Select Device > Admin Roles to define Admin Role profiles, which are custom roles that determine the access privileges and responsibilities of administrative users. You assign Admin Role profiles or dynamic roles
The firewall has three predefined roles you can use for Common Criteria purposes. You first use the superuser role for initial firewall configuration and to create the administrator accounts for the Security Administrator, Audit Administrator, and Cryptographic Administrator. After you create these accounts and apply the proper Common Criteria Admin Roles, you then log in using those accounts. The default superuser account in FIPS-CC mode (Federal Information Processing Standard (FIPS)/Common Criteria (CC)) is admin and the default password is paloalto. In standard operating mode, the default admin password is admin. The predefined Admin Roles were designed so that their capabilities do not overlap, except that all three have read-only access to the audit trail (the Audit Administrator additionally has full read and delete access to it). These admin roles cannot be modified and are defined as follows:
auditadmin—The Audit Administrator is responsible for the regular review of the firewall’s audit data.
cryptoadmin—The Cryptographic Administrator is responsible for the configuration and maintenance of cryptographic elements related to the establishment of secure connections to the firewall.
securityadmin—The Security Administrator is responsible for all other administrative tasks (such as creating Security policy) not addressed by the other two administrative roles.
To add an Admin Role profile, click Add and specify the settings described in the following table. Create custom roles to limit administrator access to only what each type of administrator needs. For each type of administrator, enable, disable, or set read-only access for Web UI, XML API, Command Line, and REST API access.
Administrator Role Settings
Name
Enter a name to identify this administrator role (up to 31 characters). The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.
Description
(Optional) Enter a description for the role (up to 255 characters).
Role
Select the scope of administrative responsibility:
Device—The role applies to the entire firewall, regardless of whether it has more than one virtual system (vsys).
Virtual System—The role applies to specific virtual systems on the firewall and to specific aspects of virtual systems (if Multi Virtual System Capability is enabled). An Admin Role Profile based on Virtual System doesn’t have access on the Web UI tab to Network Interfaces, VLANs, Virtual Wires, IPSec Tunnels, GRE Tunnels, DHCP, DNS Proxy, QoS, LLDP, or Network Profiles. You select the virtual systems when you create administrative accounts (Device > Administrators).
features
to set the permitted access privileges (Enable or Disable).
Command Line
Select the type of role for CLI access. The default is None, which means access to the CLI is not permitted. The other options vary by Role scope:
Device
superuser—Has full access to the firewall and can define new administrator accounts and virtual systems. You must have superuser privileges to create an administrative user with superuser privileges.
superreader—Has read-only access to the firewall.
deviceadmin—Has full access to all firewall settings except for defining new accounts or virtual systems.
devicereader—Has read-only access to all firewall settings except password profiles (no access) and administrator accounts (only the logged-in account is visible).
Virtual System
vsysadmin—Has access to specific virtual systems on the firewall to create and manage specific aspects of virtual systems. The vsysadmin setting doesn’t control firewall-level or network-level functions (such as static and dynamic routing, IP addresses of interfaces, IPSec tunnels, VLANs, virtual wires, virtual routers, GRE tunnels, DHCP, DNS Proxy, QoS, LLDP, or network profiles).
vsysreader—Has read-only access to specific virtual systems on the firewall and specific aspects of a virtual system. The vsysreader setting doesn’t have access to firewall-level or network-level functions (such as static and dynamic routing, IP addresses of interfaces, IPSec tunnels, VLANs, virtual wires, virtual routers, GRE tunnels, DHCP, DNS Proxy, QoS, LLDP, or network profiles).
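The constraints in the table above (name rules, which CLI roles belong to which Role scope, the Network features a Virtual System profile cannot reach, and the no-overlap principle behind the predefined Common Criteria roles) can be checked before profiles are committed. The following linter is an added example, not Palo Alto Networks code; the profile dict layout and the feature names are constructed for the example and are not a PAN-OS export format.

```python
# Lint Admin Role profiles against the constraints this reference states. Dict shape is constructed
# for this example, not a PAN-OS export: {"name", "role": "device"|"vsys", "cli", "webui": {feature: action}}
import re
from itertools import combinations
NAME_RE = re.compile(r"^[A-Za-z0-9 _-]{1,31}$")  # up to 31 chars: letters, digits, space, - and _
CLI_ROLES = {  # CLI roles the reference lists for each Role scope
    "device": {"none", "superuser", "superreader", "deviceadmin", "devicereader"},
    "vsys": {"none", "vsysadmin", "vsysreader"},
}
DEVICE_ONLY = {  # Web UI Network features a Virtual System profile cannot reach
    "interfaces", "vlans", "virtual-wires", "ipsec-tunnels", "gre-tunnels",
    "dhcp", "dns-proxy", "qos", "lldp", "network-profiles"}

def writable(profile):  # Web UI features the profile may change (Enable), not just view
    return {f for f, a in profile.get("webui", {}).items() if a == "enable"}

def lint_profiles(profiles):
    findings, seen = [], set()
    for p in profiles:
        name, scope, cli = p.get("name", ""), p.get("role"), p.get("cli", "none")
        if not NAME_RE.match(name):
            findings.append(f"{name!r}: name must be 1-31 letters, digits, spaces, hyphens or underscores")
        if name in seen:
            findings.append(f"{name!r}: duplicate name (names are case-sensitive and must be unique)")
        seen.add(name)
        if scope not in CLI_ROLES:
            findings.append(f"{name!r}: role scope must be 'device' or 'vsys'")
            continue
        if cli not in CLI_ROLES[scope]:
            findings.append(f"{name!r}: CLI role {cli!r} is not valid for scope {scope!r}")
        elif cli == "superuser":
            findings.append(f"{name!r}: grants superuser CLI (can create admins and vsys); confirm it is needed")
        leak = DEVICE_ONLY & {f for f, a in p.get("webui", {}).items() if a != "disable"}
        if scope == "vsys" and leak:
            findings.append(f"{name!r}: vsys profile enables device-only features {sorted(leak)}")
    # Separation of duties, as the predefined CC roles do: no two profiles share a write capability.
    for a, b in combinations(profiles, 2):
        shared = writable(a) & writable(b)
        if shared:
            findings.append(f"{a.get('name')!r} and {b.get('name')!r} both write {sorted(shared)}")
    return findings

SAMPLE_PROFILES = [  # constructed sample input
    {"name": "SecOps RO", "role": "device", "cli": "devicereader",
     "webui": {"policies": "read-only", "monitor": "read-only"}},
    {"name": "Tenant-A Ops", "role": "vsys", "cli": "superuser", "webui": {"policies": "enable", "qos": "enable"}},
    {"name": "Tenant-B Ops", "role": "vsys", "cli": "vsysadmin", "webui": {"policies": "enable"}},
    {"name": "bad/name", "role": "device", "cli": "deviceadmin", "webui": {}},
]
```

Running `lint_profiles(SAMPLE_PROFILES)` reports four findings: the vsys profile that asks for a Device-scope CLI role and a device-only feature, the invalid name, and the write capability shared by the two tenant profiles.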