IDENTITY-BASED MICROSEGMENTATION DOCUMENTATION

Add users

About adding users

To add users, your user account must be in the System Admin permission group.

To allow users not in the System Admin permission group to access Microsegmentation, select the procedure that corresponds to your preferred interface.

Adding users from the web interface

  1. Expand Microsegmentation and navigate to the top-level namespace. For example, /acme.

  2. Select Namespaces, click Authorizations, click the Create button, and select Create a New API Authorization Policy.

  3. Type the name of the policy. You could use the name of the user that you are adding. For example, aoperator.

  4. Click Next.

  5. In the Subject field, type @auth:subject=, then type the email address of the user, and press ENTER. For example, @auth:subject=aoperator@acme.com.

  6. Remaining in the Subject field, type @auth:userroletypename=, then type the permission group of the user, and press ENTER. For example, @auth:userroletypename=Account Group Admin.

  7. Remaining in the Subject field, type @auth:realm=pcidentitytoken and press ENTER.

  8. Confirm that all of the Microsegmentation tags are connected by and.

  9. Click Next.

  10. If you want to require the user to make their requests from one or more specific IP addresses or CIDR ranges, provide those details. Otherwise, click Next.

  11. Select the Microsegmentation role or roles the user should have.

  12. Click Create.

  13. Have the user verify their access.

Adding users from the command line

  1. Ensure that you have apoctl installed and configured.

  2. Set a USER_EMAIL environment variable containing the email address of the user. An example follows.

    export USER_EMAIL=aoperator@acme.com
    echo $USER_EMAIL
    
  3. Set a USER_NS environment variable containing the Microsegmentation namespace the user should be able to access. The user will be able to access the namespace that you specify as well as all of its children. An example follows.

    export USER_NS=/tenant/cloud/group
    echo $USER_NS
    
  4. Set a ROLE environment variable containing the name of the user’s role. See Microsegmentation user roles below for a list of possibilities.

    export ROLE=namespace.administrator
    echo $ROLE
    
  5. Set a PERMISSION_GROUP environment variable containing the Prisma Cloud permission group of the user.

    export PERMISSION_GROUP="Account Group Admin"
    echo $PERMISSION_GROUP
    
  6. Use the following command to create an API authorization for the user.

    # MICROSEG_NS is the namespace in which the policy itself is created
    # (the web interface procedure above creates it in the top-level namespace,
    # for example /acme); set it before running this command.
    # The unquoted EOF lets the shell expand the variables inside the document.
    cat <<EOF | apoctl api create apiauthorizationpolicies -n $MICROSEG_NS -f -
    name: aoperator
    authorizedIdentities:
    - '@auth:role=$ROLE'
    authorizedNamespace: $USER_NS
    subject:
    - - '@auth:subject=$USER_EMAIL'
      - '@auth:userroletypename=$PERMISSION_GROUP'
      - '@auth:realm=pcidentitytoken'
    EOF
    

    TIP

    You can optionally require the user to log in from one or more specified subnets by adding the authorizedSubnets key to the policy document, as shown below.

    authorizedSubnets:
    - 100.99.35.0/24
    - 100.98.34.0/24
    

  7. Have the user verify their access.
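The command-line procedure above, carried into a small POSIX shell script as an added example that is not part of the product documentation: it checks the values from steps 2 to 5 before the policy document is built, so that a mistyped role or a relative namespace path is rejected instead of being sent to apoctl, renders the same YAML document as step 6 (with the optional authorizedSubnets key from the tip), and only then hands it to apoctl. The function names, the POLICY_NAME variable and the space-separated AUTHORIZED_SUBNETS variable are this example's own; MICROSEG_NS is the page's variable for the namespace in which the policy is created and must be set by you.

```shell
#!/bin/sh
# Added example: validate the inputs from steps 2-5, render the API authorization
# policy from step 6, and create it with apoctl. Not the product's own tooling.

# apoctl role names from the "Microsegmentation user roles" table on this page.
KNOWN_ROLES="app.developer app.viewer infrastructure.administrator infrastructure.viewer namespace.administrator namespace.viewer"

# validate_inputs USER_EMAIL USER_NS ROLE PERMISSION_GROUP
# Returns 0 when every value is usable, 1 (with a message on stderr) otherwise.
validate_inputs() {
  v_email=$1; v_ns=$2; v_role=$3; v_group=$4
  case "$v_email" in
    *@*.*) ;;
    *) echo "USER_EMAIL must be an email address, got: $v_email" >&2; return 1 ;;
  esac
  case "$v_ns" in
    /*) ;;
    *) echo "USER_NS must be an absolute namespace path starting with /, got: $v_ns" >&2; return 1 ;;
  esac
  v_found=0
  for v_r in $KNOWN_ROLES; do
    [ "$v_r" = "$v_role" ] && v_found=1
  done
  if [ "$v_found" -ne 1 ]; then
    echo "ROLE must be one of: $KNOWN_ROLES (got: $v_role)" >&2
    return 1
  fi
  if [ -z "$v_group" ]; then
    echo "PERMISSION_GROUP must not be empty" >&2
    return 1
  fi
  return 0
}

# render_policy NAME USER_EMAIL USER_NS ROLE PERMISSION_GROUP [SUBNET ...]
# Prints the apiauthorizationpolicy document in the layout used in step 6.
# Any extra arguments become entries under authorizedSubnets (the tip above).
render_policy() {
  r_name=$1; r_email=$2; r_ns=$3; r_role=$4; r_group=$5
  shift 5
  cat <<EOF
name: $r_name
authorizedIdentities:
- '@auth:role=$r_role'
authorizedNamespace: $r_ns
subject:
- - '@auth:subject=$r_email'
  - '@auth:userroletypename=$r_group'
  - '@auth:realm=pcidentitytoken'
EOF
  if [ $# -gt 0 ]; then
    echo "authorizedSubnets:"
    for r_subnet in "$@"; do
      echo "- $r_subnet"
    done
  fi
}

# create_policy: reads the environment variables from steps 2-5 plus
# POLICY_NAME, MICROSEG_NS and the optional AUTHORIZED_SUBNETS (hypothetical,
# space separated), validates them, then creates the policy with apoctl.
create_policy() {
  validate_inputs "$USER_EMAIL" "$USER_NS" "$ROLE" "$PERMISSION_GROUP" || return 1
  if [ -z "$MICROSEG_NS" ]; then
    echo "MICROSEG_NS (namespace in which the policy is created) must be set" >&2
    return 1
  fi
  # $AUTHORIZED_SUBNETS is intentionally unquoted so each subnet becomes one argument.
  render_policy "${POLICY_NAME:-$USER_EMAIL}" "$USER_EMAIL" "$USER_NS" "$ROLE" "$PERMISSION_GROUP" $AUTHORIZED_SUBNETS \
    | apoctl api create apiauthorizationpolicies -n "$MICROSEG_NS" -f -
}

# Usage (after exporting USER_EMAIL, USER_NS, ROLE, PERMISSION_GROUP, MICROSEG_NS):
#   create_policy
# To review the document without creating anything:
#   render_policy aoperator "$USER_EMAIL" "$USER_NS" "$ROLE" "$PERMISSION_GROUP"
```

Validating ROLE against the table matters because the role string is copied verbatim into the policy; a typo that apoctl accepts would grant something other than what was intended, and reviewing the rendered document with render_policy before calling create_policy lets you confirm the subject, namespace and role together.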

Microsegmentation user roles

The following table lists the primary Microsegmentation roles by their apoctl name and their web interface name, together with the privileges each grants.

apoctl role name              Web interface role name       Privileges
app.developer                 Application Developer         Create, read, update, and delete permissions on network policies, external networks, and processing units in the namespace
app.viewer                    Application Viewer            Read permissions on network policies, external networks, and processing units
infrastructure.administrator  Infrastructure Administrator  Read permissions on namespaces; create, read, update, and delete on all other resources in the namespace
infrastructure.viewer         Infrastructure Viewer         Read permissions on all resources in the namespace
namespace.administrator       Namespace Administrator       Create, read, update, and delete permissions on all resources in the namespace
namespace.viewer              Namespace Viewer              Read permissions on all resources in the namespace