Palo Alto Networks Identity and Access Management

Unified identity and access management capability for managing service accounts, access policies, roles, tenant service groups, and subscriptions across SASE IAM, Tenancy, and Subscription APIs.

Tags: Palo Alto Networks, Identity, Access Management, Tenancy, Subscriptions, Cloud Identity Engine

What You Can Do

GET     /v1/service-accounts
        List service accounts — List all service accounts with optional filtering.
POST    /v1/service-accounts
        Create service account — Create a new service account.
GET     /v1/service-accounts/{account_id}
        Get service account — Get details of a specific service account.
PUT     /v1/service-accounts/{account_id}
        Update service account — Update an existing service account.
DELETE  /v1/service-accounts/{account_id}
        Delete service account — Delete a service account.
POST    /v1/service-accounts/{account_id}/keys
        Generate service account credentials — Generate credentials for a service account.
DELETE  /v1/service-accounts/{account_id}/keys/{key_id}
        Revoke service account key — Revoke a specific key for a service account.
GET     /v1/access-policies
        List access policies — List all access policies with optional filtering.
POST    /v1/access-policies
        Create access policy — Create a new access policy.
GET     /v1/access-policies/{policy_id}
        Get access policy — Get details of a specific access policy.
PUT     /v1/access-policies/{policy_id}
        Update access policy — Update an existing access policy.
DELETE  /v1/access-policies/{policy_id}
        Delete access policy — Delete an access policy.
GET     /v1/roles
        List roles — List all available roles.
GET     /v1/tenant-service-groups
        List tenant service groups — List all tenant service groups with optional filtering.
POST    /v1/tenant-service-groups
        Create tenant service group — Create a new tenant service group.
GET     /v1/tenant-service-groups/{tsg_id}
        Get tenant service group — Get details of a specific tenant service group.
PUT     /v1/tenant-service-groups/{tsg_id}
        Update tenant service group — Update an existing tenant service group.
DELETE  /v1/tenant-service-groups/{tsg_id}
        Delete tenant service group — Delete a tenant service group.
GET     /v1/tenant-service-groups/{tsg_id}/children
        List child tenant service groups — List child tenant service groups for a given parent.
GET     /v1/subscriptions
        List subscriptions — List all subscriptions for a tenant service group.
GET     /v1/subscriptions/{subscription_id}
        Get subscription — Get details of a specific subscription.
GET     /v1/subscriptions/{subscription_id}/entitlements
        Get subscription entitlements — Get entitlements for a specific subscription.
PUT     /v1/subscriptions/{subscription_id}/allocation
        Allocate licenses — Allocate licenses from a subscription to tenant service groups.

MCP Tools

list-service-accounts [read-only, idempotent]
    List all SASE service accounts with optional filtering by TSG.

create-service-account
    Create a new SASE service account.

get-service-account [read-only, idempotent]
    Get details of a specific service account by ID.

update-service-account [idempotent]
    Update an existing service account.

delete-service-account [idempotent]
    Delete a service account by ID.

generate-service-account-credentials
    Generate credentials for a service account.

revoke-service-account-key [idempotent]
    Revoke a specific key for a service account.

list-access-policies [read-only, idempotent]
    List all access policies with optional filtering.

create-access-policy
    Create a new access policy.

get-access-policy [read-only, idempotent]
    Get details of a specific access policy by ID.

update-access-policy [idempotent]
    Update an existing access policy.

delete-access-policy [idempotent]
    Delete an access policy by ID.

list-roles [read-only, idempotent]
    List all available SASE roles.

list-tenant-service-groups [read-only, idempotent]
    List all tenant service groups with optional filtering.

create-tenant-service-group
    Create a new tenant service group.

get-tenant-service-group [read-only, idempotent]
    Get details of a specific tenant service group.

update-tenant-service-group [idempotent]
    Update an existing tenant service group.

delete-tenant-service-group [idempotent]
    Delete a tenant service group.

list-child-tenant-service-groups [read-only, idempotent]
    List child tenant service groups for a given parent.

list-subscriptions [read-only, idempotent]
    List all subscriptions for a tenant service group.

get-subscription [read-only, idempotent]
    Get details of a specific subscription.

get-subscription-entitlements [read-only, idempotent]
    Get entitlements for a specific subscription.

allocate-licenses [idempotent]
    Allocate licenses from a subscription to tenant service groups.

Who This Is For

IAM Administrator
    Manages service accounts, roles, and access policies for platform API access.

Tenant Operator
    Manages multi-tenant hierarchies and service group configurations for MSSPs.

APIs Used

sase-iam, sase-tenancy, sase-subscription, cloud-identity-engine