1. Home
    2. PAN-OS
    3. PAN-OS CLI Quick Start
    4. Get Started with the CLI
    5. Give Administrators Access to the CLI
    6. Administrative Privileges

    Administrative Privileges

    Privilege levels determine which commands an administrator can run as well as what information is viewable. Each administrative role has an associated privilege level. You can use dynamic roles, which are predefined roles that provide default privilege levels. Or, you can create custom firewall administrator roles or Panorama administrator roles and assign one of the following CLI privilege levels to each role:
    You must follow the Best Practices for Securing Admin Access to ensure that you are securing access to your management network in a way that will prevent successful attacks.
    Privilege Level
    Description
    superuser
    Has full access to the Palo Alto Networks device (firewall or Panorama) and can define new administrator accounts and virtual systems. You must have superuser privileges to create an administrative user with superuser privileges.
    superreader
    Has complete read-only access to the device.
    vsysadmin
    Has access to selected virtual systems (vsys) on the firewall to create and manage specific aspects of virtual systems. A virtual system administrator doesn’t have access to network interfaces, VLANs, virtual wires, virtual routers, IPSec tunnels, GRE tunnels, DHCP, DNS Proxy, QoS, LLDP, or network profiles.
    vsysreader
    Has read-only access to selected virtual systems on the firewall and specific aspects of virtual systems. A virtual system administrator with read-only access doesn’t have access to network interfaces, VLANs, virtual wires, virtual routers, IPSec tunnels, GRE tunnels, DHCP, DNS Proxy, QoS, LLDP, or network profiles.
    deviceadmin
    Has full access to all firewall settings except for defining new accounts or virtual systems.
    devicereader
    Has read-only access to all firewall settings except password profiles (no access) and administrator accounts (only the logged in account is visible).
    panorama-admin
    Has full access to Panorama except for the following actions:
    • Create, modify, or delete Panorama or device administrators and roles.
    • Export, validate, revert, save, load, or import a configuration.
    • Schedule configuration exports.

    Recommended For You

    Recommended Videos

    Recommended videos not found.

    © 2021 Palo Alto Networks, Inc. All rights reserved.

    Techdocs Logo