Tags and identity
Each object in Microsegmentation has a set of key-value pairs that describe its attributes. We call these tags. Tags allow you to identify users and workloads to determine whether they should be allowed to access resources and communicate.
Some examples of tags follow.
Tags are consumed from different sources like the computing environment, the application, or the Microsegmentation Console itself.
Other tags can be added manually using the Microsegmentation section of the Prisma Cloud web interface, from the command line with
apoctl, or a Microsegmentation Console API call.
Types of tags
Tag names are categorized and prefixed based on their origin.
||Attribute based tag: auto-generated, based on object attributes.||
||Metadata Tag: can only be added at the creation.||
||Auth Tag: derived from an auth token claim||
|User Defined: defined by a user||
You can link tags together with
OR operators to form tag expressions.
For example, you can create an expression like:
(size=big and color=blue) or (size=small and color=red) or (type=admin)
Microsegmentation represents this information in a two-dimensional array, where:
- The first dimension is
- The second dimension is
The above expression is then represented by:
[ ["size=big", "color=blue"], ["size=small", "color=red"], ["type=admin"], ]
The web interface provides graphical controls to help you build these expressions easily.
We recommend resisting the temptation to add a large number of tags. Too many tags can cause confusion.
For example, if you deploy a three-tier application, you may only need:
In turn, you can create a network policy that will allow:
- allow from
app=myapp and role=frontend and env=productionto
app=myapp and role=backend and env=production
- allow from
app=myapp and role=backend and env=productionto
app=myapp and role=database and env=production