IDENTITY-BASED MICROSEGMENTATION DOCUMENTATION

Tags and identity

Basics

Each object in Microsegmentation carries a set of key-value pairs that describe its attributes. We call these tags. Tags identify users and workloads, and policy decisions about whether they may access resources or communicate with each other are made by matching on them.

Some examples of tags follow.

  • app=wordpress
  • role=frontend
  • env=qa
  • os=linux
  • $type=docker

Tags come from different sources: the computing environment, the application, or the Microsegmentation Console itself. Additional tags can be added manually in the Microsegmentation section of the Prisma Cloud web interface, from the command line with apoctl, or through a Microsegmentation Console API call.

Types of tags

Tag names are categorized, and prefixed, according to their origin.

  Prefix   Description                                                   Example
  $        Attribute-based tag: auto-generated from object attributes    $name=nginx
  @        Metadata tag: can only be set when the object is created      @sys:image=nginx
  @auth    Auth tag: derived from a claim in the auth token              @auth:account=mycompany
  (none)   User-defined tag: set by a user                               role=frontend

Tag expressions

You can link tags together with AND or OR operators to form tag expressions.

For example, you can create an expression like:

(size=big and color=blue) or (size=small and color=red) or (type=admin)

Microsegmentation represents this information as a two-dimensional array, where:

  • The outer array lists alternatives (OR): the expression matches if any inner array matches.
  • Each inner array lists tags that must all be present (AND) on the object.

The above expression is then represented by:

[
  ["size=big", "color=blue"],
  ["size=small", "color=red"],
  ["type=admin"],
]
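The following is an added example, not code from this documentation or from the Microsegmentation product. It converts an expression written with "and"/"or" into the two-dimensional array shown above, classifies a tag by the prefix convention from the table, and evaluates the array against a workload's tag set (any inner clause whose tags are all present makes the expression match). The helper names, and the fact that only one level of parentheses is handled, are assumptions of this example, not the Console's own parser.

```python
import re

# Tag origins according to the prefix table above. The classifier itself is a
# helper written for this example, not a product API.
def tag_origin(tag):
    key = tag.split("=", 1)[0]
    if key.startswith("@auth:"):
        return "auth"
    if key.startswith("@"):
        return "metadata"
    if key.startswith("$"):
        return "attribute"
    return "user-defined"


def parse_tag_expression(text):
    """Parse '(a=1 and b=2) or (c=3)' into [["a=1", "b=2"], ["c=3"]].

    Outer list = OR, inner lists = AND, matching the documented array form.
    Only one level of parentheses around each AND group is supported
    (an assumption of this example, not a product limitation).
    """
    clauses = []
    for chunk in re.split(r"\s+or\s+", text.strip(), flags=re.IGNORECASE):
        chunk = chunk.strip()
        if chunk.startswith("(") and chunk.endswith(")"):
            chunk = chunk[1:-1]
        terms = [t.strip() for t in re.split(r"\s+and\s+", chunk, flags=re.IGNORECASE)]
        for term in terms:
            # Every term must be a key=value tag; reject anything else early so a
            # malformed policy does not silently match nothing (or everything).
            if "=" not in term or term.startswith("="):
                raise ValueError(f"not a key=value tag: {term!r}")
        clauses.append(terms)
    return clauses


def matches(expression, tags):
    """True if the tag set satisfies the expression.

    A workload that is missing even one tag of an AND clause does not match
    that clause; it may still match through another OR alternative.
    """
    tagset = set(tags)
    return any(all(t in tagset for t in clause) for clause in expression)


if __name__ == "__main__":
    expr = parse_tag_expression(
        "(size=big and color=blue) or (size=small and color=red) or (type=admin)"
    )
    print(expr)
    # Constructed workload tag sets for illustration.
    print(matches(expr, ["size=big", "color=blue", "env=qa"]))   # True
    print(matches(expr, ["size=big", "color=red"]))              # False
    print(matches(expr, ["type=admin"]))                         # True
```

The check in matches() is the one that matters when debugging a policy that "should" apply: an AND clause requires every listed tag, so a workload that lost a single tag (for example an env tag that was never set in a new environment) silently falls out of the match.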

The web interface provides graphical controls to help you build these expressions easily.

Best practices

We recommend resisting the temptation to add a large number of tags. Too many tags cause confusion and make it hard to see which policy applies to which workload.

For example, if you deploy a three-tier application, you may only need:

  • app=myapp
  • role=frontend, role=backend, role=database
  • env=production

With those tags, you can write network policy rules that allow:

  • allow from app=myapp and role=frontend and env=production to app=myapp and role=backend and env=production
  • allow from app=myapp and role=backend and env=production to app=myapp and role=database and env=production
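As an added example (not code from this documentation or the product), the two rules above encoded as tag expressions and evaluated against constructed workloads. It assumes a flow that matches no rule is denied, and that rules are directional (the "from" side must match the source and the "to" side the destination); the rule and workload names are made up for the illustration.

```python
# Matcher for the two-dimensional expression form: outer list = OR, inner = AND.
def matches(expression, tags):
    tagset = set(tags)
    return any(all(t in tagset for t in clause) for clause in expression)


# The three-tier policy from the text, as constructed rules for this example.
# Each rule: traffic from a source matching "from" to a destination matching "to".
POLICY = [
    {"name": "frontend-to-backend",
     "from": [["app=myapp", "role=frontend", "env=production"]],
     "to":   [["app=myapp", "role=backend", "env=production"]]},
    {"name": "backend-to-database",
     "from": [["app=myapp", "role=backend", "env=production"]],
     "to":   [["app=myapp", "role=database", "env=production"]]},
]


def allowing_rule(policy, src_tags, dst_tags):
    """Return the name of the first rule permitting src -> dst, or None.

    Assumption of this example: no matching rule means the flow is denied.
    """
    for rule in policy:
        if matches(rule["from"], src_tags) and matches(rule["to"], dst_tags):
            return rule["name"]
    return None


# Constructed workloads. Every workload also carries auto-generated tags
# such as $type=docker; they are simply ignored by rules that do not name them.
WORKLOADS = {
    "web-1":     ["app=myapp", "role=frontend", "env=production", "$type=docker"],
    "api-1":     ["app=myapp", "role=backend",  "env=production", "$type=docker"],
    "db-1":      ["app=myapp", "role=database", "env=production", "$type=docker"],
    "web-qa":    ["app=myapp", "role=frontend", "env=qa",         "$type=docker"],
    "api-other": ["app=otherapp", "role=backend", "env=production", "$type=docker"],
}


def check_flow(src, dst):
    return allowing_rule(POLICY, WORKLOADS[src], WORKLOADS[dst])


if __name__ == "__main__":
    for src, dst in [("web-1", "api-1"), ("api-1", "db-1"), ("web-1", "db-1"),
                     ("api-1", "web-1"), ("web-qa", "api-1"), ("web-1", "api-other")]:
        print(f"{src} -> {dst}: {check_flow(src, dst) or 'DENIED'}")
```

Three of the denials are worth noting when reviewing a policy: the frontend cannot reach the database because no rule names that pair; the reverse direction (backend to frontend) is not implied by the forward rule; and the QA frontend cannot reach the production backend because env=production is part of every AND clause. Omitting env from the rules would quietly allow that last flow.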