>
    Provide Granular Access to the Objects Tab
    Focus
    Download PDF
    Focus
    1. Home
    2. PAN-OS
    3. Firewall Administration
    4. Reference: Web Interface Administrator Access
    5. Web Interface Access Privileges
    6. Provide Granular Access to the Objects Tab
    Download PDF

    Provide Granular Access to the Objects Tab

    Table of Contents
    End-of-Life (EoL)

    Provide Granular Access to the Objects Tab

    An object is a container that groups specific policy filter values—such as IP addresses, URLs, applications, or services—for simplified rule definition. For example, an address object might contain specific IP address definitions for the web and application servers in your DMZ zone.
    When deciding whether to allow access to the objects tab as a whole, determine whether the administrator will have policy definition responsibilities. If not, the administrator probably does not need access to the tab. If, however, the administrator will need to create policy, you can enable access to the tab and then provide granular access privileges at the node level.
    By enabling access to a specific node, you give the administrator the privilege to view, add, and delete the corresponding object type. Giving read-only access allows the administrator to view the already defined objects, but not create or delete any. Disabling a node prevents the administrator from seeing the node in the web interface.
    Access Level
    Description
    Enable
    Read Only
    Disable
    Addresses
    Specifies whether the administrator can view, add, or delete address objects for use in security policy.
    Yes
    Yes
    Yes
    Address Groups
    Specifies whether the administrator can view, add, or delete address group objects for use in security policy.
    Yes
    Yes
    Yes
    Regions
    Specifies whether the administrator can view, add, or delete regions objects for use in security, decryption, or DoS policy.
    Yes
    Yes
    Yes
    Applications
    Specifies whether the administrator can view, add, or delete application objects for use in policy.
    Yes
    Yes
    Yes
    Application Groups
    Specifies whether the administrator can view, add, or delete application group objects for use in policy.
    Yes
    Yes
    Yes
    Application Filters
    Specifies whether the administrator can view, add, or delete application filters for simplification of repeated searches.
    Yes
    Yes
    Yes
    Services
    Specifies whether the administrator can view, add, or delete service objects for use in creating policy rules that limit the port numbers an application can use.
    Yes
    Yes
    Yes
    Service Groups
    Specifies whether the administrator can view, add, or delete service group objects for use in security policy.
    Yes
    Yes
    Yes
    Tags
    Specifies whether the administrator can view, add, or delete tags that have been defined on the firewall.
    Yes
    Yes
    Yes
    GlobalProtect
    Specifies whether the administrator can view, add, or delete HIP objects and profiles. You can restrict access to both types of objects at the GlobalProtect level, or provide more granular control by enabling the GlobalProtect privilege and restricting HIP Object or HIP Profile access.
    Yes
    No
    Yes
    HIP Objects
    Specifies whether the administrator can view, add, or delete HIP objects, which are used to define HIP profiles. HIP Objects also generate HIP Match logs.
    Yes
    Yes
    Yes
    Clientless Apps
    Specifies whether the administrator can view, add, modify, or delete GlobalProtect VPN Clientless applications.
    Yes
    Yes
    Yes
    Clientless App Groups
    Specifies whether the administrator can view, add, modify, or delete GlobalProtect VPN Clientless application groups.
    Yes
    Yes
    Yes
    HIP Profiles
    Specifies whether the administrator can view, add, or delete HIP Profiles for use in security policy and/or for generating HIP Match logs.
    Yes
    Yes
    Yes
    External Dynamic Lists
    Specifies whether the administrator can view, add, or delete external dynamic lists for use in security policy.
    Yes
    Yes
    Yes
    Custom Objects
    Specifies whether the administrator can see the custom spyware and vulnerability signatures. You can restrict access to either enable or disable access to all custom signatures at this level, or provide more granular control by enabling the Custom Objects privilege and then restricting access to each type of signature.
    Yes
    No
    Yes
    Data Patterns
    Specifies whether the administrator can view, add, or delete custom data pattern signatures for use in creating custom Vulnerability Protection profiles.
    Yes
    Yes
    Yes
    Spyware
    Specifies whether the administrator can view, add, or delete custom spyware signatures for use in creating custom Vulnerability Protection profiles.
    Yes
    Yes
    Yes
    Vulnerability
    Specifies whether the administrator can view, add, or delete custom vulnerability signatures for use in creating custom Vulnerability Protection profiles.
    Yes
    Yes
    Yes
    URL Category
    Specifies whether the administrator can view, add, or delete custom URL categories for use in policy.
    Yes
    Yes
    Yes
    Security Profiles
    Specifies whether the administrator can see security profiles. You can restrict access to either enable or disable access to all security profiles at this level, or provide more granular control by enabling the Security Profiles privilege and then restricting access to each type of profile.
    Yes
    No
    Yes
    Antivirus
    Specifies whether the administrator can view, add, or delete antivirus profiles.
    Yes
    Yes
    Yes
    Anti-Spyware
    Specifies whether the administrator can view, add, or delete Anti-Spyware profiles.
    Yes
    Yes
    Yes
    Vulnerability Protection
    Specifies whether the administrator can view, add, or delete Vulnerability Protection profiles.
    Yes
    Yes
    Yes
    URL Filtering
    Specifies whether the administrator can view, add, or delete URL filtering profiles.
    Yes
    Yes
    Yes
    File Blocking
    Specifies whether the administrator can view, add, or delete file blocking profiles.
    Yes
    Yes
    Yes
    WildFire Analysis
    Specifies whether the administrator can view, add, or delete WildFire analysis profiles.
    Yes
    Yes
    Yes
    Data Filtering
    Specifies whether the administrator can view, add, or delete data filtering profiles.
    Yes
    Yes
    Yes
    DoS Protection
    Specifies whether the administrator can view, add, or delete DoS protection profiles.
    Yes
    Yes
    Yes
    GTP Protection
    Specifies whether the mobile network operator can view, add, or delete GTP Protection profiles.
    Yes
    Yes
    Yes
    SCTP Protection
    Specifies whether the mobile network operator can view, add, or delete Stream Control Transmission Protocol (SCTP) Protection profiles.
    Yes
    Yes
    Yes
    Security Profile Groups
    Specifies whether the administrator can view, add, or delete security profile groups.
    Yes
    Yes
    Yes
    Log Forwarding
    Specifies whether the administrator can view, add, or delete log forwarding profiles.
    Yes
    Yes
    Yes
    Authentication
    Specifies whether the administrator can view, add, or delete authentication enforcement objects.
    Yes
    Yes
    Yes
    Decryption Profile
    Specifies whether the administrator can view, add, or delete decryption profiles.
    Yes
    Yes
    Yes
    Schedules
    Specifies whether the administrator can view, add, or delete schedules for limiting a security policy to a specific date and/or time range.
    Yes
    Yes
    Yes

    © 2025 Palo Alto Networks, Inc. All rights reserved.