How to configure role based management access for more than 1 sub-tenants from panorama for Prisma access multi-tenant environment.

Created On 07/12/21 04:58 AM - Last Modified 10/25/21 22:45 PM


Objective


Create users with role-based admin access to Panorama, where each user can be assigned more than one Prisma Access sub-tenant (access domain), without exposing all of the sub-tenants to those users.

Environment


  • Prisma Access multi-tenant environment managed by Panorama.
  • Panorama version: 9.1.11 or above.
  • Cloud Services plugin: 2.0.0-h13, 2.1.0-h4, or above.


Procedure


1: Configure Prisma Access for multi-tenancy as required, following the document below, and associate a unique access domain with each sub-tenant.
Plan your Multi-tenant Deployment
2: Navigate to Panorama > Access Domain and verify that each sub-tenant has its own unique access domain.
3: Navigate to Panorama > Admin Roles. Add an admin role for each tenant with role type "Device Group and Template" and enable all the components under Web UI (all are enabled for this example; restrict them if a tenant admin needs less). The role controls which UI functions the admin may use; the access domain controls which sub-tenant's device groups and templates the admin can reach.
4: Create an admin user under Panorama > Administrators, select the Administrator Type "Device Group and Template", and add both access domains, each with its respective admin role. In this example a user named "admin1234" was created to manage two sub-tenants: the access domains are Eng_Tenant and Marketing_Tenant, and their admin roles First_tenant and second_tenant were created in the previous steps. The actual sub-tenant names are not visible in this step.
5: Perform a Panorama local commit to save the configuration.
6: Log in to Panorama as the newly added user. The page loads with only one access domain, shown in the Access Domain selector at the bottom left of the page.
7: To switch from Eng_Tenant to Marketing_Tenant, open the Access Domain drop-down and select the second domain. Once the page loads, refresh the whole browser page so that the Cloud Services plugin configuration for the second tenant is loaded.
8: The browser refresh is required every time the user switches from the first tenant to the second or vice versa.
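The procedure above is done in the GUI, so the only check the page offers is to log in as each admin and look at the Access Domain selector. The script below is an added example (not from this article or from Palo Alto Networks) that does the equivalent check offline: it parses a configuration export and reports any role-based admin whose access domains differ from the intended mapping, any superuser (who sees every sub-tenant regardless of access domains), and any role that is not of the "Device Group and Template" type. The XML is a constructed, simplified stand-in whose element names (users, access-domains, admin-roles, role-based) are assumptions chosen for illustration and are not the real Panorama schema; adapt the XPath expressions to a real export before use. Finance_Tenant, contractor and breakglass are constructed names that do not appear in the article.

```python
"""Audit role-based Panorama admins against an intended access-domain allowlist.

Added example, not from the Palo Alto Networks article. The XML below is a
constructed, simplified stand-in for a Panorama configuration export; the
element names are assumptions for illustration, not the real Panorama schema.
"""
import xml.etree.ElementTree as ET

# Constructed sample: three access domains (one per sub-tenant), three
# "Device Group and Template" roles, the article's admin1234 mapped to two
# domains, a contractor holding one domain more than intended, and a
# superuser account.
SAMPLE_CONFIG = """
<config>
  <access-domains>
    <entry name="Eng_Tenant"/>
    <entry name="Marketing_Tenant"/>
    <entry name="Finance_Tenant"/>
  </access-domains>
  <admin-roles>
    <entry name="First_tenant" type="devicegroup-template"/>
    <entry name="second_tenant" type="devicegroup-template"/>
    <entry name="third_tenant" type="devicegroup-template"/>
  </admin-roles>
  <users>
    <entry name="admin1234">
      <role-based>
        <access-domain name="Eng_Tenant" role="First_tenant"/>
        <access-domain name="Marketing_Tenant" role="second_tenant"/>
      </role-based>
    </entry>
    <entry name="contractor">
      <role-based>
        <access-domain name="Eng_Tenant" role="First_tenant"/>
        <access-domain name="Finance_Tenant" role="third_tenant"/>
      </role-based>
    </entry>
    <entry name="breakglass">
      <superuser/>
    </entry>
  </users>
</config>
"""

# Intended user -> access-domain mapping (constructed; in practice this
# would come from a ticket, an IaC repo, or an IdP group export).
INTENDED = {
    "admin1234": {"Eng_Tenant", "Marketing_Tenant"},
    "contractor": {"Eng_Tenant"},
}


def parse_admins(xml_text):
    """Return {user: {"superuser": bool, "domains": {domain: role}}}."""
    root = ET.fromstring(xml_text)
    admins = {}
    for user in root.findall("./users/entry"):
        domains = {
            ad.get("name"): ad.get("role")
            for ad in user.findall("./role-based/access-domain")
        }
        admins[user.get("name")] = {
            "superuser": user.find("superuser") is not None,
            "domains": domains,
        }
    return admins


def audit(xml_text, intended):
    """Return sorted findings; an empty list means the config matches intent."""
    root = ET.fromstring(xml_text)
    defined_domains = {e.get("name") for e in root.findall("./access-domains/entry")}
    role_types = {e.get("name"): e.get("type") for e in root.findall("./admin-roles/entry")}
    findings = []
    for user, info in parse_admins(xml_text).items():
        if info["superuser"]:
            # Superusers bypass access domains entirely, so every sub-tenant is exposed.
            findings.append(f"{user}: superuser, sees every sub-tenant")
            continue
        expected = intended.get(user)
        if expected is None:
            findings.append(f"{user}: not in intended list")
            continue
        actual = set(info["domains"])
        for extra in sorted(actual - expected):
            findings.append(f"{user}: unexpected access domain {extra}")
        for missing in sorted(expected - actual):
            findings.append(f"{user}: missing access domain {missing}")
        for dom, role in info["domains"].items():
            if dom not in defined_domains:
                findings.append(f"{user}: access domain {dom} is not defined")
            if role_types.get(role) != "devicegroup-template":
                findings.append(f"{user}: role {role} is not Device Group and Template")
    return sorted(findings)


if __name__ == "__main__":
    for line in audit(SAMPLE_CONFIG, INTENDED):
        print(line)
```

Run it against the sample and it flags the contractor's extra Finance_Tenant domain and the superuser account, while admin1234 (two domains, each with a Device Group and Template role, exactly as in step 4) produces no finding. The check is deliberately strict in both directions: an admin missing an intended domain is reported too, because that usually means a commit in step 5 was skipped or applied to the wrong Panorama.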


Additional Information


If Panorama is running 9.1.10 or earlier, the feature may not work as expected. A hotfix based on 9.1.10 is available for users who cannot wait for the 9.1.11 release; alternatively, upgrade to 10.0.6 or later.
The setup also depends on the plugin version: Cloud Services plugin 2.0.0-h13 or 2.1.0-h4 is required for the tenant switch to work.
If the user does not refresh the browser page after selecting the second access domain, the UI may show an "Unauthorized request" error. This will be improved in future Cloud Services plugin releases; until then, refresh the browser to load the configuration.


