Prisma Cloud Compute: Setting Role Based Access to Scan On-Prem Registries

Created On 06/20/22 21:46 PM - Last Modified 07/11/25 20:03 PM


Symptom


Scan results for on-prem registries show as empty when viewed by a user role with less than full admin rights.

Other contributing factors:
  • Customers want to segregate registry scan output by user role with less than full admin rights.
  • They then create different access control roles, assigned to different account groups. 
  • The registry they are scanning is on-prem and not in the public cloud.


Environment


  • Prisma Cloud
    • Cloud Account Group
    • Roles

Ask:

  1. The user has an AWS cloud account, but also maintains a registry (often a JFrog Artifactory) on their own premises.
  2. They want to segregate scan results for that Artifactory so they can be viewed by a user role with less than full admin rights.


Cause


The scan results for on-prem registries will be empty if either of the following is true:

1. The role is not specified to "access on-prem or other cloud providers", or

2. The AWS account ID is not specified as a non-onboarded account ID.



Resolution


1. Ensure that the AWS Account ID which has access to the AWS Cloud Account is specified as a Non-Onboarded Account ID when creating the Account Group used for the User Role (Settings > Account Groups > Add). 


2. That Account Group is then specified when creating the Role that will be used to access the scan results. (Settings > Access Control > Roles > Add). 

3. In addition, the On-prem / Other cloud providers check box under Advanced Options must be selected.  The information link for that field details that "This permission allows access to view data coming from hosts deployed in clouds other than AWS, GCP and Azure," which is exactly what is needed for on-prem account discovery.




Additional Information


Registry scans still have to be configured in accordance with documented procedures here. 


