1. Overview

In Prisma Cloud Enterprise Edition, you can assign roles to users to control their level of access to Prisma Cloud. Roles determine what a user can do and see in the Prisma Cloud UI, and which APIs they can access. These roles are mapped to Compute according to the table below.

2. Prisma Cloud Roles to Compute Roles mapping

To create roles, go to Settings >. The following table summarizes the roles available in Prisma Cloud and their mapping to Compute Console.

| Prisma Cloud Role | Compute Role | Access level | Typical use case(s) |
|---|---|---|---|
| System Admin (supports Compute-only check) | | Full read-write access to all Prisma Cloud settings and data. | Security administrators. |
| Account & Cloud Provisioning Admin (supports Compute-only check) | | Read-only access to all Prisma Cloud Compute rules and data. | Auditors and compliance staff that need to verify settings and monitor compliance. |
| Cloud Provisioning Admin | Defender Manager | Read-only access to all Compute rules and data. Can install and uninstall Defenders. | DevOps and sysadmins for the nodes that Prisma Cloud protects. |
| Account Group Admin (supports Compute-only check) | | Read-only access to all Prisma Cloud Compute rules and data. | Auditors and compliance staff that need to verify settings and monitor compliance. |
| Account Group Read Only (supports Compute-only check) | DevSecOps User | Read-only access to all results under Radar and Monitor, but no access to view or change policy or settings. | DevSecOps personnel. |
| Build and Deploy Security | DevOps User | Read-only access to the Prisma Cloud CI vulnerability and compliance scan reports only. | Developer, Operations, and DevOps personnel that need to know about and/or address the vulnerabilities in your environment. |
| Build and Deploy Security ("Only Access Key" selection) | CI User | Run the Continuous Integration plugins, IaC scans, IDE plugins only. | CI Users can only run the plugin and have no other access to configure Prisma Cloud. |

Only for Compute Capabilities checkbox: This checkbox is available for the Admin and Read-Only user roles (Auditor and DevSecOps). When it is selected, users are given access to only the Compute tab and the Access keys tab in the Prisma Cloud platform. All other tabs, such as Policy, Asset Inventory, etc., are hidden from view.

On-prem/Other cloud providers: You can assign read-only roles to view data from Defenders that are deployed on hosts outside of the cloud providers supported for Cloud Account discovery in Compute (i.e., AWS, Azure, GCP, Alibaba). Examples include OpenShift on VMware vSphere inside a private datacenter, and other clouds (e.g., Oracle, IBM, etc.).

Users with read-only permission to Compute Console only see data from the cloud accounts they have access to in Prisma Cloud. For example, read-only user John is assigned access to onboarded accounts from AWS in Prisma Cloud but has no access to accounts from GCP and Azure. When John selects the Compute tab, he can only view data coming from Defenders in the assigned AWS account and no other Defenders. Only users in the System Admin permission group can manage and view data coming from all Defenders in Compute. This includes data from cloud accounts that may not be onboarded in Prisma Cloud.

DevOps/CI users only have access to CI/CD scans, so the account filtering described above does not apply to these users.

Only Admins can create collections in Compute. Collections are visible to Read-Only users according to the cloud accounts they are assigned in Prisma Cloud and the subsets of those resources that Admins define in manual collections.

To learn more about Prisma Cloud permission groups and roles, see Create Roles in Prisma Cloud.

To learn more about Compute roles, see User roles.