uses case(s)

System Admin (supports Compute-only check)


Full read-write access to all Prisma Cloud settings and data.

Security administrators.

Account & Cloud Provisioning Admin (supports Compute-only check)


Read-only access to all Prisma Cloud Compute rules and data.

Auditors and compliance staff that need to verify settings and monitor compliance.

Cloud Provisioning Admin

Defender Manager

Install, manage, and remove Defenders from your environment.

DevOps team members that need to manage Defender deployments without sysadmin privileges.

Account Group Admin (supports Compute-only check)


Read-only access to all Prisma Cloud Compute rules and data.

Auditors and compliance staff that need to verify settings and monitor compliance.

Account Group Read Only (supports Compute-only check)

DevSecOps User

Read-only access to all results under Radar and Monitor, but no access to view or change policy or settings.

DevSecOps personnel.

Build and Deploy Security

DevOps User

Read-only access to the Prisma Cloud CI vulnerability and compliance scan reports only.

Developer, Operations, and DevOps personnel that need to know about and/or address the vulnerabilities in your environment.

Build and Deploy Security ("Only Access Key" selection)

CI User

Run the Continuous Integration plugins, IaC scans, IDE plugins only.

CI Users can only run the plugin and have no other access to configure Prisma Cloud.

Only for Compute Capabilities checkbox This checkbox is available for Admin and Read-Only user roles - Auditor and DevSecOps. When assigned, users will be given access to only the Compute tab and Access keys tab in the Prisma Cloud platform. All other tabs, such as Policy, Asset Inventory, etc, will be hidden from view.

On-prem/Other cloud providers You can assign read only roles to view data from Defenders that are deployed on hosts outside of supported cloud providers for Cloud Account discovery in Compute (i.e AWS, Azure, GCP, Alibaba). e.g. OpenShift on VMware vSphere inside private datacenter. Other clouds (e.g. Oracle, IBM, etc)

Users with read-only permission to Compute Console only see data from cloud accounts they have access to (in Prisma). For example, read-only user John who is assigned access to onboarded accounts from AWS in Prisma Cloud but no access to accounts from GCP and Azure. When John selects the Compute tab, he can only view data coming from Defenders in the assigned AWS account and no other Defenders. Only system admin permission group users can manage/view data coming from all Defenders in Compute. This includes data from cloud accounts that may not be onboarded in Prisma Cloud.

DevOps/CI users only have access to CI/CD scans hence the account filtering mentioned above does not apply to these users.
Only Admin can create collections in Compute. Collections for Read-Only users are visible according to the cloud accounts they are assigned in Prisma Cloud and the subsets of those resources created in manual collections by Admins.

You can assign granular compute resources access via Resource Lists. To learn more about Prisma Cloud Roles and assignment, see Assign Roles

To learn more about Compute roles, see User roles.