>
    Strata Copilot
    Configure an Admin Role Profile
    Focus
    Download PDF
    Focus
    1. Home
    2. Next-Generation Firewall
    3. Firewall Administration
    4. Manage Firewall Administrators
    5. Configure an Admin Role Profile
    Download PDF
    Next-Generation Firewall

    Configure an Admin Role Profile

    Table of Contents

    Configure an Admin Role Profile

    Configure admin role profiles in PAN-OS to define access permissions and administrative privileges for firewall administrators.
    Where Can I Use This?What Do I Need?
    NGFW (Managed by PAN-OS or Panorama)
    • No prerequisites needed
    Admin Role profiles enable you to define granular administrative access privileges to ensure protection for sensitive company information and privacy for end users.
    • Defining Access Levels: Admin Role profiles function as a foundational element of security, allowing you to define specific access levels and permissions for different user types. By creating distinct roles, you can control what administrators can access from full access to read-only access. This ensures that users only have the privileges necessary for their responsibilities.
      Follow the principle of least privilege access to create Admin Role profiles that enable administrators to access only the areas of the management interface that they need to access to perform their jobs and follow Administrative Access Best Practices.
    • Configuring Interface Privileges: Each role is highly customizable and can be configured to manage access across various device interfaces, including the Web UI, REST API, XML API, and Command Line (CLI). This flexibility lets you tailor permissions precisely to your operational needs. For example, you can create a role for a junior administrator with full access to the Web UI but no access to the CLI, or for a monitoring team with only read-only access across all interfaces.
    • Role-Based Management: Once a role is defined, it is assigned to one or more administrator accounts instead of configuring permissions for each individual user.

    Configure an Admin Role Profile (PAN-OS)

    You can create an Admin Role profile, specify that the role applies to Virtual System, and then select Web UI, for example, and choose the part of the configuration that the administrator can control within a virtual system. Click OK to save the Admin Role Profile. Then select DeviceAdministrators, name the role, select Role Based, enter the name of the Admin Role Profile, and select the virtual system that the administrator can control. The MGT interface doesn't give full access to the firewall; access is controlled by the Admin Role.
    If the Admin Role Profile is based on Virtual System, that administrator won't have control over a virtual router. Only a subset of the Network options are available in a Virtual System role, and virtual router isn't one of the included options. If you want virtual router available in an Admin Role Profile, the role must be Device, not Virtual System. (You can define a superuser Administrator to have both Virtual System and Virtual Router access.)
    You can create a second Admin Role Profile, specify that the role applies to Device, and then select portions under Network, such as Virtual Routers. Name the Admin Role Profile, and then apply it to a different administrator.
    You might have different departments that have different functions. Based on the login, the administrator gets the right to control the objects enabled in the Admin Role Profile.
    In summary, you can't define a Virtual System Admin Role profile that includes routing (Virtual Router). You can create two accounts to have these separate roles and assign them to two different users. An Administrator account can have only one Admin Role profile.
    The MGT interface can have role-based access; it doesn't strictly provide full access to the device. The login account (Admin Role) is what gives a user rights or limited access to the objects, not the MGT interface.
    1. Select DeviceAdmin Roles and click Add.
    2. Enter a Name to identify the role.
    3. For the scope of the Role, select Device or Virtual System.
    4. In the Web UI and REST API tabs, click the icon for each functional area to toggle it to the desired setting: Enable, Read Only or Disable. For the XML API tab select, Enable or Disable. For details on the Web UI options, see Web Interface Access Privileges.
    5. Select the Command Line tab and select a CLI access option. The Role scope controls the available options:
      • Device role:
        • None—CLI access is not permitted (default).
        • superuser—Full access. Can define new administrator accounts and virtual systems. Only a superuser can create administrator users with superuser privileges.
        • superreader—Full read-only access.
        • deviceadmin—Full access to all settings except defining new accounts or virtual systems.
        • devicereader—Read-only access to all settings except password profiles (no access) and administrator accounts (only the logged in account is visible).
      • Virtual System role:
        • None—Access is not permitted (default).
        • vsysadmin—Access to specific virtual systems to create and manage specific aspects of virtual systems. Does not enable access to firewall-level or network-level functions including static and dynamic routing, interface IP addresses, IPSec tunnels, VLANs, virtual wires, virtual routers, GRE tunnels, DCHP, DNS Proxy, QoS, LLDP, or network profiles.
        • vsysreader—Read-only access to specific virtual systems to specific aspects of virtual systems. Does not enable access to firewall-level or network-level functions including static and dynamic routing, interface IP addresses, IPSec tunnels, VLANs, virtual wires, virtual routers, GRE tunnels, DCHP, DNS Proxy, QoS, LLDP, or network profiles.
    6. Click OK to save the profile.
    7. Assign the role to an administrator. See Configure a Firewall Administrator Account.

    © 2025 Palo Alto Networks, Inc. All rights reserved.