Prisma Cloud Application Security: Can you onboard a GitHub Organization with two users?
Question
Prisma Cloud Application Security: Can you onboard a GitHub Organization with two users?
Environment
Prisma Cloud
GitHub
Answer
Yes. A GitHub organization can be onboarded by two users with a separation of duties: one user drives the integration from Prisma Cloud, and a separate GitHub Organization Owner approves the app installation.
There are two types of workflows you can use when onboarding GitHub to Prisma Cloud:
1 - One user that has sufficient permissions in both Prisma Cloud and GitHub

| User | Prisma Cloud role | GitHub role |
|---|---|---|
| User 1 | Default System Admin | Organization Owner |

2 - Two users that have divided permissions in both Prisma Cloud and GitHub

| User | Prisma Cloud role | GitHub role |
|---|---|---|
| User 1 | Default System Admin | Member |
| User 2 | -- | Organization Owner |
When using one user, the onboarding can be completed in one workflow, as described in our documentation - https://docs.prismacloud.io/en/enterprise-edition/content-collections/application-security/get-started/connect-code-and-build-providers/code-repositories/add-github
The workflow for using two users is as follows:
Step 1 of 3
User 1 logs into Prisma Cloud and starts the onboarding process by authorizing Prisma Cloud to access GitHub.
They are redirected to the GitHub authorization screen, where they select the organization and the repositories they want to onboard. Because User 1 is not an Org Owner on GitHub, they cannot install the app themselves; GitHub instead lets them request that the Prisma Cloud app be installed.
In this example, only selected repositories are onboarded rather than all repositories in the organization. Repositories that still need owner approval show a "request" label, and repositories where the app is already installed show an "installed" label.
Step 2 of 3
Once User 1 submits the installation request, User 2, as the Org Owner, receives an email from GitHub notifying them of the request.
On GitHub, User 2 reviews the requested permissions and approves the installation. They are then redirected to the Prisma Cloud public home page; no Prisma Cloud login or further action is required from User 2.
Step 3 of 3
User 1 then restarts the integration, where they can select the repositories to scan and complete the integration.
Additional Information
If I use a service account and complete the onboarding, does the service account have any other use?
Once the appropriate repositories are onboarded, there is no need for the service account anymore. All scanning is done by the Prisma Cloud DevSecOps app installed on GitHub.
Why is an Org Owner permission level on GitHub necessary?
The person INSTALLING the application needs to be an Organization Owner, as per GitHub's documentation - https://docs.github.com/en/organizations/managing-peoples-access-to-your-organization-with-roles/roles-in-an-organization#github-app-managers
If one user is completing the integration, they would need to have Org Owner permissions. If two users are completing the onboarding, then the user approving the installation of the application needs to be an Org Owner. The Prisma Cloud user requesting the installation can have Member permissions on GitHub.
For more information, refer to our documentation - https://docs.prismacloud.io/en/enterprise-edition/content-collections/application-security/get-started/connect-code-and-build-providers/code-repositories/add-github
Does the app inherit the permissions from the user integrating the repos/installing the app?
No. The permissions the app needs are listed on the authorization page, and the Org Owner grants exactly those permissions to the app installation. The app does not inherit any permissions from the user who requests or approves the installation.
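After Step 3, an Org Owner can verify what was actually installed rather than trusting the UI flow. The following script is an added example, not code from the KB article or from Prisma Cloud: it audits a GitHub App installation record, shaped like the response of the GitHub REST endpoint `GET /orgs/{org}/installations` (fetchable by an Org Owner with `gh api /orgs/<org>/installations`), against the permission set shown on the authorization page and against the intended repository selection. The app slug, the expected permission set and the sample JSON are constructed placeholders; Prisma Cloud's real app slug and permission list are not taken from this page.

```python
"""Post-onboarding audit of a GitHub App installation (added example).

Assumptions, not taken from the KB article: the app slugs, the expected
permission set and SAMPLE_RESPONSE below are constructed placeholders.
"""
import json
from typing import Dict, List

# Constructed sample shaped like GET /orgs/{org}/installations. A real run
# would replace this with:  gh api /orgs/<org>/installations
SAMPLE_RESPONSE = json.dumps({
    "total_count": 2,
    "installations": [
        {
            "id": 1001,
            "app_slug": "example-security-scanner",  # assumed slug, not Prisma Cloud's
            "target_type": "Organization",
            "repository_selection": "selected",
            "permissions": {"metadata": "read", "contents": "read", "pull_requests": "write"},
            "events": ["push", "pull_request"],
        },
        {
            "id": 1002,
            "app_slug": "example-ci-bot",  # assumed second app, over-permissioned on purpose
            "target_type": "Organization",
            "repository_selection": "all",
            "permissions": {"metadata": "read", "contents": "write", "administration": "write"},
            "events": ["push"],
        },
    ],
})

# GitHub permission levels ordered so that "write" exceeds "read".
_LEVEL = {"read": 1, "write": 2, "admin": 3}


def find_installation(response_json: str, app_slug: str) -> Dict:
    """Return the installation entry for app_slug, or raise if it is not installed."""
    data = json.loads(response_json)
    for inst in data.get("installations", []):
        if inst.get("app_slug") == app_slug:
            return inst
    raise LookupError(f"app '{app_slug}' is not installed on this organization")


def excess_permissions(granted: Dict[str, str], expected: Dict[str, str]) -> List[str]:
    """List permissions granted beyond what the authorization page listed."""
    findings = []
    for scope, level in sorted(granted.items()):
        want = expected.get(scope)
        if want is None:
            findings.append(f"unexpected scope {scope}:{level}")
        elif _LEVEL.get(level, 0) > _LEVEL.get(want, 0):
            findings.append(f"{scope} granted {level}, expected {want}")
    return findings


def audit_installation(response_json: str, app_slug: str,
                       expected_permissions: Dict[str, str],
                       expect_selected_repos: bool = True) -> List[str]:
    """Return a list of findings; an empty list means the installation matches intent."""
    inst = find_installation(response_json, app_slug)
    findings = excess_permissions(inst.get("permissions", {}), expected_permissions)
    # The two-user flow in this article onboards selected repositories only,
    # so an installation covering all repositories is worth flagging.
    if expect_selected_repos and inst.get("repository_selection") != "selected":
        findings.append("installed on all repositories, but only selected repositories were intended")
    return findings


if __name__ == "__main__":
    # Assumed permission set, standing in for what the authorization page showed.
    expected = {"metadata": "read", "contents": "read", "pull_requests": "write"}
    for slug in ("example-security-scanner", "example-ci-bot"):
        print(slug, audit_installation(SAMPLE_RESPONSE, slug, expected) or "OK")
```

Run it as the Org Owner after approval; any finding means the installed app differs from what the requesting user asked for and should be reviewed before repositories are scanned.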
Can I use two people to onboard repos from other VCSs?
No, the two-person onboarding is only applicable to GitHub. For other VCSs, please have one user that has sufficient permissions in both Prisma Cloud and the VCS complete the integration in one workflow.