on 04-05-2019 01:49 PM - last edited on 04-16-2019 11:33 AM by ploera
Read about the changes to Traps role and access controls. These changes affect how and where you create, define, and manage roles. Learn what's new, what's changing, and how it will affect your visibility with roles. Got Questions? Get Answers on Live Community.
Please be aware that where and how you create, define, and manage Traps roles have changed.
Currently, roles and access rights are managed from both the Customer Support Portal (CSP) and the Traps management service interface. Beginning in April, these options will be moved to a central location on Cortex hub. This enhancement will simplify how administrators apply role-based access control for apps and services, and it will allow us to easily scale RBAC to future Cortex offerings.
Additional technical documentation will be available when the feature is released, but please ensure that your Traps administrators are aware of this important change as soon as possible.
Once this feature is launched, service roles from the CSP and the roles from Traps management service will no longer be available, and the Permissions tab within Traps management service will be removed. Instead, administrators will go to the new Cortex hub Role Assignment page to perform role management.
Furthermore, Traps management service offers the ability to assign granular roles (i.e., Traps specific roles) via the Traps management console. As part of this launch, those roles will move over and be made available via the Cortex hub.
NOTE: All previously defined Traps granular roles and permissions will be migrated to the new Role Assignment page and will be available there.
With the new RBAC, there are also three new roles that provide super-user privileges that vary in scope. The first person in the organization to register with Palo Alto Networks Customer Support Portal is the Account Administrator. The Account Administrator role gives the user full access to all instances of all apps activated for your organization. Users assigned as Super Admin from the Customer Support Portal prior to April 2019 are automatically assigned the Account Administrator role in Cortex hub.
If you are the Account Administrator, you can give another user the Account Administrator role. Users with this role can grant other users the App Administrator role, which allows users to activate, deactivate, and manage individual app instances.
To limit a user’s access to a specific instance, you can assign users the Instance Administrator role, which enables the user to access only the app instance for which the role is assigned. Users that are assigned any of these roles can also grant more granular roles for Traps management service. By default, all new users are assigned No Role.
To ensure a smooth transition, we want to make sure that you are aware of these changes to Traps management service, Cortex hub, and Customer Support Portal.
Palo Alto Networks Application Framework properties changed names in February 2019. The remainder of this topic will use the new product names identified in the following table:
Role Management Changes
Prior to March 2019, you managed all roles in the Customer Support Portal. Now, you manage roles specific to Cortex apps and other properties in the Cortex hub. All other role management remains in the Customer Support Portal. Where you previously had a role that was specific to an app (e.g., the Magnifier role), you now have a single role (Instance Administrator) that is granted to a user for a specific app. If no other roles are available for an app, then this is the only available role.
Some apps, such as Traps, implement a constellation of roles that you can grant to a user. These roles are managed in the Cortex hub, but you should refer to the product documentation for the app in order to obtain details on these custom roles. When Palo Alto Networks migrated role management from the Customer Support Portal roles to the Cortex hub, existing users received the following roles:
If you are starting or in the process of a Proof of Concept, please ensure any other administrators are aware of the changes. If you are actively using Traps management service, please make sure you are familiar with the changes to avoid any disruption or confusion. Traps documentation will be updated when the feature is pushed live.