User accounts are used to log into the Prisma SASE Platform user interface so that the user can perform administrative tasks on SASE products. User accounts are not used for API access, but you can perform some limited management of them using the Identity and Access Management APIs.
Two things must be true in order for a user to successfully perform administrative activites to SASE products using the Prisma SASE Platform:
- The user must have a login account.
- The login account must have been assigned one or more access policies that permit access to SASE products.
Note: There is no required order for these events. You can, for example, assign an access policy for the user before a login account is available for that user. An email address is used to tie log in accounts and access policies together. You just have to use the same email address for both requirements to be successful.
Log in accounts
A login account is required in order for the user to authenticate to the Prisma SASE Platform. There are different ways for a user to get a login account:
If the user creates an account with Palo Alto Networks Customer Support, then a Palo Alto Networks SSO account is automatically created for the user during account creation.
You can use the SSO user creation API to create an Palo Alto Networks SSO account for the user.
If your enterprise has an third party IDP integration with Palo Alto Networks, then an user account with your identity service provider will serve as a login account for the Prisma SASE Platform.
You can check whether a user has a login account using the SSO user verification API.
As described in Assign Roles, you grant a user account access to SASE products by applying an access policy to it. This is required in order for the authenticated user to perform any actions to a SASE product.
When you assign an access policy to a user account, you use the email address which identifies that user account. At the time of access policy assignment, the email address need not be associated with a login account. If it is not, internal data structures are created within the Identity and Access Management system to track the email address, but the login account is not actually created. Until it is, the user cannot log into and use SASE products.