How to Create/Manage a Group

How to Create/Manage a Group

Created On 09/25/18 18:07 PM - Last Modified 04/01/24 18:42 PM


The following user roles can create and manage groups:

  • Account Super Users and Domain Administrators can create groups, add devices/spares/members to the group.
  • Group Super Users can add members to the group and manage the group devices.
  • Group Default Users can view members and manage the group devices.


Create a New Group

  • Click Groups menu.
  • Click Add New Group button.
  • Enter a group name and description (optional).
  • Click pencil to save.
  • The group is added to the Groups table.


Add a Group Device

  • Click Groups menu.
  • Click a group's Devices link.
  • In the Group Devices window, click on the Add Device to Group.
  • In the Add Device to Group window, select the device serial number then click on the Submit button.
  • The device is added to group.

Note: When a hardware device is added to a Group, the serial number will not be visible under Devices tab, it will be visible only under Products tab and in the Group - Devices section. It does not apply to VM serial numbers which even after being added to a Group, will be visible under Products > Software NGFW Devices as well as in the Group it was added to. 

Add a Group Member

  • Click Groups menu.
  • Click group's Members link.
  • Click Add Member button.

  • Enter a user's email address, activation date, expiration date (optional), role, and description (optional).
  • Click Checkmark button to save.
  • NOTE: to add a user to a group - the user must have already User ID in the main Members list . You cannot create a new user within Group. In order to limit user's access to the main account - do the following: 
  • 1. Create  user  membership:  Members>Create new user.
  • 2. Add user to a group.
  • 3.Remove user's membership from the main account: Members>Manage users>Search email and click "Remove".

Important Note for User Management APIs and Group Roles
Palo Alto Networks user management APIs can be used to assign and modify CSP account roles, such as Standard and Limited user roles.  However, these user management APIs cannot be used to assign and manage Group roles, such as Group Standard role, since Group roles will be deprecated in 2025.

See Also

For a full list of other Support Portal User Documents, please click here:

Customer Support Portal User Documents

Additional Information

Users with Super User or Domain Administrator role will be able to see all devices in a Group within the main device list in CSP (regardless of whether the users are added as a member of that group, or not).


If it is not possible to remove a user or edit a users role within a group proceed in opening a Support Case, our Support Team will work with our Operations Team to resolve the issue.

  • Print
  • Copy Link

Choose Language