Tenant Service Groups
A tenant service group (TSG) is the logical container the Prisma SASE Platform uses to hold SASE tenants and other TSGs. It is the building block of the multitenancy hierarchy. That hierarchy is generally described as a series of nested tenants, where a tenant is used to manage, monitor, and license SASE products such as Prisma Access. Mechanically, though, a tenant is just a TSG, and the two terms are often used interchangeably.
You can examine the TSG hierarchy for your installation in the Prisma SASE Platform user interface.
TSGs serve two purposes:
They identify the scope of an access token.
They are the objects to which service accounts are attached. You create one or more service accounts for a TSG, and then assign roles to each service account to define the API access that the account is allowed.
Access tokens are OAuth 2.0 compliant, which means that you limit their reach by specifying a scope. For the Authentication Service, scope is expressed in terms of TSGs: an access token is limited to the specified TSG (which the service account must have access to) and to the tenants that are children of that TSG. It cannot reach the parent or siblings of that TSG.
Create a Tenant Service Group
There are two ways to create a TSG:
By using the Prisma SASE Platform user interface. The first time you create a TSG, you must use the user interface because there's no other way for you to get an access token.
By using the create a tenant service group API. You can only do this if you have created a service account and generated an access token.
Either way, when you create a TSG, a unique TSG ID is generated. You need this ID when you request access tokens scoped to the TSG, so make a note of it.
Once you have at least one TSG, you can create a service account.
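The two points above, a token scoped to one TSG and the TSG ID you must carry into the token request, as an added example that is not code from the Prisma SASE Platform documentation. It builds the OAuth 2.0 client-credentials request for a TSG-scoped access token and then checks, against a constructed TSG hierarchy, which TSGs such a token can reach. The token endpoint URL and the tsg_id:<TSG ID> scope format are assumptions taken from the public Prisma SASE developer documentation and are not stated on this page; the TSG IDs, client credentials, and token response are constructed for the example.

```python
"""Added example (not from the Prisma SASE Platform docs): build an
OAuth 2.0 client-credentials request for an access token scoped to one
TSG, and check which TSGs such a token reaches in a nested hierarchy.

Assumptions, not stated on the page: TOKEN_URL and the ``tsg_id:<id>``
scope format come from the public Prisma SASE developer documentation;
the TSG IDs, credentials and token response below are constructed."""
import base64
import json
from urllib.parse import urlencode
from urllib.request import Request, urlopen

# Assumed endpoint of the Prisma SASE Authentication Service.
TOKEN_URL = "https://auth.apps.paloaltonetworks.com/oauth2/access_token"

# Constructed TSG hierarchy: child TSG ID -> parent TSG ID (None = root).
HIERARCHY = {
    "1234567890": None,          # root TSG
    "1234567891": "1234567890",  # child tenant
    "1234567892": "1234567891",  # grandchild tenant
    "2222222222": None,          # unrelated root TSG
}

# Constructed token response (not a real token).
SAMPLE_RESPONSE = {
    "access_token": "eyJ.constructed.example",
    "token_type": "Bearer",
    "expires_in": 900,
    "scope": "tsg_id:1234567890",
}


def build_token_request(client_id, client_secret, tsg_id):
    """Return (headers, body) for a client-credentials grant scoped to tsg_id.

    The service account's client_id/client_secret travel in HTTP Basic auth;
    the scope string names the TSG whose ID you noted when creating it."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {
        "Authorization": f"Basic {creds}",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = urlencode({"grant_type": "client_credentials",
                      "scope": f"tsg_id:{tsg_id}"})
    return headers, body


def request_token(client_id, client_secret, tsg_id, timeout=10):
    """Perform the POST (needs network); return the parsed JSON response."""
    headers, body = build_token_request(client_id, client_secret, tsg_id)
    req = Request(TOKEN_URL, data=body.encode(), headers=headers, method="POST")
    with urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def scoped_tsg(token_response):
    """Extract the TSG ID from the scope field of a token response."""
    for item in token_response.get("scope", "").split():
        if item.startswith("tsg_id:"):
            return item[len("tsg_id:"):]
    raise ValueError("token response carries no tsg_id scope")


def token_covers(hierarchy, scope_tsg, target_tsg):
    """True if a token scoped to scope_tsg may act on target_tsg.

    A TSG-scoped token reaches the scoped TSG itself and every tenant
    below it, never a parent or a sibling. Walk upward from the target
    until the scoped TSG (covered) or a root (not covered) is reached."""
    node = target_tsg
    seen = set()
    while node is not None:
        if node == scope_tsg:
            return True
        if node in seen:  # defensive: corrupt hierarchy data
            raise ValueError(f"cycle in hierarchy at TSG {node}")
        seen.add(node)
        node = hierarchy.get(node)
    return False


if __name__ == "__main__":
    # Constructed credentials; show the request without sending it.
    hdrs, body = build_token_request("example-client-id", "example-secret",
                                     "1234567890")
    print("POST", TOKEN_URL)
    print(hdrs["Content-Type"], "|", body)
    tsg = scoped_tsg(SAMPLE_RESPONSE)
    for target in HIERARCHY:
        print(f"token for {tsg} covers {target}:",
              token_covers(HIERARCHY, tsg, target))
```

The hierarchy walk is the practical check to keep in mind when choosing a scope: request the token at the lowest TSG that still covers every tenant the automation needs, since a token minted at a root TSG reaches every tenant beneath it.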