End-of-Life (EoL)
For custom Panorama administrator roles, you can now assign commit privileges by type (Panorama, device group, template, or Collector Group) instead of assigning one comprehensive commit privilege. This improves the security of Panorama, firewalls, and Log Collectors by providing more granular control over the types of configuration changes that each Panorama administrator can commit.
Assign Commit Privileges to a Panorama Administrator
1. Configure the Admin Role profile with granular commit privileges.
   a. Select Panorama > Admin Roles and Add a new profile.
   b. Enter a Name for the profile and set the Role type to Panorama.
   c. In the Web UI tab, enable the appropriate Commit permissions. This example shows how to create a custom Panorama role that can commit changes to Panorama, device group, and template settings but not to Collector Group settings.
      - Enable the Commit permissions for Panorama, Device Groups, Templates, and Force Template Values (all are enabled by default). The Force Template Values permission enables administrators to replace overridden settings in local firewall configurations with template settings.
      - Disable the Commit permission for Collector Groups.
   d. Click OK.

2. Configure the administrator account to use the new Admin Role profile.
   a. Select Panorama > Administrators and Add a new administrator.
   b. Enter a user Name for the administrator.
   c. Select the authentication type. This example uses local authentication, but you can also use an external server for authentication.
      - Set the Authentication Profile to None.
      - Enter and confirm a Password.
   d. Set the Administrator Type to Custom Panorama Admin.
   e. Select the Admin Role Profile you just created.
   f. Click OK and Commit, set the Commit Type to Panorama, and click Commit again.

3. Verify that the administrator you added can commit changes to Panorama, device group, and template settings but cannot commit changes to Collector Group settings.
   a. Log in to Panorama as the administrator you just added.
   b. Verify that you can commit changes to a Panorama, device group, and template setting. For example:
      - Select Panorama > Setup > Management and edit General Settings.
      - Modify the Login Banner text and click OK.
      - Click Commit, set the Commit Type to Panorama, and click Commit again.
   c. Verify that you cannot commit changes to a Collector Group setting. For example:
      - Select Panorama > Collector Groups and Add a Collector Group.
      - Enter a Name for the Collector Group and click OK.
      - Click Commit. For the Commit Type, the Collector Group option should not appear.
