Assign Roles
For API access, roles must be applied to a service account. However, you can also apply roles to an ordinary user account. These roles have meaning for users who are logging in through the user interface to configure or monitor SASE products.
Note: Roles can never be in conflict. If an account has a role that grants read or view only access to a resource, and another role grants read-write access, then the more permissive role is applied (read-write).
Regardless of whether you're assigning a role to a service account or a user account, you use the assign an access policy API to assign the role. (Of course, you can also do this using the multitenant user interface.)
If you are assigning a role to a service account, provide the service account Client ID in this API's principal field. This is an email address that looks like this:

my_service_account@1111111111.iam.panserviceaccount.com

If you are assigning a role to a user account, use that user's email address for the principal field.
Be aware that if the email address you specify is not currently used for a user or service account, the API call creates a new user account within the SASE system.
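The following is an added illustration, not code from this documentation or from the product. It shows how a caller might validate the principal before building the request body for the assign-an-access-policy call, so that a typo does not silently create a new user account, and how the "most permissive role wins" rule resolves to an effective permission set. The endpoint URL, the `resource` and `role` field names, the role names, and the known-principal list are all assumptions or constructed sample data; only the `principal` field and the service account Client ID format come from the page.

```python
import json
import re

# Assumed endpoint path; the real host and path are not given on this page.
ASSIGN_ACCESS_POLICY_URL = "https://<api-host>/iam/v1/access_policies"

# Service account Client IDs look like <name>@<digits>.iam.panserviceaccount.com
SERVICE_ACCOUNT_RE = re.compile(
    r"^[A-Za-z0-9_.+-]+@\d+\.iam\.panserviceaccount\.com$"
)
# Loose shape check for an ordinary user's email address.
USER_EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Constructed role catalogue (illustrative names, not the product's own).
ROLE_PERMISSIONS = {
    "viewer": {"read"},
    "editor": {"read", "write"},
}


def classify_principal(principal: str) -> str:
    """Return 'service_account' or 'user' based on the principal's format."""
    if SERVICE_ACCOUNT_RE.match(principal):
        return "service_account"
    if USER_EMAIL_RE.match(principal):
        return "user"
    raise ValueError(f"principal is not a valid email-style identifier: {principal!r}")


def effective_permissions(roles) -> set:
    """Roles never conflict: the union of what each role grants applies."""
    perms = set()
    for role in roles:
        perms |= ROLE_PERMISSIONS[role]
    return perms


def build_assignment(principal: str, role: str, resource: str,
                     known_principals, allow_create: bool = False) -> dict:
    """Build the request body for the access policy assignment.

    Refuses principals that are not already known unless allow_create is set,
    because an unknown email address would create a brand-new user account.
    Field names other than 'principal' are assumed.
    """
    classify_principal(principal)  # raises on malformed input
    if role not in ROLE_PERMISSIONS:
        raise ValueError(f"unknown role: {role!r}")
    if principal not in known_principals and not allow_create:
        raise ValueError(
            f"{principal!r} is not a known account; assigning would create a new user"
        )
    return {"principal": principal, "role": role, "resource": resource}


if __name__ == "__main__":
    # Constructed sample data for a stand-alone run.
    known = {
        "my_service_account@1111111111.iam.panserviceaccount.com",
        "alice@example.com",
    }
    body = build_assignment(
        "my_service_account@1111111111.iam.panserviceaccount.com",
        "viewer", "<tenant-resource-placeholder>", known,
    )
    print("POST", ASSIGN_ACCESS_POLICY_URL)
    print(json.dumps(body, indent=2))
    print("effective:", sorted(effective_permissions(["viewer", "editor"])))
```

The `known_principals` gate is the practical safeguard for the last paragraph: pulling the existing user and service account list first, and refusing unknown principals by default, turns an accidental account creation into a visible error.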