Palo Alto Networks User Management Guide

Manual workflow

How to add, remove, and manage users with operational caveats that matter in production.

Updated Mar 11, 2026

Summary and recommendation

Palo Alto Networks user management can be run manually, but complexity usually increases with role models, licensing gates, and offboarding dependencies. This guide gives the exact mechanics and where automation has the biggest impact.

Palo Alto Networks user management runs through hub.paloaltonetworks.com and spans multiple product consoles - Prisma Access, Cortex XDR, Prisma Cloud - each with its own internal RBAC layer. The hub uses a hybrid role model: predefined roles (Super User, Instance Admin, Read-Only) plus custom roles available on Enterprise-tier subscriptions.

Every app in the Palo Alto Networks portfolio enforces access independently, so a role granted at the hub level does not automatically translate into the correct permissions inside a specific product console.

Quick facts

  • Admin console path: hub.paloaltonetworks.com → Settings → Identity & Access → Users
  • Admin console URL: Official docs
  • SCIM available: Yes
  • SCIM tier required: Enterprise
  • SSO prerequisite: Yes

User types and roles

  • Super User (Account Admin)
    Permissions: Full access to all tenant settings, user management, license management, product provisioning, and billing across all Palo Alto Networks cloud services associated with the account.
    Plan required: Any (account-level role)
    Seat cost: No additional seat cost; administrative role only
    Watch out for: Only users with the Super User role can add or remove other Super Users. There must always be at least one Super User on the account.
  • Instance Administrator
    Permissions: Administrative access scoped to a specific product instance (e.g., Prisma Access, Cortex XDR). Can manage users and settings within that instance only.
    Cannot do: Cannot manage billing, cross-product licensing, or other product instances outside their assigned scope.
    Plan required: Requires an active subscription to the relevant product
    Seat cost: No additional seat cost; administrative role only
    Watch out for: Permissions are instance-scoped; a user may be an Instance Admin on one product and have no access to another.
  • Read-Only User
    Permissions: Can view dashboards, reports, and configuration within assigned product instances. Cannot make configuration changes.
    Cannot do: Cannot modify settings, add/remove users, or manage licenses.
    Plan required: Any
    Seat cost: No additional seat cost for the admin portal role; product access may consume a named-user license depending on the product
    Watch out for: Read-only access is configured per product; a user may have read-only in one product and no access in another.
  • Named User (Product License Seat)
    Permissions: End-user access to a licensed product (e.g., GlobalProtect VPN via Prisma Access). Access level is determined by product-specific role assignment.
    Cannot do: Cannot access hub.paloaltonetworks.com administrative functions unless separately granted an admin role.
    Plan required: Requires a named-user seat license (Prisma Access is licensed in user tiers: 200–100,000+ users)
    Seat cost: Subscription-based; contact Palo Alto Networks for pricing. Prisma Access uses tiered named-user licensing.
    Watch out for: Named-user counts are enforced at the license tier. Exceeding the licensed user count requires a license upgrade.

Permission model

  • Model type: hybrid
  • Description: Palo Alto Networks uses a hybrid model combining predefined system roles (Super User, Instance Admin, Read-Only) with custom role creation available in the hub portal. Roles can be scoped at the tenant level or per product instance. Individual product consoles (e.g., Cortex XDR, Prisma Cloud) have their own internal RBAC systems with additional granularity.
  • Custom roles: Yes
  • Custom roles plan: Available on Enterprise-tier subscriptions; custom role creation in hub requires Super User access.
  • Granularity: Tenant-level and per-product-instance scoping. Within individual products (e.g., Prisma Cloud, Cortex XDR), granularity extends to resource groups, account groups, and feature-level permissions.

How to add users

  1. Sign in to hub.paloaltonetworks.com with a Super User or Instance Admin account.
  2. Navigate to Settings → Identity & Access → Users.
  3. Click 'Invite User' or 'Add User'.
  4. Enter the user's email address.
  5. Select the appropriate role (Super User, Instance Admin, Read-Only, or a custom role).
  6. If assigning an Instance Admin role, select the specific product instance(s) to scope the access.
  7. Click 'Send Invitation'. The user receives an email invitation to activate their account.
  8. The user must accept the invitation and set up their Palo Alto Networks account (or link an existing one) before access is granted.

Required fields: Email address, Role assignment, Product instance scope (required for Instance Admin role)

Watch out for:

  • Users must have or create a Palo Alto Networks account (hub login) to accept the invitation. SSO can be configured to streamline this.
  • Invitation links expire; if a user does not accept within the expiry window, the invitation must be resent.
  • Adding a named user to a product (e.g., Prisma Access) consumes a licensed seat. Ensure sufficient license capacity before adding users.
  • For products with their own admin consoles (Cortex XDR, Prisma Cloud), users may need to be added separately within that product's console in addition to the hub portal.
  • SCIM provisioning (automated) requires Cloud Identity Engine and an Enterprise subscription with SSO configured.

Bulk options:

  • CSV import: No (not documented)
  • Domain whitelisting (automatic domain-based user add): No
  • IdP provisioning: Yes, on Enterprise (requires Cloud Identity Engine; SSO is a prerequisite)

How to remove or deactivate users

  • Can delete users: Yes
  • Delete/deactivate behavior: Users can be deleted from the hub portal. Deletion removes the user's access to all associated product instances and the hub. Some products may retain audit log entries and historical data associated with the deleted user's account for compliance purposes. There is no documented 'deactivate/suspend' state in the hub portal; removal is a deletion action.

  1. Sign in to hub.paloaltonetworks.com with a Super User account.
  2. Navigate to Settings → Identity & Access → Users.
  3. Locate the user to be removed using search or the user list.
  4. Select the user and click 'Remove' or 'Delete User'.
  5. Confirm the deletion in the confirmation dialog.
  6. If the user was provisioned via SCIM/IdP, deprovision the user in the IdP to prevent re-provisioning on the next sync.

Data impact:

  • Owned records: Audit logs and historical activity records associated with the deleted user are retained for compliance. Configuration objects created by the user remain in place and are not deleted.
  • Shared content: Shared policies, rules, and configurations created by the user persist and remain accessible to other admins.
  • Integrations: API keys or service accounts associated with the deleted user may stop functioning. Review and rotate any API credentials tied to the user before deletion.
  • License freed: Deleting a named user from a product instance frees the consumed named-user license seat, making it available for reassignment within the current license tier.

Watch out for:

  • If the user was the sole Super User on the account, deletion is blocked. Assign another Super User first.
  • Users provisioned via SCIM will be re-provisioned on the next IdP sync if not also deprovisioned in the IdP.
  • Deleting a user from the hub portal does not automatically remove them from individual product consoles (e.g., Cortex XDR, Prisma Cloud) if they were added directly within those consoles. Each product console must be checked separately.
  • API keys and tokens associated with the deleted user become invalid immediately upon deletion, which can break automated integrations.
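The pre-deletion checks listed above, as an added Python example that is not from the page or from Palo Alto Networks. Because the page documents no API for these consoles, it works on constructed exports of the hub user list and of the users added directly in each product console; the data, field names and console names are hypothetical.

```python
from dataclasses import dataclass, field

@dataclass
class HubUser:
    email: str
    role: str                   # "Super User", "Instance Admin", "Read-Only"
    scim_managed: bool = False  # provisioned through the IdP via SCIM
    api_keys: list = field(default_factory=list)

# Constructed sample data, not a real tenant: the hub user list and the
# users added directly inside each product console (hypothetical exports).
HUB_USERS = [
    HubUser("alice@example.com", "Super User"),
    HubUser("bob@example.com", "Instance Admin", scim_managed=True, api_keys=["xdr-ingest"]),
    HubUser("carol@example.com", "Read-Only"),
]
PRODUCT_CONSOLE_USERS = {
    "Cortex XDR": {"bob@example.com", "dave@example.com"},
    "Prisma Cloud": {"bob@example.com", "carol@example.com"},
}

def offboarding_checks(email, hub_users, product_users):
    """Return (blocked, findings) for deleting `email` from the hub."""
    user = next((u for u in hub_users if u.email == email), None)
    if user is None:
        return True, [f"{email} is not in the hub user list"]
    # The hub refuses to delete the last Super User; surface that before trying.
    if user.role == "Super User" and sum(u.role == "Super User" for u in hub_users) == 1:
        return True, ["Sole Super User: assign another Super User before deletion"]
    findings = []
    if user.scim_managed:
        findings.append("SCIM-managed: deprovision in the IdP first or the next sync re-creates the user")
    for key in user.api_keys:
        findings.append(f"Rotate API credential '{key}' before deletion; it becomes invalid immediately")
    for console, members in product_users.items():
        if email in members:
            findings.append(f"Also present in {console}: remove there separately; hub deletion does not propagate")
    return False, findings

def orphaned_console_accounts(hub_users, product_users):
    """Console accounts with no hub counterpart: leftovers from past hub-only deletions."""
    hub_emails = {u.email for u in hub_users}
    return {c: sorted(m - hub_emails) for c, m in product_users.items() if m - hub_emails}

if __name__ == "__main__":
    blocked, findings = offboarding_checks("bob@example.com", HUB_USERS, PRODUCT_CONSOLE_USERS)
    print("blocked" if blocked else "ok", *findings, sep="\n  ")
    print(orphaned_console_accounts(HUB_USERS, PRODUCT_CONSOLE_USERS))
```

Run the orphan report after every hub-level deletion and during access reviews; it is the per-console audit the page says has to happen by hand.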

License and seat management

  • Prisma Access Named User License
    Includes: VPN/ZTNA access for a single named user via GlobalProtect or Prisma Access. Tiered in bands (e.g., 200, 500, 1000, 5000, 10000, 100000+ users).
    Cost: Subscription-based; contact Palo Alto Networks for pricing. Multi-year discounts available (e.g., 32% for a 3-year term). Government pricing available via the OneGov program (60% discount).
  • Cortex XDR Agent License
    Includes: Endpoint detection and response coverage for a single endpoint. Licensed per endpoint, not per named user.
    Cost: Subscription-based; contact Palo Alto Networks for pricing.
  • Prisma Cloud Credit (CWP/CSPM)
    Includes: Cloud workload and posture management. Licensed via Prisma Cloud credits consumed by workload type and quantity.
    Cost: Credit-based subscription; contact Palo Alto Networks for pricing.

  • Where to check usage: hub.paloaltonetworks.com → Licensing → License Management (shows active licenses, seat counts, and expiry dates per product)
  • How to identify unused seats: In hub.paloaltonetworks.com under Licensing, admins can view total licensed seats versus assigned/active users per product. For Prisma Access, the product console shows connected user counts. Users who have never logged in or have not connected within a defined period can be identified via product-specific activity reports (e.g., Prisma Access monitoring dashboards).
  • Billing notes: Palo Alto Networks uses subscription-based licensing. Licenses are sold in fixed user-count tiers; exceeding the tier requires purchasing the next tier up, not individual seat additions. Multi-year contracts offer discounts. Licenses are managed through the hub portal and the Palo Alto Networks Customer Support Portal. Renewals and upgrades must go through a Palo Alto Networks sales representative or authorized reseller.

The cost of manual management

Manual provisioning requires navigating to Settings → Identity & Access → Users in hub.paloaltonetworks.com, inviting users one at a time by email, and then scoping each user to the correct product instance.

There is no native CSV bulk import in the hub portal; bulk provisioning requires SCIM integration, which is gated behind Enterprise licensing and Cloud Identity Engine setup.

Offboarding carries compounding risk. Deleting a user from the hub does not automatically remove them from product consoles where they were added directly, so admins must audit Cortex XDR, Prisma Cloud, and any other product separately after every hub-level deletion.

Named-user license counts are enforced at fixed tier boundaries. Adding users near a tier ceiling - for example, approaching 500 on a 500-seat Prisma Access license - requires purchasing the next full tier up, with no per-seat add-on option.

What IT admins are saying

Practitioners consistently flag the hub-versus-product-console split as the sharpest operational pain point: a user can appear correctly provisioned in the hub while lacking the role needed to function inside a specific product. This gap surfaces most often during onboarding audits and access reviews.

Invitation management is a secondary friction point. Invitation emails expire with no bulk resend option, and spam filtering frequently delays delivery - both issues require manual admin intervention per affected user.

SCIM setup complexity is a recurring theme. Configuring Cloud Identity Engine is reported as non-trivial without detailed documentation review or professional services engagement, which raises the effective cost of automating provisioning.

Common complaints:

  • Users report that removing a user from hub.paloaltonetworks.com does not automatically remove them from individual product consoles (e.g., Cortex XDR, Prisma Cloud), requiring manual cleanup in each product separately.
  • Admins note that SCIM provisioning requires Cloud Identity Engine setup, which adds complexity and is not straightforward to configure without professional services or detailed documentation review.
  • Community members report confusion around the distinction between hub portal roles and product-specific roles, as a user can appear to have access in the hub but lack the correct role within a specific product console.
  • Users report that invitation emails sometimes land in spam or expire before the recipient acts, requiring admins to manually resend invitations with no bulk resend option.
  • Licensing tier jumps (e.g., from 500 to 1000 named users) are reported as cost-inefficient for organizations near a tier boundary, as there is no per-seat add-on option.
  • Admins note that there is no native CSV bulk import for users in the hub portal; bulk provisioning requires SCIM/IDP integration, which is gated behind Enterprise licensing.

The decision

Manual management is viable for small, stable teams where every app in the environment maps to a single Palo Alto Networks product and admin overhead is low.

It becomes unsustainable as headcount grows or as the organization runs multiple products (Prisma Access, Cortex XDR, Prisma Cloud simultaneously), because each product console requires independent user lifecycle management.

SCIM via Cloud Identity Engine is the right path for organizations that need reliable, auditable provisioning at scale - but it requires Enterprise licensing, SSO already in place, and deliberate setup effort. Organizations not yet on Enterprise tier should factor that prerequisite into their planning timeline.

Custom roles are available on Enterprise subscriptions and support tenant-level and per-product-instance scoping. For organizations with complex access segmentation needs across multiple product instances, the role model is sufficiently granular - but only if the hub and each product console are managed in coordination.

Bottom line

Palo Alto Networks user management is functional for small teams operating a single product but grows operationally expensive as the product footprint expands.

The hub portal and individual product consoles maintain separate user stores, meaning every app requires its own access review and offboarding step - there is no single deletion that propagates everywhere.

Automated provisioning via SCIM resolves the scale problem but requires Enterprise licensing, Cloud Identity Engine, and SSO as hard prerequisites. Teams evaluating this path should treat the SCIM setup effort as a meaningful implementation project, not a configuration toggle.

Automate Palo Alto Networks workflows without one-off scripts

Stitchflow builds and maintains end-to-end IT automation across your SaaS stack, including apps without APIs. Built for exactly how your company works, with human approvals where they matter.

  • Every app coverage, including apps without APIs
  • 60+ app integrations plus browser automation for apps without APIs
  • IT graph reconciliation across apps and your IdP
  • Less than a week to launch, maintained as APIs and admin consoles change
  • SOC 2 Type II. ~2 hours of your team's time

* Details sourced from official product documentation and admin references.
