1. Overview

The Prisma Cloud Console can be accessed via the graphical user interface and the application programming interface (API).

The Prisma Cloud Console supports the following authentication methods:

  • Username / Password

  • Lightweight Directory Access Protocol (LDAP)

  • Security Assertion Markup Language v2.0 (SAML2.0)

  • X.509 smart cards

Prisma Cloud can apply password complexity rules for user accounts created within Prisma Cloud. For the authentication of external identities, Prisma Cloud supports LDAP and SAML 2.0. LDAP authentication supports the OpenLDAP and Active Directory directories. Prisma Cloud Console can be configured as an SAML 2.0 Service Provider. The SAML 2.0 Identity Providers that have been successfully federated with the Prisma Cloud Console are Okta, G Suite, Ping, Shibboleth and Azure Active Directory. Smart card authentication to the Prisma Cloud Console requires configuring Prisma Cloud with the smart card’s chain of trust and matching the smart card’s SubjectAlternativeName’s PrincipalName value to user’s corresponding Prisma Cloud username.

Prisma Cloud supports group based authorization and defines the following roles:

Role Access Level

Administrator

Full read-write access to all Prisma Cloud settings and data

Operator

Read-write access to all rules and data. Read-only access to user and group management and role assignments.

Defender Manager

Read-only access to all rules and data. Can install / uninstall Prisma Cloud Defenders Used for Automating Defender installs via Bearer Token or Basic Auth

Auditor

Read-only access to all Prisma Cloud rules and data.

DevOps User

Read-only access to vulnerability scan data

Access User

Install personal certificates required for access to Defender protected nodes.

CI User

Run the Continuous Integration plugin. No Prisma Cloud Console access.

Group membership can be assigned within the Prisma Cloud Console, as an SAML 2.0 role claim, or LDAP group membership value.