Prisma Cloud : RQL in Investigation tab not getting generated for Read-Only User from Alerts Tab

Prisma Cloud : RQL in Investigation tab not getting generated for Read-Only User from Alerts Tab

418
Created On 01/09/23 02:22 AM - Last Modified 07/24/25 17:56 PM


Symptom


  • A Read-Only User Role from Custom Permission Group wants to investigate an Alert.
  • For the same, when the User clicks on Investigate button under the "Actions" section of the mentioned alert, it redirects to the Investigate tab.

GUI Path: Alerts > Alerts Overview 
Screenshot 2023-01-09 at 10.09.57 AM.png
 

  • However, no RQL is generated in the Investigate tab. for this user.

GUI Path: Investigate 
Screenshot 2023-01-09 at 10.12.50 AM.png
 

Environment


  • Prisma Cloud
  • Read-Only User Role created from Custom Permission Group

Cause


  • “Account Group Read Only” has “READ:RQL” permission but when we create the Custom Permission Group, only permission assigned will those selected in the screen.
  • We don’t have an option to select “READ:RQL” role.
  • Once GRBAC is enabled for all RQL modules, all Investigate page permissions will be copied over as is, to custom permission group.
  • However, this use case with custom permission group is not supported as of today.

Resolution


  • This is as per product design.

 

Additional Information


  • This issue is only observed for Read-Only User role created from Custom Permission Group for Network Policies.
Other users also viewed:
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000kG7kCAE&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail