Panorama administrative accounts define the role and authentication parameters for each administrator. To unlock a locked account, click the lock in the Locked User column. To create an administrator account, click Add and complete the following fields.
| Administrator Account Setting | Description |
| --- | --- |
| Name | Enter a login username for the administrator (up to 15 characters). The name is case-sensitive and must be unique. Use only letters, numbers, hyphens, and underscores. |
| Authentication Profile | Select an authentication profile or sequence to authenticate this administrator. For details, see Device > Authentication Profile or Device > Authentication Sequence. You can use this setting for RADIUS, TACACS+, LDAP, Kerberos, or local database authentication. |
| Use only client certificate authentication (Web) | Select this option to use client certificate authentication for web access. If you select this option, a username (Name) and Password are not required; the certificate can authenticate access to Panorama. |
| Password/Confirm Password | Enter and confirm a case-sensitive password for the administrator (up to 15 characters). To ensure security, it is recommended that administrators change their passwords periodically using a combination of lower-case letters, upper-case letters, and numbers. Device Group and Template administrators cannot access the Panorama > Administrators page. To change their local password, these administrators must click their username beside Logout at the bottom of the web interface. This also applies to administrators with a custom Panorama role in which access to the page is disabled. You can use password authentication in conjunction with an Authentication Profile (or sequence) or with local database authentication. You can set password expiration parameters by selecting a Password Profile (see Device > Password Profiles) and setting Minimum Password Complexity parameters (see Device > Setup > Management). |
| Use Public Key Authentication (SSH) | Select this option to use SSH public key authentication. Click Import Key and Browse to select the public key file. The Administrator dialog displays the uploaded key in the read-only text area. Supported key file formats are IETF SECSH and OpenSSH. Supported key algorithms are DSA (1024 bits) and RSA (768-4096 bits). If public key authentication fails, Panorama presents a login and password prompt. |
| Administrator Type | The type selection determines the administrative role options: Dynamic—These roles provide access to Panorama and managed firewalls. When new features are added, Panorama automatically updates the definitions of dynamic roles; you never need to manually update them. Custom Panorama Admin—These are configurable roles that have read-write access, read-only access, or no access to Panorama features. Device Group and Template Admin—These are configurable roles that have read-write access, read-only access, or no access to features for the device groups and templates that are assigned to the access domains you select for this administrator. |
| Admin Role (Dynamic administrator type) | Select a predefined role: Superuser—Full read-write access to Panorama and all device groups, templates, and managed firewalls. Superuser (Read Only)—Read-only access to Panorama and all device groups, templates, and managed firewalls. Panorama administrator—Full access to Panorama except for the following actions: Create, modify, or delete Panorama or firewall administrators and roles. Export, validate, revert, save, load, or import a configuration (Device > Setup > Operations). Configure a Scheduled Config Export in the Panorama tab. |
| Profile (Custom Panorama Admin administrator type) | Select a custom Panorama role (see Panorama > Managed Devices). |
| Access Domain to Administrator Role (Device Group and Template Admin administrator type) | For each access domain (up to 25) you want to assign to the administrator, click Add, select an Access Domain from the drop-down (see Panorama > Access Domains), and then click the adjacent Admin Role cell and select a custom Device Group and Template administrator role from the drop-down (see Panorama > Managed Devices). When administrators log in to Panorama, an Access Domain drop-down appears in the footer of the web interface. Administrators can select any assigned Access Domain to filter the monitoring and configuration data that Panorama displays. The Access Domain selection also filters the firewalls that the Context drop-down displays. If you use a RADIUS server to authenticate administrators, you must map administrator roles and access domains to RADIUS VSAs. Because VSA strings support a limited number of characters, if you configure the maximum number of access domain/role pairs (25) for an administrator, the Name values for each access domain and each role must not exceed an average of 9 characters. |
| Password Profile | Select a Password Profile (see Device > Password Profiles). |
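
A pre-import check for the key formats and sizes listed under Use Public Key Authentication (SSH), given here as an added example that is not Palo Alto Networks code: it reads an OpenSSH or IETF SECSH public key, reports the algorithm and key size, and rejects anything outside the supported ranges. The function names, the 2048-bit warning floor and the constructed sample key are assumptions of this example, not Panorama settings.

```python
import base64
import struct

SUPPORTED = {"ssh-rsa": (768, 4096), "ssh-dss": (1024, 1024)}  # bit ranges from the table
MIN_RSA_BITS = 2048  # assumption: this example's policy floor, not a Panorama setting

def key_blob(text):
    """Return the decoded key blob from OpenSSH or IETF SECSH (RFC 4716) text."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if not lines[0].startswith("---- BEGIN SSH2 PUBLIC KEY"):
        return base64.b64decode(lines[0].split()[1])   # "<alg> <base64> [comment]"
    body, continued = [], False
    for ln in lines[1:]:
        if ln.startswith("---- END"):
            break
        is_header = continued or ":" in ln             # base64 never contains ":"
        continued = is_header and ln.endswith("\\")    # header values may wrap with "\"
        if not is_header:
            body.append(ln)
    return base64.b64decode("".join(body))

def fields(blob):
    """Yield the length-prefixed fields of a key blob (RFC 4253 string/mpint)."""
    pos = 0
    while pos < len(blob):
        (size,) = struct.unpack_from(">I", blob, pos)
        if pos + 4 + size > len(blob):
            raise ValueError("truncated key blob")
        yield blob[pos + 4:pos + 4 + size]
        pos += 4 + size

def check_key(text):
    """Return (algorithm, bits, verdict); verdict is 'ok', 'warn' or 'reject'."""
    parts = list(fields(key_blob(text)))
    alg = parts[0].decode("ascii", "replace")
    if alg not in SUPPORTED:
        return alg, 0, "reject"
    # Key size is the RSA modulus n (field 2 of e, n) or the DSA prime p (field 1).
    bits = int.from_bytes(parts[2 if alg == "ssh-rsa" else 1], "big").bit_length()
    if not SUPPORTED[alg][0] <= bits <= SUPPORTED[alg][1]:
        return alg, bits, "reject"
    return alg, bits, "ok" if alg == "ssh-rsa" and bits >= MIN_RSA_BITS else "warn"

def constructed_rsa_line(bits):
    """Constructed sample input: a well-formed ssh-rsa line with a fake modulus."""
    nums = (65537, (1 << (bits - 1)) | 1)                 # e, n (n is not a real key)
    raws = [b"ssh-rsa"] + [v.to_bytes(v.bit_length() // 8 + 1, "big") for v in nums]
    blob = b"".join(struct.pack(">I", len(r)) + r for r in raws)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " constructed@example"
```

A "warn" verdict marks a key that falls inside the supported range but below this example's own floor (any DSA key, or RSA under 2048 bits).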
