Next-Generation Firewall
Configure an Admin Role Profile (PAN-OS)
Table of Contents
Configure an Admin Role Profile (PAN-OS)
You can create an Admin Role profile, specify that the role applies to Virtual
System, and then select Web UI, for example, and choose the part of the
configuration that the administrator can control within a virtual system. Click OK
to save the Admin Role Profile. Then select , name the role, select Role Based, enter the name of the Admin Role
Profile, and select the virtual system that the administrator can control. The MGT
interface doesn't give full access to the firewall; access is controlled by the
Admin Role.
If the Admin Role Profile is based on Virtual System, that administrator won't have
control over a virtual router. Only a subset of the Network options are available in
a Virtual System role, and virtual router isn't one of the included options. If you
want virtual router available in an Admin Role Profile, the role must be Device, not
Virtual System. (You can define a superuser Administrator to have both Virtual
System and Virtual Router access.)
You can create a second Admin Role Profile, specify that the role applies to Device,
and then select portions under Network, such as Virtual Routers. Name the Admin Role
Profile, and then apply it to a different administrator.
You might have different departments that have different functions. Based on the
login, the administrator gets the right to control the objects enabled in the Admin
Role Profile.
In summary, you can't define a Virtual System Admin Role profile that includes
routing (Virtual Router). You can create two accounts to have these separate roles
and assign them to two different users. An Administrator account can have only one
Admin Role profile.
The MGT interface can have role-based access; it doesn't strictly provide full access
to the device. The login account (Admin Role) is what gives a user rights or limited
access to the objects, not the MGT interface.
- Select and click Add.Enter a Name to identify the role.For the scope of the Role, select Device or Virtual System.In the Web UI and REST API tabs, click the icon for each functional area to toggle it to the desired setting: Enable, Read Only or Disable. For the XML API tab select, Enable or Disable. For details on the Web UI options, see Web Interface Access Privileges.Select the Command Line tab and select a CLI access option. The Role scope controls the available options:
- Device role:
- None—CLI access is not permitted (default).
- superuser—Full access. Can define new administrator accounts and virtual systems. Only a superuser can create administrator users with superuser privileges.
- superreader—Full read-only access.
- deviceadmin—Full access to all settings except defining new accounts or virtual systems.
- devicereader—Read-only access to all settings except password profiles (no access) and administrator accounts (only the logged in account is visible).
- Virtual System role:
- None—Access is not permitted (default).
- vsysadmin—Access to specific virtual systems to create and manage specific aspects of virtual systems. Does not enable access to firewall-level or network-level functions including static and dynamic routing, interface IP addresses, IPSec tunnels, VLANs, virtual wires, virtual routers, GRE tunnels, DCHP, DNS Proxy, QoS, LLDP, or network profiles.
- vsysreader—Read-only access to specific virtual systems to specific aspects of virtual systems. Does not enable access to firewall-level or network-level functions including static and dynamic routing, interface IP addresses, IPSec tunnels, VLANs, virtual wires, virtual routers, GRE tunnels, DCHP, DNS Proxy, QoS, LLDP, or network profiles.
Click OK to save the profile.Assign the role to an administrator. See Configure a Firewall Administrator Account.
