>
    Strata Copilot
    Provide Granular Access to the Device Tab
    Focus
    Download PDF
    Focus
    1. Home
    2. Next-Generation Firewall
    3. Firewall Administration
    4. Reference: Web Interface Administrator Access
    5. Web Interface Access Privileges
    6. Provide Granular Access to the Device Tab
    Download PDF
    Next-Generation Firewall

    Provide Granular Access to the Device Tab

    Table of Contents

    Provide Granular Access to the Device Tab

    Configure granular administrator access privileges for Device tab functions in PAN-OS firewall web interface to control user permissions.
    To define granular access privileges for the Device tab, when creating or editing an admin role profile (DeviceAdmin Roles), scroll down to the Device node on the WebUI tab.
    Access Level
    Description
    Enable
    Read Only
    Disable
    Setup
    Controls access to the Setup node. If you disable this privilege, the administrator will not see the Setup node or have access to firewall-wide setup configuration information, such as Management, Operations, Service, Content-ID, WildFire or Session setup information.
    If the privilege state is set to read-only, you can view the current configuration but cannot make any changes.
    Yes
    Yes
    Yes
    Management
    Controls access to the Management node. If you disable this privilege, the administrator will not be able to configure settings such as the hostname, domain, timezone, authentication, logging and reporting, Panorama connections, banner, message, and password complexity settings, and more.
    If the privilege state is set to read-only, you can view the current configuration but cannot make any changes.
    Yes
    Yes
    Yes
    Operations
    Controls access to the Operations and Telemetry and Threat Intelligence nodes. If you disable this privilege, the administrator cannot:
    • Load firewall configurations.
    • Save or revert the firewall configuration.
      This privilege applies only to the DeviceOperations options. The Save and Commit privileges control whether the administrator can save or revert configurations through the ConfigSave and ConfigRevert options.
    • Create custom logos.
    • Configure SNMP monitoring of firewall settings.
    • Configure the Statistics Service feature.
    • Configure Telemetry and Threat Intelligence settings.
    Only administrators with the predefined Superuser role can export or import firewall configurations and shut down the firewall.
    Only administrators with the predefined Superuser or Device Administrator role can reboot the firewall or restart the dataplane.
    Administrators with a role that allows access only to specific virtual systems cannot load, save, or revert firewall configurations through the DeviceOperations options.
    Yes
    Yes
    Yes
    Services
    Controls access to the Services node. If you disable this privilege, the administrator will not be able to configure services for DNS servers, an update server, proxy server, or NTP servers, or set up service routes.
    If the privilege state is set to read-only, you can view the current configuration but cannot make any changes.
    Yes
    Yes
    Yes
    Content-ID
    Controls access to the Content-ID node. If you disable this privilege, the administrator will not be able to configure URL filtering or Content-ID.
    If the privilege state is set to read-only, you can view the current configuration but cannot make any changes.
    Yes
    Yes
    Yes
    WildFire
    Controls access to the WildFire node. If you disable this privilege, the administrator will not be able to configure WildFire settings.
    If the privilege state is set to read-only, you can view the current configuration but cannot make any changes.
    Yes
    Yes
    Yes
    Session
    Controls access to the Session node. If you disable this privilege, the administrator will not be able to configure session settings or timeouts for TCP, UDP or ICMP, or configure decryption or VPN session settings.
    If the privilege state is set to read-only, you can view the current configuration but cannot make any changes.
    Yes
    Yes
    Yes
    HSM
    Controls access to the HSM node. If you disable this privilege, the administrator will not be able to configure a Hardware Security Module.
    If the privilege state is set to read-only, you can view the current configuration but cannot make any changes.
    Yes
    Yes
    Yes
    High Availability
    Controls access to the High Availability node. If you disable this privilege, the administrator will not see the High Availability node or have access to firewall-wide high availability configuration information such as General setup information or Link and Path Monitoring.
    If you set this privilege to read-only, the administrator can view High Availability configuration information for the firewall but is not allowed to perform any configuration procedures.
    Yes
    Yes
    Yes
    Config Audit
    Controls access to the Config Audit node. If you disable this privilege, the administrator will not see the Config Audit node or have access to any firewall-wide configuration information.
    Yes
    No
    Yes
    Administrators
    Controls access to the Administrators node. This function can only be allowed for read-only access.
    If you disable this privilege, the administrator will not see the Administrators node or have access to information about their own administrator account.
    If you set this privilege to read-only, the administrator can view the configuration information for their own administrator account. They will not see any information about other administrator accounts configured on the firewall.
    No
    Yes
    Yes
    Admin Roles
    Controls access to the Admin Roles node. This function can only be allowed for read-only access.
    If you disable this privilege, the administrator will not see the Admin Roles node or have access to any firewall-wide information concerning Admin Role profiles configuration.
    If you set this privilege to read-only, you can view the configuration information for all administrator roles configured on the firewall.
    No
    Yes
    Yes
    Authentication Profile
    Controls access to the Authentication Profile node. If you disable this privilege, the administrator will not see the Authentication Profile node or be able to create or edit authentication profiles that specify RADIUS, TACACS+, LDAP, Kerberos, SAML, multi-factor authentication (MFA), or local database authentication settings. PAN-OS uses authentication profiles to authenticate firewall administrators and Authentication Portal or GlobalProtect end users.
    If you set this privilege to read-only, the administrator can view the Authentication Profile information but cannot create or edit authentication profiles.
    Yes
    Yes
    Yes
    Authentication Sequence
    Controls access to the Authentication Sequence node. If you disable this privilege, the administrator will not see the Authentication Sequence node or be able to create or edit an authentication sequence.
    If you set this privilege to read-only, the administrator can view the Authentication Profile information but cannot create or edit an authentication sequence.
    Yes
    Yes
    Yes
    Virtual Systems
    Controls access to the Virtual Systems node. If you disable this privilege, the administrator will not see or be able to configure virtual systems.
    If the privilege state is set to read-only, you can view the currently configured virtual systems but cannot add or edit a configuration.
    Yes
    Yes
    Yes
    Shared Gateways
    Controls access to the Shared Gateways node. Shared gateways allow virtual systems to share a common interface for external communications.
    If you disable this privilege, the administrator will not see or be able to configure shared gateways.
    If the privilege state is set to read-only, you can view the currently configured shared gateways but cannot add or edit a configuration.
    Yes
    Yes
    Yes
    User Identification
    Controls access to the User Identification node. If you disable this privilege, the administrator will not see the User Identification node or have access to firewall-wide User Identification configuration information, such as User Mapping, Connection Security, User-ID Agents, Terminal Server Agents, Group Mappings Settings, or Authentication Portal Settings.
    If you set this privilege to read-only, the administrator can view configuration information for the firewall but is not allowed to perform any configuration procedures.
    Yes
    Yes
    Yes
    VM Information Source
    Controls access to the VM Information Source node that allows you to configure the firewall/Windows User-ID agent to collect VM inventory automatically. If you disable this privilege, the administrator will not see the VM Information Source node.
    If you set this privilege to read-only, the administrator can view the VM information sources configured but cannot add, edit, or delete any sources.
    This privilege is not available to Device Group and Template administrators.
    Yes
    Yes
    Yes
    Certificate Management
    Sets the default state to enable or disable for all of the Certificate settings described below.
    Yes
    No
    Yes
    Certificates
    Controls access to the Certificates node. If you disable this privilege, the administrator will not see the Certificates node or be able to configure or access information regarding Device Certificates or Default Trusted Certificate Authorities.
    If you set this privilege to read-only, the administrator can view Certificate configuration information for the firewall but is not allowed to perform any configuration procedures.
    Yes
    Yes
    Yes
    Certificate Profile
    Controls access to the Certificate Profile node. If you disable this privilege, the administrator will not see the Certificate Profile node or be able to create certificate profiles.
    If you set this privilege to read-only, the administrator can view Certificate Profiles that are currently configured for the firewall but is not allowed to create or edit a certificate profile.
    Yes
    Yes
    Yes
    OCSP Responder
    Controls access to the OCSP Responder node. If you disable this privilege, the administrator will not see the OCSP Responder node or be able to define a server that will be used to verify the revocation status of certificates issues by the firewall.
    If you set this privilege to read-only, the administrator can view the OCSP Responder configuration for the firewall but is not allowed to create or edit an OCSP responder configuration.
    Yes
    Yes
    Yes
    SSL/TLS Service Profile
    Controls access to the SSL/TLS Service Profile node.
    If you disable this privilege, the administrator will not see the node or configure a profile that specifies a certificate and a protocol version or range of versions for firewall services that use SSL/TLS.
    If you set this privilege to read-only, the administrator can view existing SSL/TLS Service profiles but cannot create or edit them.
    Yes
    Yes
    Yes
    SCEP
    Controls access to the SCEP node. If you disable this privilege, the administrator will not see the node or be able to define a profile that specifies simple certificate enrollment protocol (SCEP) settings for issuing unique device certificates.
    If you set this privilege to read-only, the administrator can view existing SCEP profiles but cannot create or edit them.
    Yes
    Yes
    Yes
    SSL Decryption Exclusion
    Controls access to the SSL Decryption Exclusion node. If you disable this privilege, the administrator will not see the node or be able to add custom exclusions.
    If you set this privilege to read-only, the administrator can view existing SSL decryption exceptions but cannot create or edit them.
    Yes
    Yes
    Yes
    SSH Service Profile
    Controls access to the SSH Service Profile node. If you disable this privilege, the administrator will be unable to see the node or configure a profile to specify parameters for SSH connections to your Palo Alto Networks management and high availability (HA) appliances.
    If you set this privilege to read-only, the administrator can view existing SSH service profiles but cannot edit or create them.
    Yes
    Yes
    Yes
    Response Pages
    Controls access to the Response Pages node. If you disable this privilege, the administrator will not see the Response Page node or be able to define a custom HTML message that is downloaded and displayed instead of a requested web page or file.
    If you set this privilege to read-only, the administrator can view the Response Page configuration for the firewall but is not allowed to create or edit a response page configuration.
    Yes
    Yes
    Yes
    Log Settings
    Sets the default state to enable or disable for all of the Log settings described below.
    Yes
    No
    Yes
    System
    Controls access to the Log SettingsSystem node. If you disable this privilege, the administrator cannot see the Log SettingsSystem node or specify which System logs the firewall forwards to Panorama or external services (such as a syslog server).
    If you set this privilege to read-only, the administrator can view the Log SettingsSystem settings for the firewall but cannot add, edit, or delete the settings.
    Yes
    Yes
    Yes
    Configuration
    Controls access to the Log SettingsConfiguration node. If you disable this privilege, the administrator cannot see the Log SettingsConfiguration node or specify which Configuration logs the firewall forwards to Panorama or external services (such as a syslog server).
    If you set this privilege to read-only, the administrator can view the Log SettingsConfiguration settings for the firewall but cannot add, edit, or delete the settings.
    Yes
    Yes
    Yes
    User-ID
    Controls access to the Log SettingsUser-ID node. If you disable this privilege, the administrator cannot see the Log SettingsUser-ID node or specify which User-ID logs the firewall forwards to Panorama or external services (such as a syslog server).
    If you set this privilege to read-only, the administrator can view the Log SettingsUser-ID settings for the firewall but cannot add, edit, or delete the settings.
    Yes
    Yes
    Yes
    HIP Match
    Controls access to the Log SettingsHIP Match node. If you disable this privilege, the administrator cannot see the Log SettingsHIP Match node or specify which Host Information Profile (HIP) match logs the firewall forwards to Panorama or external services (such as a syslog server). HIP match logs provide information on Security policy rules that apply to GlobalProtect endpoints.
    If you set this privilege to read-only, the administrator can view the Log SettingsHIP settings for the firewall but cannot add, edit, or delete the settings.
    Yes
    Yes
    Yes
    GlobalProtect
    Controls access to the Log SettingsGlobalProtect node. If you disable this privilege, the administrator cannot see the Log SettingsGlobalProtect node or specify which GlobalProtect logs the firewall forwards to Panorama or external services (such as a syslog server).
    If you set this privilege to read-only, the administrator can view the Log SettingsGlobalProtect settings for the firewall but cannot add, edit, or delete the settings.
    Yes
    Yes
    Yes
    Correlation
    Controls access to the Log SettingsCorrelation node. If you disable this privilege, the administrator cannot see the Log SettingsCorrelation node or add, delete, or modify correlation log forwarding settings or tag source or destination IP addresses.
    If you set this privilege to read-only, the administrator can view the Log SettingsCorrelation settings for the firewall but cannot add, edit, or delete the settings.
    Yes
    Yes
    Yes
    Alarm Settings
    Controls access to the Log SettingsAlarm Settings node. If you disable this privilege, the administrator cannot see the Log SettingsAlarm Settings node or configure notifications that the firewall generates when a Security policy rule (or group of rules) is hit repeatedly within a configurable time period.
    If you set this privilege to read-only, the administrator can view the Log SettingsAlarm Settings for the firewall but cannot edit the settings.
    Yes
    Yes
    Yes
    Manage Logs
    Controls access to the Log SettingsManage Logs node. If you disable this privilege, the administrator cannot see the Log SettingsManage Logs node or clear the indicated logs.
    If you set this privilege to read-only, the administrator can view the Log SettingsManage Logs information but cannot clear any of the logs.
    Yes
    Yes
    Yes
    Server Profiles
    Sets the default state to enable or disable for all of the Server Profiles settings described below.
    Yes
    No
    Yes
    SNMP Trap
    Controls access to the Server ProfilesSNMP Trap node. If you disable this privilege, the administrator will not see the Server ProfilesSNMP Trap node or be able to specify one or more SNMP trap destinations to be used for system log entries.
    If you set this privilege to read-only, the administrator can view the Server ProfilesSNMP Trap Logs information but cannot specify SNMP trap destinations.
    Yes
    Yes
    Yes
    Syslog
    Controls access to the Server ProfilesSyslog node. If you disable this privilege, the administrator will not see the Server ProfilesSyslog node or be able to specify one or more syslog servers.
    If you set this privilege to read-only, the administrator can view the Server ProfilesSyslog information but cannot specify syslog servers.
    Yes
    Yes
    Yes
    Email
    Controls access to the Server ProfilesEmail node. If you disable this privilege, the administrator will not see the Server ProfilesEmail node or be able to configure an email profile that can be used to enable email notification for system and configuration log entries.
    If you set this privilege to read-only, the administrator can view the Server ProfilesEmail information but cannot configure an email server profile.
    Yes
    Yes
    Yes
    HTTP
    Controls access to the Server ProfilesHTTP node. If you disable this privilege, the administrator will not see the Server ProfilesHTTP node or be able to configure an HTTP server profile that can be used to enable log forwarding to HTTP destinations any log entries.
    If you set this privilege to read-only, the administrator can view the Server ProfilesHTTP information but cannot configure an HTTP server profile.
    Yes
    Yes
    Yes
    Netflow
    Controls access to the Server ProfilesNetflow node. If you disable this privilege, the administrator will not see the Server ProfilesNetflow node or be able to define a NetFlow server profile, which specifies the frequency of the export along with the NetFlow servers that will receive the exported data.
    If you set this privilege to read-only, the administrator can view the Server ProfilesNetflow information but cannot define a Netflow profile.
    Yes
    Yes
    Yes
    RADIUS
    Controls access to the Server ProfilesRADIUS node. If you disable this privilege, the administrator will not see the Server ProfilesRADIUS node or be able to configure settings for the RADIUS servers that are identified in authentication profiles.
    If you set this privilege to read-only, the administrator can view the Server ProfilesRADIUS information but cannot configure settings for the RADIUS servers.
    Yes
    Yes
    Yes
    SCP
    Controls access to the Server ProfilesSCP node.
    If you disable this privilege, the administrator will not see the node or configure settings for SCP servers.
    If you set this privilege to read-only, the administrator can view existing SCP server profiles but cannot add or edit them.
    Yes
    Yes
    Yes
    TACACS+
    Controls access to the Server ProfilesTACACS+ node.
    If you disable this privilege, the administrator will not see the node or configure settings for the TACACS+ servers that authentication profiles reference.
    If you set this privilege to read-only, the administrator can view existing TACACS+ server profiles but cannot add or edit them.
    Yes
    Yes
    Yes
    LDAP
    Controls access to the Server ProfilesLDAP node. If you disable this privilege, the administrator will not see the Server ProfilesLDAP node or be able to configure settings for the LDAP servers to use for authentication by way of authentication profiles.
    If you set this privilege to read-only, the administrator can view the Server ProfilesLDAP information but cannot configure settings for the LDAP servers.
    Yes
    Yes
    Yes
    Kerberos
    Controls access to the Server ProfilesKerberos node. If you disable this privilege, the administrator will not see the Server ProfilesKerberos node or configure a Kerberos server that allows users to authenticate natively to a domain controller.
    If you set this privilege to read-only, the administrator can view the Server ProfilesKerberos information but cannot configure settings for Kerberos servers.
    Yes
    Yes
    Yes
    SAML Identity Provider
    Controls access to the Server ProfilesSAML Identity Provider node. If you disable this privilege, the administrator cannot see the node or configure SAML identity provider (IdP) server profiles.
    If you set this privilege to read-only, the administrator can view the Server ProfilesSAML Identity Provider information but cannot configure SAML IdP server profiles.
    Yes
    Yes
    Yes
    Multi Factor Authentication
    Controls access to the Server ProfilesMulti Factor Authentication node. If you disable this privilege, the administrator cannot see the node or configure multi-factor authentication (MFA) server profiles.
    If you set this privilege to read-only, the administrator can view the Server ProfilesSAML Identity Provider information but cannot configure MFA server profiles.
    Local User Database
    Sets the default state to enable or disable for all of the Local User Database settings described below.
    Yes
    No
    Yes
    Users
    Controls access to the Local User DatabaseUsers node. If you disable this privilege, the administrator will not see the Local User DatabaseUsers node or set up a local database on the firewall to store authentication information for remote access users, firewall administrators, and Authentication Portal users.
    If you set this privilege to read-only, the administrator can view the Local User DatabaseUsers information but cannot set up a local database on the firewall to store authentication information.
    Yes
    Yes
    Yes
    User Groups
    Controls access to the Local User DatabaseUsers node. If you disable this privilege, the administrator will not see the Local User DatabaseUsers node or be able to add user group information to the local database.
    If you set this privilege to read-only, the administrator can view the Local User DatabaseUsers information but cannot add user group information to the local database.
    Yes
    Yes
    Yes
    Access Domain
    Controls access to the Access Domain node. If you disable this privilege, the administrator will not see the Access Domain node or be able to create or edit an access domain.
    If you set this privilege to read-only, the administrator can view the Access Domain information but cannot create or edit an access domain.
    Yes
    Yes
    Yes
    Scheduled Log Export
    Controls access to the Scheduled Log Export node. If you disable this privilege, the administrator will not see the Scheduled Log Export node or be able schedule exports of logs and save them to a File Transfer Protocol (FTP) server in CSV format or use Secure Copy (SCP) to securely transfer data between the firewall and a remote host.
    If you set this privilege to read-only, the administrator can view the Scheduled Log Export Profile information but cannot schedule the export of logs.
    Yes
    No
    Yes
    Software
    Controls access to the Software node. If you disable this privilege, the administrator will not see the Software node or view the latest versions of the PAN-OS software available from Palo Alto Networks, read the release notes for each version, and select a release to download and install.
    If you set this privilege to read-only, the administrator can view the Software information but cannot download or install software.
    Yes
    Yes
    Yes
    GlobalProtect Client
    Controls access to the GlobalProtect Client node. If you disable this privilege, the administrator will not see the GlobalProtect Client node or view available GlobalProtect releases, download the code or activate the GlobalProtect app.
    If you set this privilege to read-only, the administrator can view the available GlobalProtect Client releases but cannot download or install the app software.
    Yes
    Yes
    Yes
    Dynamic Updates
    Controls access to the Dynamic Updates node. If you disable this privilege, the administrator will not see the Dynamic Updates node or be able to view the latest updates, read the release notes for each update, or select an update to upload and install.
    If you set this privilege to read-only, the administrator can view the available Dynamic Updates releases, read the release notes but cannot upload or install the software.
    Yes
    Yes
    Yes
    Licenses
    Controls access to the Licenses node. If you disable this privilege, the administrator will not see the Licenses node or be able to view the licenses installed or activate licenses.
    If you set this privilege to read-only, the administrator can view the installed Licenses, but cannot perform license management functions.
    Yes
    Yes
    Yes
    Support
    Controls access to the Support node. If you disable this privilege, the administrator cannot see the Support node, activate support, or access production and security alerts from Palo Alto Networks.
    If you set this privilege to read-only, the administrator can see the Support node and access production and security alerts but cannot activate support.
    Yes
    Yes
    Yes
    Master Key and Diagnostics
    Controls access to the Master Key and Diagnostics node. If you disable this privilege, the administrator will not see the Master Key and Diagnostics node or be able to specify a master key to encrypt private keys on the firewall.
    If you set this privilege to read-only, the administrator can view the Master Key and Diagnostics node and view information about master keys that have been specified but cannot add or edit a new master key configuration.
    Yes
    Yes
    Yes
    Policy Recommendation
    Controls access to IoT and SaaS policy rule recommendations. If you disable these privileges, the administrator can’t see the Policy RecommendationIoT node, the Policy RecommendationSaaS node, or both, depending on which privileges you disable.
    If you set these privileges to read-only, the administrator can view the nodes but cannot import policy rules or edit information.
    Yes
    Yes
    Yes

    © 2026 Palo Alto Networks, Inc. All rights reserved.