We have two account numbers.
For some reason, AIOps wouldn't activate in the "old" account number where all my firewalls are.
Cortex XDR is on the other "newer" account number. The SE suggested we move everything from the old to the new account number.
Problem is, we have different teams and need to limite some asset access.
So, according to this Support Portal User Role Matrix - Knowledge Base - Palo Alto Networks we came up with this:
- There should be two "general" super users/Domain Admins role for the sake of redundancy.
- Groups are needed as some assets are managed by different teams. There will be a CSP Group per each team.
- Each group should have their own assets assigned.
- Each group should have "group super users" and "group standard users" role. This should allow them to manage their own group and access the support portal for their respective assets only and for Cortex XDR.
- There may be users within the groups with Group Limited or Group BPA roles. These users won't be able to get into Support Portal.
- Some group users need to be able to get into Cortex XDR. Group roles won't allow it so there is a "Cloud Product" role which does allow it. That means, some users will have two roles: Cloud Product + Group Role.
Is this achievable? We have been testing and came up with some issues with Support Portal. Already opened a case with PANW (02845505) about this as I found a post here recommending to open it as PANW will fix it in their backend.
Thanks for any input you may have.
