Create Custom Prisma Cloud Roles

Prisma Cloud Roles allow you to specify a wide range of user permissions, including access at various levels to multiple cloud environments, the ability to apply policies, as well as enable interactions with alerts and reports. Use custom roles to limit access to Prisma Cloud functions to a user’s job responsibilities. When you create a cloud account, you can assign one or more cloud accounts to an account group and then attach the account group to a custom role. Follow the steps below to create a custom role:

Only Prisma Cloud System Administrators can create custom roles.

  1. Log in to Prisma Cloud and navigate to "Settings > Access Control". Select the Permission Groups tab.

  2. On the Permissions Group page you can view a list of default and custom Permission Groups, add, view, clone, and edit new Permission Groups. The figure below displays the custom role options available on the Permission Groups page:

    grbac

    1. View: Select the View icon on the Actions pane, to see permission details for an existing default or custom role group.

    2. Clone: Click the Clone icon to create a new Permission Group with copied pre-populated permissions to duplicate an existing role group.

    3. Edit: View an make edits to permissions for a selected Permission Group

    4. Delete: Click the delete icon to remove a default or custom group.

Add a Custom Permission Group

Click the Add button to create a new Permission Group.

perms groups

  1. On the Details drop-down provide a Name, optional Description and Copy of Existing group details if this is a cloned group. Click Next to proceed.

  2. On the Assign Permissions page select View, Create, Update or Delete capabilities, for each individual function on the Prisma Cloud console, as shown below.

  3. Select Previous to return to the Details page, Save&Close to exit the Permissions Group page or Save&AddRole to create the Permission Group and a new role.

    Updates made to Permission Groups take effect the next time a user that belongs to the group accesses the Prisma Cloud console.

    Keep the following caveats in mind when creating and assigning custom roles:

    • Permissions listed on the Assign Permissions page are not comprehensive and do not map one-to-one with all available feature permissions for an out of the box role. For instance, if you create a custom permission by cloning a System Administrator role, the feature permissions listed on the Assign Permissions page may not include all permissions available in the out of the box System Administrator role, as these feature permissions are not currently enabled for custom roles. Feature permissions displayed on the Assign Permissions page lists all available permissions that can be assigned for any given custom role. Reference the Prisma Cloud Administrator Permissions page for a comprehensive list of default permissions by role.

    • To access Anomaly Trusted Lists, the user must have System Administrator permissions or a custom role that allows them to View or Create Anomaly Trusted Lists.

    • Users assigned a custom role, without the appropriate permissions, may find the following inconsistencies on the Investigate page:

      • A 500 error when running an IAM query.

      • A 200 error when running a Cloud Network Analyzer (CNA) query.

        In both cases the correct response should be 403 to indicate that the action is not permitted.

    Refer to the topics below to learn more about creating and assigning user roles: