Assign an access policy
POST /iam/v1/access_policies
Assign an access policy to a user or a service account. If the email address supplied to the principal request body field is not known to the IAM service, a new user account is created to track that email address within the IAM service. However, a corresponding SSO user account is not created at that time. Use the create SSO user call to create a corresponding SSO user account.
If the principal email address corresponds to a service account, then the specified role is applied to that service account. Service account email addresses conform to the following format:
<service_account_name>@<tsg_id>.iam.panServiceAccounts.com
Request
- application/json
Body (required)
Specifies the role to be assigned to the principal for the specified resource.
- principal: The email address for the user or service account to which you are assigning this access policy.
- resource: The PAN Resource Name that identifies the TSG for which you are assigning this access policy. It follows this format: prn:<TSG_ID>::::
- role: The role that you are using for this access policy. If you are assigning a custom role, then this must be the custom role's ID.
Responses
- 201
Successful response.
- application/json
Schema
- id: Access policy's unique identifier.
- principal: Email address of the user or service account which is receiving this role.
- resource: Resource to which the principal is gaining access. This is a string in the format: prn:<TSG_ID>::::
- role: Role to assign to the principal.
Example (from schema)
{
"id": "9d5104a0-1b0e-4f1d-be40-87f7810327e9",
"principal": "user@paloaltonetworks.com",
"resource": "prn:123::::",
"role": "superuser"
}
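Because an email address unknown to the IAM service results in a new user account, a mistyped principal is accepted rather than rejected. The following added example (not part of the original documentation and not Palo Alto Networks code) is a pre-flight check that builds the request body only for principals on a caller-supplied list. The function names, the known_principals list and the allow_new_user flag are assumptions, and nothing is sent to the API.

```python
import json
import re

# Service account format from this page:
# <service_account_name>@<tsg_id>.iam.panServiceAccounts.com
SERVICE_ACCOUNT_RE = re.compile(
    r"^[^@\s]+@(?P<tsg_id>[^.@\s]+)\.iam\.panserviceaccounts\.com$", re.IGNORECASE)
# Loose shape check for user addresses (assumption, not the API's own rule).
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def classify_principal(principal):
    """Return ("service_account", tsg_id) or ("user", None)."""
    match = SERVICE_ACCOUNT_RE.match(principal)
    if match:
        return "service_account", match.group("tsg_id")
    if EMAIL_RE.match(principal):
        return "user", None
    raise ValueError(f"principal is not an email address: {principal!r}")


def build_access_policy(principal, tsg_id, role, known_principals,
                        allow_new_user=False):
    """Build the request body; refuse principals IAM would silently create."""
    kind, sa_tsg = classify_principal(principal)
    if not re.fullmatch(r"[^:\s]+", str(tsg_id)):
        raise ValueError(f"TSG ID would break the PRN format: {tsg_id!r}")
    if not role:
        raise ValueError("role is required")
    known = {p.lower() for p in known_principals}
    if principal.lower() not in known and not allow_new_user:
        raise PermissionError(
            f"{principal!r} is not a known principal; the call would create "
            "a new IAM user account for it")
    notes = []
    if kind == "service_account" and sa_tsg != str(tsg_id):
        notes.append(f"service account TSG {sa_tsg} differs from target TSG {tsg_id}")
    body = {"principal": principal, "resource": f"prn:{tsg_id}::::", "role": role}
    return body, kind, notes


if __name__ == "__main__":
    # Constructed sample data: the list stands in for an export of the
    # principals already present in IAM.
    known = ["user@paloaltonetworks.com", "ci-deploy@123.iam.panserviceaccounts.com"]
    body, kind, notes = build_access_policy(
        "user@paloaltonetworks.com", "123", "superuser", known)
    print(kind, json.dumps(body), notes)
```

The returned notes list flags a service account whose address carries a different TSG ID than the target resource, so the assignment can be reviewed before it is sent.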