List of all Roles
The following are all the roles currently supported by SASE:
Role | UI Label | Description |
---|---|---|
adem_tier_1_support | ADEM Tier 1 Support | This role provides access to specific incident remediation workflows for Prisma Access ADEM. |
auditor | Auditor | This role provides read-only access to functions related to all configuration, including subscriptions and licenses. Assign this role to users or service accounts that need to examine the system for accuracy. |
browser | Browser | This role provides access to only the essential features required by Palo Alto Networks UI Applications. |
business_admin | Business Administrator | This role provides access to all subscription and license management. This role also provides read-only access to other functions, including but not limited to: access policies, service accounts, and tenant service group operations. |
data_security_admin | Data Security Administrator | This role provides access to all data security functions. In addition, it provides read-only access to logs. This role contains a very small subset of privileges compared to the Security Admin role. |
deployment_admin | Deployment Administrator | This role provides access to functions related to deployments. In addition, this role provides read-only access to other functions. |
dlp_incident_admin | DLP Incident Administrator | This role provides access to functions related to DLP incidents and reports. This role also provides read-only access to other functions, including but not limited to: data profile, data filtering profile, data pattern, EDM and OCR settings. |
dlp_policy_admin | DLP Policy Administrator | This role provides access to functions related to DLP policy, including but not limited to: data profile, data filtering profile, data pattern, EDM and OCR settings. |
iam_admin | IAM Administrator | This role provides access to identity and authentication functions. In addition, it provides read-only access to logs. Assign this role to users or service accounts that need to manage users or service accounts. |
msp_iam_admin | Multitenant IAM Administrator | This role provides access to identity and authentication functions for all tenants in a multitenant hierarchy. In addition, it provides read-only access to logs. |
msp_superuser | Multitenant Superuser | This role provides full read and write access to all functions for all tenants in a multitenant hierarchy. Assign this role only to users or service accounts that need unrestricted access to the MSP portal. |
mt_manage_user | Multitenant Manage User | This role provides access to functions related to multitenant management and other common resources. |
mt_monitor_user | Multitenant Monitor User | This role provides access to functions related to multitenant monitoring and other common resources. |
network_admin | Network Administrator | This role provides access to functions related to network configuration. This role also provides read-only access to other functions, including but not limited to: alerts, license quotas, devices, and tenant service group operations. |
security_admin | Security Administrator | This role provides access to functions related to security policy configuration. This role also provides read-only access to other functions, including but not limited to: alerts, license quotas, devices, and tenant service group operations. |
soc_admin | SOC Administrator | This role allows the administrator to assess incidents and remediate risks in SaaS Security. This administrator cannot access SaaS Security API settings or modify policy rules. |
soc_analyst | SOC Analyst | This role provides read-only access to functions related to logs, reports, events, alerts, and all configuration. Assign this role to users or service accounts that need to view and investigate threats and trends. |
sspm_appowner_superuser | Posture Security Administrator | This role provides full SSPM functionality but only for the SaaS application(s) that the administrator onboards themselves. It is intended to give IT/SaaS administrators full SSPM read and write access to the SaaS apps they are responsible for. |
superuser | Superuser | This role provides full read and write access to all the available system-wide functions. It includes all the permissions of all the other roles, including MSP Superuser. Assign this role only to users or service accounts that need unrestricted access. |
tier_1_support | Tier 1 Support | This role provides access to specific incident remediation workflows that update network, security, SD-WAN, GlobalProtect, and device configuration. This role also provides read-only access to other functions. |
tier_2_support | Tier 2 Support | This role provides access to specific incident remediation workflows that update network, security, SD-WAN, GlobalProtect, and device configuration. This role also provides read-only access to other functions. |
view_only_admin | View Only Administrator | This role provides read-only access to all functions. |
web_security_admin | Web Security Admin | This role provides access to functions related to web security for Prisma Access. |