CSP Groups and Roles Assignment question

Showing results for 
Show  only  | Search instead for 
Did you mean: 
Please sign in to see details of an important advisory in our Customer Advisories area.

CSP Groups and Roles Assignment question

L1 Bithead

We have two account numbers.


For some reason, AIOps wouldn't activate in the "old" account number where all my firewalls are.

Cortex XDR is on the other "newer" account number. The SE suggested we move everything from the old to the new account number.

Problem is, we have different teams and need to limite some asset access.


So, according to this Support Portal User Role Matrix - Knowledge Base - Palo Alto Networks we came up with this:

- There should be two "general" super users/Domain Admins role for the sake of redundancy.

- Groups are needed as some assets are managed by different teams. There will be a CSP Group per each team.

Each group should have their own assets assigned.

- Each group should have "group super users" and "group standard users" role. This should allow them to manage their own group and access the support portal for their respective assets only and for Cortex XDR.

- There may be users within the groups with Group Limited or Group BPA roles. These users won't be able to get into Support Portal.

- Some group users need to be able to get into Cortex XDR. Group roles won't allow it so there is a "Cloud Product" role which does allow it. That means, some users will have two roles: Cloud Product + Group Role.


Is this achievable? We have been testing and came up with some issues with Support Portal. Already opened a case with PANW (02845505) about this as I found a post here recommending to open it as PANW will fix it in their backend.



Thanks for any input you may have.



L1 Bithead

Interestingly, I cannot access with the test account that has Cloud Product + Group Super User to the KB. Same issue. Changed the account to Super user and problem persists. 

Hopefully PANW can fix this issue.

Community Team Member

Hi @mtafur ,


Keep us updated on how your case goes. Please let me know if you don't hear anything back on this. 

LIVEcommunity team member
Stay Secure,
Don't forget to Like items if a post is helpful to you!

Please help out other users and “Accept as Solution” if a post helps solve your problem !

Read more about how and why to accept solutions.

Hi @JayGolf . Case still going. They tried to fix their backend but no joy. It is currently in "Researching" status.

I engaged with my SE as this was his suggestion. I'm a bit worried as this is impacting my timeline for AIOps deployment.

Hopefully they'll fix this week. Whatsmore, I have issues with onboarding devices to AIOps...that's another ticket!

  • 3 replies
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!