Prisma Cloud Compute User Roles

In Prisma Cloud Enterprise Edition, you can assign roles to users to control their level of access to Prisma Cloud. Roles determine what a user can do and see in Prisma Cloud UI, and the APIs he or she can access. These roles are mapped to Compute according to the table below.

Prisma Cloud Roles to Compute Roles mapping

To create roles, go to Settings >. The following table summarizes the roles available in Prisma Cloud and their mapping to Compute Console.

Prisma Cloud Role Compute Role Access level Typical uses case(s)

System Admin


Full read-write access to all Prisma Cloud settings and data.

Security administrators.

System Admin ("Only allow compute access" selection)


Full read-write access to only Prisma Cloud Compute settings and data.

Application security administrators.

Account & Cloud Provisioning Admin


Read-only access to all Prisma Cloud Compute rules and data.

Auditors and compliance staff that need to verify settings and monitor compliance.

Cloud Provisioning Admin

Defender Manager

Read-only access to all Compute rules and data. Can install and uninstall Defenders.

DevOps and sysadmins for the nodes that Prisma Cloud protects.

Account Group Admin


Read-only access to all Prisma Cloud Compute rules and data.

Auditors and compliance staff that need to verify settings and monitor compliance.

Account Group Read Only

DevSecOps User

Read-only access to all results under Radar and Monitor, but no access to view or change policy or settings.

DevSecOps personnel.

Build and Deploy Security

DevOps User

Read-only access to the Prisma Cloud CI vulnerability and compliance scan reports only.

Developer, Operations, and DevOps personnel that need to know about and/or address the vulnerabilities in your environment.

Build and Deploy Security ("Only Access Key" selection)

CI User

Run the Continuous Integration plugins, IaC scans, IDE plugins only.

CI Users can only run the plugin and have no other access to configure Prisma Cloud.

Non-Onboarded Cloud cloud account access You can assign read only roles to view data from Defenders that are deployed on on-prem hosts or clouds outside of supported Compute cloud providers (AWS, Azure, GCP). e.g. OpenShift on VMware vSphere inside private datacenter. Other clouds (e.g. Oracle, IBM, Alibaba)

Users with read-only permission to Compute Console only see data from cloud accounts they have access to (in Prisma). For example, read-only user John who is assigned access to onboarded accounts from AWS in Prisma Cloud but no access to accounts from GCP and Azure. When John selects the Compute tab, he can only view data coming from Defenders in the assigned AWS account and no other Defenders. Only system admin permission group users can manage/view data coming from all Defenders in Compute. This includes data from cloud accounts that may not be onboarded in Prisma Cloud.

DevOps/CI users only have access to CI/CD scans hence the account filtering mentioned above does not apply to these users.
Only Admin can create collections in Compute. Collections for Read-Only users are visible according to the cloud accounts they are assigned in Prisma Cloud and the subsets of those resources created in manual collections by Admins.

To learn more about Prisma Cloud permission groups and roles, see Create Roles in Prisma Cloud.

To learn more about Compute roles, see User roles.