Support Portal User Role Matrix

Support Portal User Roles	Super User	Standard User	Limited User ++	Emergency Security Contact +	Threat Researcher	AutoFocus Trial Role	Group Super User	Group Standard User	Group Limited User	Group Threat Researcher	Bulk Registration	Cloud Product	Domain Admin	ELA Admin	Credit Admin	APS User	SSO Administrator	Cortex User
Manage Company Account Information	X
Notified When Security Impacting Events Occur	X			X
Create New User	X												x
Manage Members	X**	Read Only	Read Only										x**			Read Only
Manage Assets ****	X	X	X		X	X										X
Manage Groups	X												X
Case Management	X*	X*														X*
Auto Focus Portal (Subscription only)					X	X						X
Licensing API	X
Group Level Access
Create New Group User	X						X						X
Manage Group Members							X	Read Only	Read Only
Manage Group Assets							X	X	X	X
Case Management (Group)							X*	X*
Wildfire Portal	X	X	X				X	X	X	X		X	X	X		X
Threat Vault	X	X	X				X	X	X							X
Applipedia	X	X	X				X	X	X							X
ELA Tokens														X
Initial hub account admin													X
Transfer Software NGFW/CN Tokens *****															X
Management of Software Tokens *****	x	x													x	X
Linked Accounts												x	X
Bulk Registration/History											x
Cloud Services ***	x	x	x		x							X				X
APS Live Community																X
Cortex XDR Gateway ******																		X

+ We recommend every CSP account have at least one member who is assigned role Emergency Security Contact. This person is notified when security impacting events are detected.

++ When a user is assigned Limited Role, the user will not be able to create nor manage support cases.

* All users in the main CSP account and groups with Case Management visibility will be able to view each others cases. Cases are not segmented by group.

** Only a Super User will be able to assign the Domain Admin role. A user must have Domain Admin role in order to delete or edit another user with Domain Admin role.

*** Cloud Product Role: User with Cloud Product only role can log in to XDR. XDR roles can then be assigned to the user.

**** Manage Assets capability enables a user to manage any product in Palo Alto Networks' product portfolio.

***** Credit Admin role enables a user to fully access all Software NGFW/CN Credits features. Super Users can activate credits but cannot transfer tokens between pools.

****** Cortex User role added: When an admin selects this role for a user, the user will appear in the Cortex tenant with the User Type being shown as CSP.

Existing users with Cortex permissions will be migrated for the 2026 Q3 release (GA scheduled for May 3, 2026). Starting with this release, only users tagged with the Cortex User role will be visible in the Gateway.

The SSO Administrator role is solely responsible for administering third-party Identity Providers (IDPs) and is assigned by a Super User.

Support Portal User Roles	Super User + ELA Admin	Super User + Domain Admin	SSO Administrator	Super User + SSO Admin
All Super User Permissions	X	X		X
Administer Account Linkage		X		X
Administer Third-Party IDP			X	X
Administer ELA Grants	X
Administer ELA Tokens	X

We recommend every CSP account have at least one member who is assigned role Emergency Security Contact.  This person is notified when security impacting events are detected, such as insecure product configurations, data breaches, exploited product vulnerabilities.

 

Configured users are required to have one of the following roles.

• Super User
• Standard User
• Limited User

Configuring multiple roles is not required as the Super User Role overwrites the Standard User Role.  

Similar concept applies when configuring Group Accounts. The member on the group account has to have one of the below roles.

• Group Super User
• Group Standard User
• Group Limited User.

Having both Group Super User and Group Standard User is not required as the Group Super User Role overwrites the Group Standard User Role.  

 

All other roles on the Support Portal User Role Matrix are "Add On" roles for a particular product.