Prisma Cloud : RBAC customer role unable to see all Alert rule Names in "Alert Rule Name" filter on Alerts tab

Created On 04/04/24 09:43 AM - Last Modified 06/12/24 07:02 AM


Symptom


On Prisma Cloud, for a user with an RBAC custom role, the filter at Cloud Security > Alerts > Filters > Alert Rule Name does not list all the alert rules that have been created.

Environment


Prisma Cloud
RBAC users
Alert Rules


Cause


The following example explains the current design.

1. Suppose there are two Account Groups, Full-list-accounts and Partial-list-accounts.


2. There are also two Alert Rules, Full-Access-Alert-Rule and Partial-Access-Alert-Rule.


3. Full-Access-Alert-Rule has targets Full-list-accounts and Partial-list-accounts


4. Partial-Access-Alert-Rule has targets Partial-list-accounts.



5. Role Full-access has Account Groups Full-list-accounts and Partial-list-accounts.


6. Role Partial-Access has Account Group Partial-list-accounts.



7. Even though the accounts in Partial-list-accounts are also part of Full-list-accounts, the Role Partial-Access will not have access to the Alert Rule Full-Access-Alert-Rule. 

8. Only Partial-Access-Alert-Rule will be listed. 



Alerts > Filter "Alert Rule Name" 


9. However, Role Full-access will get both Alert Rules Full-Access-Alert-Rule and Partial-Access-Alert-Rule listed.




10. If Partial-list-accounts is removed from the role Full-access, then the role will lose access to both Alert Rule names.



11. This is because the Alert Rule has both Partial-list-accounts and Full-list-accounts as targets, while the role Full-Access has only Full-list-accounts.

12. Once Partial-list-accounts is removed from the Alert Rule Full-Access-Alert-Rule, Full-Access-Alert-Rule becomes usable in the filter for role Full-Access.


13. If the Full-Access role is configured to have access to both account groups, Full-list-accounts and Partial-list-accounts, and Full-Access-Alert-Rule targets Full-list-accounts while Partial-Access-Alert-Rule targets Partial-list-accounts, then the Full-Access role can use both rules in the filter.

 


Resolution


This is the current design.
1. Individual accounts are not compared between the Alert Rule and the Role to determine which Alert Rules can be used by which Roles.
2. The decision is made by account groups.
3. The Account Groups in the Alert Rule target have to match either the complete set or a subset of the Account Groups assigned to a Role.
4. Only then can the Role use the Alert Rule as a filter.
5. The reverse is not true: if the Account Groups assigned to a Role are a subset of the Account Groups in the Alert Rule target, the Alert Rule will not be visible to the Role.
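
The subset rule above, modelled as an added example (not Palo Alto Networks code, and it calls no Prisma Cloud API). It replays the Full-access / Partial-Access scenario from the Cause section and reports which target account groups a role lacks for each hidden rule; the function names are illustrative.

```python
# Added model of the rule described on this page; not Prisma Cloud code and it
# calls no Prisma Cloud API. Names are the ones used in the page's example.

def visible_rules(role_groups, alert_rules):
    """Alert rule names a role can pick in the 'Alert Rule Name' filter.

    A rule is usable only when every account group in its target is also
    assigned to the role (target set equal to, or a subset of, the role's set).
    """
    role_groups = set(role_groups)
    return sorted(name for name, targets in alert_rules.items()
                  if set(targets) <= role_groups)


def missing_groups(role_groups, alert_rules):
    """For each hidden rule, the target account groups the role lacks."""
    role_groups = set(role_groups)
    hidden = {}
    for name, targets in alert_rules.items():
        lacking = set(targets) - role_groups
        if lacking:
            hidden[name] = sorted(lacking)
    return hidden


FULL, PARTIAL = "Full-list-accounts", "Partial-list-accounts"

# Steps 3-4: alert rule targets.
RULES = {
    "Full-Access-Alert-Rule": [FULL, PARTIAL],
    "Partial-Access-Alert-Rule": [PARTIAL],
}
# Steps 5-6: account groups assigned to each role.
ROLES = {"Full-access": [FULL, PARTIAL], "Partial-Access": [PARTIAL]}
# Step 12: Partial-list-accounts removed from Full-Access-Alert-Rule.
RULES_STEP_12 = dict(RULES, **{"Full-Access-Alert-Rule": [FULL]})

if __name__ == "__main__":
    for role, groups in ROLES.items():
        print(role, "->", visible_rules(groups, RULES),
              "| hidden:", missing_groups(groups, RULES))
    # Step 10: role Full-access reduced to Full-list-accounts only.
    print("step 10 ->", visible_rules([FULL], RULES))
    print("step 12 ->", visible_rules([FULL], RULES_STEP_12))
```

When a rule is missing from a role's filter, the `missing_groups` output names the account groups that would have to be added to the role, or removed from the rule's target, for it to appear.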

The following diagrams help illustrate the relationship.

1. Role and Alert Rule are associated with the same set of account groups.


2. Alert rule has fewer accounts than the Role.



3. Role has fewer accounts than the Alert rule target.

 


Additional Information


To request a change in this behaviour, contact the Sales/Account team and raise a Feature Request.
