topic CSP Groups and Roles Assignment question in General Topics

CSP Groups and Roles Assignment question

mtafur — Sat, 06 Jan 2024 03:26:52 GMT

We have two account numbers.

For some reason, AIOps wouldn't activate in the "old" account number where all my firewalls are.

Cortex XDR is on the other "newer" account number. The SE suggested we move everything from the old to the new account number.

Problem is, we have different teams and need to limite some asset access.

So, according to this Support Portal User Role Matrix - Knowledge Base - Palo Alto Networks we came up with this:

- There should be two "general" super users/Domain Admins role for the sake of redundancy.

- Groups are needed as some assets are managed by different teams. There will be a CSP Group per each team.

- Each group should have their own assets assigned.

- Each group should have "group super users" and "group standard users" role. This should allow them to manage their own group and access the support portal for their respective assets only and for Cortex XDR.

- There may be users within the groups with Group Limited or Group BPA roles. These users won't be able to get into Support Portal.

- Some group users need to be able to get into Cortex XDR. Group roles won't allow it so there is a "Cloud Product" role which does allow it. That means, some users will have two roles: Cloud Product + Group Role.

Is this achievable? We have been testing and came up with some issues with Support Portal. Already opened a case with PANW (02845505) about this as I found a post here recommending to open it as PANW will fix it in their backend.

Thanks for any input you may have.

Re: CSP Groups and Roles Assignment question

mtafur — Sat, 06 Jan 2024 03:32:15 GMT

Interestingly, I cannot access with the test account that has Cloud Product + Group Super User to the KB. Same issue. Changed the account to Super user and problem persists.

Hopefully PANW can fix this issue.

Re: CSP Groups and Roles Assignment question

JayGolf — Wed, 10 Jan 2024 18:13:00 GMT

Hi @mtafur ,

Keep us updated on how your case goes. Please let me know if you don't hear anything back on this.

Re: CSP Groups and Roles Assignment question

mtafur — Thu, 11 Jan 2024 00:27:18 GMT

Hi @JayGolf . Case still going. They tried to fix their backend but no joy. It is currently in "Researching" status.

I engaged with my SE as this was his suggestion. I'm a bit worried as this is impacting my timeline for AIOps deployment.

Hopefully they'll fix this week. Whatsmore, I have issues with onboarding devices to AIOps...that's another ticket!