PAN-OS CLI Quick Start
  • PAN-OS CLI Quick Start
  • All PAN-OS Documentation
  • All Documentation
PAN-OS CLI Quick Start
: Administrative Privileges
Focus
Download PDF
Focus
  1. Home
  2. PAN-OS
  3. PAN-OS CLI Quick Start
  4. Get Started with the CLI
  5. Give Administrators Access to the CLI
  6. Administrative Privileges
Download PDF

PAN-OS CLI Quick Start

Administrative Privileges

Table of Contents
End-of-Life (EoL)

Administrative Privileges

Privilege levels determine which commands an administrator can run as well as what information is viewable. Each administrative role has an associated privilege level. You can use dynamic roles, which are predefined roles that provide default privilege levels. Or, you can create custom firewall administrator roles or Panorama administrator roles and assign one of the following CLI privilege levels to each role:
You must follow the Best Practices for Securing Admin Access to ensure that you are securing access to your management network in a way that will prevent successful attacks.
Privilege Level
Description
superuser
Has full access to the Palo Alto Networks device (firewall or Panorama) and can define new administrator accounts and virtual systems. You must have superuser privileges to create an administrative user with superuser privileges.
superreader
Has complete read-only access to the device.
vsysadmin
Has access to selected virtual systems (vsys) on the firewall to create and manage specific aspects of virtual systems. A virtual system administrator doesn’t have access to network interfaces, VLANs, virtual wires, virtual routers, IPSec tunnels, GRE tunnels, DHCP, DNS Proxy, QoS, LLDP, or network profiles.
vsysreader
Has read-only access to selected virtual systems on the firewall and specific aspects of virtual systems. A virtual system administrator with read-only access doesn’t have access to network interfaces, VLANs, virtual wires, virtual routers, IPSec tunnels, GRE tunnels, DHCP, DNS Proxy, QoS, LLDP, or network profiles.
deviceadmin
Has full access to all firewall settings except for defining new accounts or virtual systems.
devicereader
Has read-only access to all firewall settings except password profiles (no access) and administrator accounts (only the logged in account is visible).
panorama-admin
Has full access to Panorama except for the following actions:
  • Create, modify, or delete Panorama or device administrators and roles.
  • Export, validate, revert, save, load, or import a configuration.
  • Schedule configuration exports.

Technical Documentation

Company

Legal Notices

© 2025 Palo Alto Networks, Inc. All rights reserved.