Skip to main content

Manage User Accounts

User accounts are used to log into the Strata Cloud Manager user interface so that the user can perform administrative tasks on Strata Cloud Manager. User accounts are not used for API access, but you can perform some limited management of them using the Identity and Access Management APIs.

Two things must be true in order for a user to successfully perform administrative activites Strata Cloud Manager:

  1. The user must have a login account.
  2. The login account must have been assigned one or more access policies that permit access to Strata Cloud Manager.

Note: There is no required order for these events. You can, for example, assign an access policy for the user before a login account is available for that user. An email address is used to tie log in accounts and access policies together. You just have to use the same email address for both requirements to be successful.

Log in accounts

A login account is required in order for the user to authenticate to Strata Cloud Manager. There are different ways for a user to get a login account:

  • If the user creates an account with Palo Alto Networks Customer Support, then a Palo Alto Networks SSO account is automatically created for the user during account creation.

  • You can use the SSO user creation API to create an Palo Alto Networks SSO account for the user.

  • If your enterprise has an third party IDP integration with Palo Alto Networks, then a user account with your identity service provider will serve as a login account for Strata Cloud Manager.

You can check whether a user has a login account using the SSO user verification API.

Access Policies

As described in Assign Roles, you grant a user account access to Strata Cloud Manager by applying an access policy to it. This is required in order for the authenticated user to perform any actions to Strata Cloud Manager.

When you assign an access policy to a user account, you use the email address which identifies that user account. At the time of access policy assignment, the email address need not be associated with a login account. If it is not, internal data structures are created within the Identity and Access Management system to track the email address, but the login account is not actually created. Until it is, the user cannot log into and use Strata Cloud Manager.