Roles and user groups
When you copy Roles and User Groups in the Upgrade Helper, the Prisma Cloud Custom Permission Groups and Roles are copied to Cortex Cloud as corresponding roles and user groups.
Assign roles and user groups
Users created through the customer support portal are assigned to the relevant user groups. If your organization uses single sign-on (SSO) for authentication, user roles and groups won't be assigned based on Prisma Cloud mappings. In this case, you will need to handle role assignment by SAML group mapping. Learn more about authenticating users.
Verify copied roles and user groups
After you follow the steps listed in Copy configurations, navigate to → → to view the copied items.
Note
Keep the following caveats in mind:
Scope-Based Access Control (SBAC) configurations, such as resources or account lists are not copied. You can manually assign scope-based access to the relevant users or groups.
When migrating permission groups and roles, the total count of items successfully copied may be lower than the initial number selected. This is expected behavior. The discrepancy in counts can occur for the following reasons:
Default Entities: System-default items that are already mapped in the Cortex environment are automatically excluded from the operation, as migration is not required. The initial total count shown for processing will reflect this exclusion.
Validation Failures: Entities that fail validation checks, such as those with duplicate names, will be skipped and not copied.
Empty Mappings: Items that result in an empty configuration after the permission mapping process (e.g., a group that contains no valid permissions in the target system) will be skipped, as no corresponding entity can be created.
Reference the migration logs for specific details on any skipped entities.