Administrative Privileges
Privilege levels determine which commands an administrator
can run as well as what information is viewable. Each administrative
role has an associated privilege level. You can use dynamic roles,
which are predefined roles that provide default privilege levels.
Or, you can create custom firewall administrator roles or Panorama administrator roles and
assign one of the CLI privilege levels in the table below to each role.

You must follow the Best Practices for Securing Admin Access to
ensure that you are securing access to your management network in
a way that will prevent successful attacks.

Privilege Level | Description |
---|---|
superuser | Has full access to the Palo Alto Networks device (firewall or Panorama) and can define new administrator accounts and virtual systems. You must have superuser privileges to create an administrative user with superuser privileges. |
superreader | Has complete read-only access to the device. |
vsysadmin | Has access to selected virtual systems (vsys) on the firewall to create and manage specific aspects of virtual systems. A virtual system administrator doesn’t have access to network interfaces, VLANs, virtual wires, virtual routers, IPSec tunnels, GRE tunnels, DHCP, DNS Proxy, QoS, LLDP, or network profiles. |
vsysreader | Has read-only access to selected virtual systems on the firewall and specific aspects of virtual systems. A virtual system administrator with read-only access doesn’t have access to network interfaces, VLANs, virtual wires, virtual routers, IPSec tunnels, GRE tunnels, DHCP, DNS Proxy, QoS, LLDP, or network profiles. |
deviceadmin | Has full access to all firewall settings except for defining new accounts or virtual systems. |
devicereader | Has read-only access to all firewall settings except password profiles (no access) and administrator accounts (only the logged in account is visible). |
panorama-admin | Has full access to Panorama except for the following actions: |