1. Home
    2. PAN-OS
    3. PAN-OS® Web Interface Reference Guide
    4. Panorama Web Interface
    5. Panorama > Access Domains
    Previous
    Next
    Access domains control the access that Device Group and Template administrators have to specific device groups (to manage policies and objects), templates (to manage network and device settings), and the web interface of managed firewalls (through context switching). You can define up to 4,000 access domains and manage them locally or using RADIUS Vendor-Specific Attributes (VSAs) . To create an access domain, click Add and complete the following fields.
    Access Domain Setting Description
    Name Enter a name for the access domain (up to 31 characters). The name is case-sensitive and must be unique. Use only letters, numbers, hyphens, and underscores.
    Shared Objects Select one of the following access privileges for the objects that device groups in this access domain inherit from the Shared location. Regardless of privilege, administrators can’t override shared or default (predefined) objects. read —Administrators can display and clone shared objects but cannot perform any other operations on them. When adding non-shared objects or cloning shared objects, the destination must be a device group within the access domain, not Shared. write —Administrators can perform all operations on shared objects. This is the default value. shared-only —Administrators can add objects only to Shared. Administrators can also display, edit, and delete shared objects but cannot move or clone them. A consequence of this selection is that administrators cannot perform any operations on non-shared objects other than to display them.
    Device Groups Enable or disable read-write access for specific device groups in the access domain. You can also click Enable All or Disable All. Enabling read-write access for a device group automatically enables the same access for its descendants. If you manually disable a descendant, access for its highest ancestor automatically changes to read-only. By default, access is disabled for all device groups. If you want the list to display only specific device groups, select the device group names and Filter Selected. If you set the access for shared objects to shared-only, Panorama applies read-only access to any device groups for which you specify read-write access.
    Templates For each template or template stack you want to assign, click Add and select it from the drop-down.
    Device Context (Corresponds to the Device/Virtual Systems column in the Access Domain page) Select the firewalls to which the administrator can switch context for performing local configuration. If the list is long, you can filter by Device State, Platforms, Device Groups, Templates, Tags, and HA Status.
    Previous
    Next

    Related Documentation

    Configure an Access Domain

    Configure an Access Domain Use Access Domains to define access for Device Group and Template administrators for specific device groups and templates, and also to ...

    Create a Device Group Hierarchy

    Create a Device Group Hierarchy Create a Device Group Hierarchy Plan the Device Group Hierarchy . Decide the device group levels, and which firewalls and ...

    Panorama > Administrators

    Panorama > Administrators Panorama administrative accounts define administrator role and authentication parameters . To unlock a locked account, click the lock in the Locked User ...

    Role-Based Access Control

    Role-Based Access Control Role-based access control (RBAC) enables you to define the privileges and responsibilities of administrative users (administrators). Every administrator must have a user ...

    Transition a Firewall to Panorama Management

    Transition a Firewall to Panorama Management If you have already deployed Palo Alto Networks firewalls and configured them locally, but now want to use Panorama ...

    Web Interface Access Privileges

    Web Interface Access Privileges If you want to prevent a role-based administrator from accessing specific tabs on the web interface, you can disable the tab ...

    Device Groups

    Device Groups To use Panorama effectively, you have to group the firewalls in your network into logical units called device groups. A device group enables ...

    Use the Panorama Web Interface

    Use the Panorama Web Interface The web interfaces of Panorama and the firewall have the same look and feel. However, the Panorama web interface has ...

    Use Case: Shared Security Policies on Dedicated Compute Infrastructure

    Use Case: Shared Security Policies on Dedicated Compute Infrastructure If you are a Managed Service Provider who needs to secure a large enterprise ( tenant ...

    Manage Device Groups

    Manage Device Groups Add a Device Group Create a Device Group Hierarchy Create Objects for Use in Shared or Device Group Policy Revert to Inherited ...

    © 2019 Palo Alto Networks, Inc. All rights reserved.

    Techdocs Logo