List of all Roles
The following are all the roles currently supported by SASE:
| Role | UI Label | Description |
|---|---|---|
| adem_tier_1_support | ADEM Tier 1 Support | Provides read-only access to specific incident remediation workflows for Prisma Access Autonomous Digital Experience Management (ADEM). This role is for use with the Prisma Access app and does not include access to other Prisma Access services, dashboards, or Strata Logging Service logs. Ideal for third-party helpdesk employees, tier 2 and 3 support, or administrators who only need ADEM access. |
| auditor | Auditor | Provides read-only access to functions related to all configurations, including subscriptions and licenses for the selected app. Includes access to view dashboards but cannot download, share, and schedule reports. This role also provides access to view Strata Logging Service logs. Ideal for administrators tasked with examining the system for accuracy. |
| business_admin | Business Administrator | Provides read and write access to all subscription and license management for the selected app. Includes read-only access to other functions, such as access policies, service accounts, and tenant service group operations. No access to dashboards and Strata Logging Service logs. Provides the ability to activate product licenses through email activation link. Ideal for administrators who manage devices, licenses, and subscriptions. |
| data_security_admin | Data Security Administrator | Provides read and write access to all data security and dashboard functions for the selected app. This role also includes access to view Strata Logging Service logs and a small subset of privileges included in the Security Admin role. Ideal for administrators who manage only decryption rule configurations. |
| deployment_admin | Deployment Administrator | Provides read and write access to functions related to deployments and dashboard usage. This role also provides read-only access to other functions. Suitable for users who need to manage and oversee deployment processes while having visibility into other system areas. |
| dlp_incident_admin | DLP Incident Administrator | Provides read and write access to functions related to DLP incident and report management. This role also includes read-only access to other functions, such as data profile, data filtering profile, data pattern, EDM, and OCR settings. |
| dlp_policy_admin | DLP Policy Administrator | Provides read and write access to functions related to DLP policy management, including data profile, data filtering profile, data pattern, EDM and OCR settings. This role enables comprehensive control over data loss prevention policies and configurations. |
| iam_admin | IAM Administrator | Provides read and write access to identity and authentication functions for the selected app. Includes read-only access to logs. No access to dashboards and Strata Logging Service logs. Ideal for administrators who manage users and authentication processes. |
| msp_iam_admin | Multitenant IAM Administrator | Provides read and write access to identity and authentication functions for all tenants in a multitenant hierarchy. This role also includes read-only access for logs. No access to dashboards and Strata Logging Service logs. |
| msp_superuser | Multitenant Superuser | Provides read and write access to manage all dashboards, reports, apps, Strata Logging Service logs, and services within the assigned level of nested hierarchy. Includes all permissions assigned to all roles, including Superuser, and the ability to activate product licenses through email activation link. Assign only to users or service accounts that require unrestricted access across multiple tenants. |
| mt_manage_user | Multitenant Manage User | Provides access to functions related to multitenant management and other common resources. This role enables effective oversight and control across multiple tenant environments. |
| mt_monitor_user | Multitenant Monitor User | Provides access to functions related to multitenant monitoring and other common resources. This role enables comprehensive visibility across multiple tenant environments. |
| network_admin | Network Administrator | Provides read and write access to logs, network policy configurations, and dashboards for the selected app. Includes read-only access to other functions including alerts, license quotas, devices, and tenant service group operations. Ideal for administrators who need to maintain authentication, certificates, and decryption rules. |
| project_admin | Project Admin | Provides read and write access to functions related to Dynamic Privilege Access. This role enables management and oversight of dynamic privilege allocation within the system. |
| project_admin_push | Project Admin Push | Provides access to push operations. |
| seb_access_and_data_admin | PA Browser Access & Data Administrator | Provides read and write access to set and manage access and data policies, define custom/private applications, and handle end user requests related to policies for the Prisma Access Browser. This role also includes read-only permission to inventory aspects (users, devices, extensions) and visibility aspects (dashboards, end user events). |
| seb_customization_admin | PA Browser Customization Administrator | Provides read and write access to set and manage browser customization policies for Prisma Access Browser. This role also includes read-only access to inventory aspects (users, devices, applications, extensions) and visibility aspects (dashboards, end user events). |
| seb_permission_request_admin | PA Browser Permission Request Administrator | Provides read and write access to handle end user requests related to policies for Prisma Access Browser. This role also includes read-only permission to visibility aspects (dashboards, end user events). |
| seb_security_admin | PA Browser Security Administrator | Provides read and write access to set and manage browser security policies for Prisma Access Browser. This role also includes read-only access to inventory aspects (users, devices, applications, extensions) and visibility aspects (dashboards, end user events). |
| seb_security_and_posture_admin | PA Browser Security & Device Posture Administrator | Provides read and write access to set and manage browser security policies, manage device posture groups, and set sign-in rules for Prisma Access Browser. This role also includes read-only access to inventory aspects (users, applications, extensions) and visibility aspects (dashboards, end user events). |
| seb_view_only_analytics_admin | PA Browser View Only Analytics | Provides read-only access to visibility aspects for Prisma Access Browser, including dashboards, detailed end user events, and inventory aspects (users, devices, applications and extensions). |
| security_admin | Security Administrator | Provides read and write access security policy configuration and dashboard functionality. This role also provides read-only access to other functions, including but not limited to alerts, license quotas, devices, and tenant service group operations. Ideal for users responsible for managing and maintaining security policies across the system. |
| soc_admin | SaaS SOC Administrator | Provides the ability to assess incidents and remediate risks in SaaS Security. This role does not include access to SaaS Security API settings or the ability to modify policy rules. |
| soc_analyst | SOC Analyst | Provides read-only access to functions related to logs, reports, events, alerts, and all configuration and write access for dashboard usage. Ideal for users or service accounts that need to view and investigate threats and trends without making changes to the system. |
| sspm_appowner_superuser | SaaS Posture Security Administrator | Provides full SSPM functionality for the SaaS applications that the administrator onboards themselves. This role is designed to provide IT and SaaS administrators complete SSPM read and write access to the SaaS apps they are responsible for. |
| superuser | Superuser | Provides read and write access to all available system-wide functions for the selected app. Includes all permissions assigned to all other roles, including MSP Superuser, granting unrestricted access across the system. Users with this role can activate product licenses through email activation links. Assign only to users or service accounts that require complete, unrestricted access to all system functions and configurations. |
| tier_1_support | Tier 1 Support | Provides read and write access to dashboard functionality and remediation workflows that update network, security, and device configurations for the selected app. This role also provides read-only access for alerts, access policies, configurations, license quotas, devices, tenant service group operations, and Strata Logging Service logs. |
| tier_2_support | Tier 2 Support | Provides read and write access to dashboard functionality and remediation workflows that update network, security, and device configurations for the selected app. This role also provides read-only access for alerts, access policies, configurations, license quotas, devices, tenant service group operations, and Strata Logging Service logs. |
| view_only_admin | View Only Administrator | Provides read-only access to all available system-wide functions for the selected app and logs. Allows users to view dashboards, download, share, and schedule reports, providing comprehensive visibility without the ability to make changes. Ideal for users who need to monitor and analyze system-wide information but should not have permissions to modify configurations or settings. |
| web_security_admin | Web Security Admin | Provides read and write access to manage web security policies and features. |