Prisma Cloud Administrator Roles
Prisma Cloud roles define the type of access that an administrative user has.
A user on Prisma Cloud is someone who has been assigned administrative privileges, and a role defines the type of access that the administrator has on the service. When you define a role, you specify the permission group and the account groups or repositories that the administrator can manage or view. Prisma Cloud has the following built-in permission groups for administrators.
- System Admin—Full control (read/write permissions) over the service; System Admins can create, edit, or delete account groups and cloud accounts. Only System administrators have access to all Settings on Prisma Cloud and can view audit logs to analyze actions performed by other users who have been assigned administrative privileges.
  If you use the System Admin role with Only for Compute capabilities enabled, the administrator has full control (read/write permissions) only over the Compute tab and APIs on Prisma Cloud and has no access to the rest of the Prisma Cloud capabilities.
- Account Group Admin—Read/write permissions for the cloud accounts and account groups to which they are granted access.
  An account group administrator can only view resources deployed within the cloud accounts to which they have access. Resources deployed on other cloud accounts that Prisma Cloud monitors are excluded from search and investigation results.
- Account Group Read Only—Read-only permissions to view designated sections of Prisma Cloud. This role does not have permissions to modify any settings.
- Account and Cloud Provisioning Admin—Combines the permissions of the Account Group Admin and the Cloud Provisioning Admin for an administrator who is responsible for a line of business. With this role, in addition to onboarding cloud accounts, the administrator can access the dashboard, manage the security policies, investigate issues, and view alerts and compliance details for the designated accounts only.
- Cloud Provisioning Admin—Permissions to onboard and manage cloud accounts from Prisma Cloud and the APIs, and the ability to create and manage account groups. With this role, access on the admin console is limited to Settings > Cloud Accounts and Settings > Account Groups.
- Build and Deploy Security—Restricted permissions for DevOps users who need access to a subset of Compute capabilities and/or API access to run IDE, SCM and CI/CD plugins for Infrastructure as Code and image vulnerability scans. For example, the Build and Deploy Security role grants read-only permissions to review vulnerability and compliance scan reports on Compute and to manage and download utilities such as Defender images, plugins and twistcli.
  If you use the Build and Deploy Security role with Access key only enabled, the administrator can create one access key to use the Prisma Cloud Compute APIs.
  See Prisma Cloud Compute Roles for more details on the roles and their associated permissions.
- Developer—Restricted permissions for developers or DevOps users who need access to a subset of Application Security capabilities. Apart from generating access keys and viewing and fixing issues in IaC scan results on Application Security, this role grants read-only permissions: the user can view/update repository settings for the repositories to which they have access and view the Application Security configuration.
To assign these roles, see Add Administrative Users On Prisma Cloud. You can view the permissions associated with each role under Settings > Roles > +Add New.