Provide Granular Access to the Panorama Tab

The following table lists the Panorama tab access levels and the custom Panorama administrator roles for which they are available. Firewall administrators cannot access any of these privileges.

Each entry gives the access level (privilege), its description, the administrator roles for which it is available (Panorama; Device Group/Template), and which settings are available for it (Enable; Read Only; Disable). Sub-privileges are listed under the parent row that sets their default state, in the form Parent > Privilege.

Setup
  Specifies whether the administrator can view or edit Panorama setup information, including Management, Operations and Telemetry, Services, Content-ID, WildFire, Session, or HSM.
  If you set this privilege to read-only, the administrator can see the information but cannot edit it.
  If you disable this privilege, the administrator cannot see or edit the information.
  Administrator Role Availability: Panorama: Yes; Device Group/Template: No
  Enable: Yes; Read Only: Yes; Disable: Yes

High Availability
  Specifies whether the administrator can view and manage high availability (HA) settings for the Panorama management server.
  If you set this privilege to read-only, the administrator can view HA configuration information for the Panorama management server but can’t manage the configuration.
  If you disable this privilege, the administrator can’t see or manage HA configuration settings for the Panorama management server.
  Administrator Role Availability: Panorama: Yes; Device Group/Template: No
  Enable: Yes; Read Only: Yes; Disable: Yes

Config Audit
  Specifies whether the administrator can run Panorama configuration audits. If you disable this privilege, the administrator can’t run Panorama configuration audits.
  Administrator Role Availability: Panorama: Yes; Device Group/Template: No
  Enable: Yes; Read Only: No; Disable: Yes

Administrators
  Specifies whether the administrator can view Panorama administrator account details.
  You can’t enable full access to this function: just read-only access. (Only Panorama administrators with a dynamic role can add, edit, or delete Panorama administrators.) With read-only access, the administrator can see information about his or her own account but no other Panorama administrator accounts.
  If you disable this privilege, the administrator can’t see information about any Panorama administrator account, including his or her own.
  Administrator Role Availability: Panorama: Yes; Device Group/Template: No
  Enable: No; Read Only: Yes; Disable: Yes

Admin Roles
  Specifies whether the administrator can view Panorama administrator roles.
  You can’t enable full access to this function: just read-only access. (Only Panorama administrators with a dynamic role can add, edit, or delete custom Panorama roles.) With read-only access, the administrator can see Panorama administrator role configurations but can’t manage them.
  If you disable this privilege, the administrator can’t see or manage Panorama administrator roles.
  Administrator Role Availability: Panorama: Yes; Device Group/Template: No
  Enable: No; Read Only: Yes; Disable: Yes

Access Domain
  Specifies whether the administrator can view, add, edit, delete, or clone access domain configurations for Panorama administrators. (This privilege controls access only to the configuration of access domains, not access to the device groups, templates, and firewall contexts that are assigned to access domains.)
  If you set this privilege to read-only, the administrator can view Panorama access domain configurations but can’t manage them.
  If you disable this privilege, the administrator can’t see or manage Panorama access domain configurations.
  Administrator Role Availability: Panorama: Yes; Device Group/Template: No
  You assign access domains to Device Group and Template administrators so they can access the configuration and monitoring data within the device groups, templates, and firewall contexts that are assigned to those access domains.
  Enable: Yes; Read Only: Yes; Disable: Yes

Authentication Profile
  Specifies whether the administrator can view, add, edit, delete, or clone authentication profiles for Panorama administrators.
  If you set this privilege to read-only, the administrator can view Panorama authentication profiles but can’t manage them.
  If you disable this privilege, the administrator can’t see or manage Panorama authentication profiles.
  Administrator Role Availability: Panorama: Yes; Device Group/Template: No
  Enable: Yes; Read Only: Yes; Disable: Yes

Authentication Sequence
  Specifies whether the administrator can view, add, edit, delete, or clone authentication sequences for Panorama administrators.
  If you set this privilege to read-only, the administrator can view Panorama authentication sequences but can’t manage them.
  If you disable this privilege, the administrator can’t see or manage Panorama authentication sequences.
  Administrator Role Availability: Panorama: Yes; Device Group/Template: No
  Enable: Yes; Read Only: Yes; Disable: Yes

User Identification
  Specifies whether the administrator can configure User-ID connection security and view, add, edit, or delete User-ID redistribution points (such as User-ID agents).
  If you set this privilege to read-only, the administrator can view settings for User-ID connection security and redistribution points but can’t manage the settings.
  If you disable this privilege, the administrator can’t see or manage settings for User-ID connection security or redistribution points.
  Administrator Role Availability: Panorama: Yes; Device Group/Template: No
  Enable: Yes; Read Only: Yes; Disable: Yes

Managed Devices
  Specifies whether the administrator can view, add, edit, or delete firewalls as managed devices, and install software or content updates on them.
  If you set this privilege to read-only, the administrator can see managed firewalls but can’t add, delete, tag, or install updates on them.
  If you disable this privilege, the administrator can’t view, add, edit, tag, delete, or install updates on managed firewalls.
  An administrator with Device Deployment privileges can still select Panorama > Device Deployment to install updates on managed firewalls.
  Administrator Role Availability: Panorama: Yes; Device Group/Template: Yes
  Enable: Yes (No for Device Group and Template roles); Read Only: Yes; Disable: Yes

Templates
  Specifies whether the administrator can view, edit, add, or delete templates and template stacks.
  If you set this privilege to read-only, the administrator can see template and stack configurations but can’t manage them.
  If you disable this privilege, the administrator can’t see or manage template and stack configurations.
  Administrator Role Availability: Panorama: Yes; Device Group/Template: Yes
  Device Group and Template administrators can see only the templates and stacks that are within the access domains assigned to those administrators.
  Enable: Yes (No for Device Group and Template admins); Read Only: Yes; Disable: Yes

Device Groups
  Specifies whether the administrator can view, edit, add, or delete device groups.
  If you set this privilege to read-only, the administrator can see device group configurations but can’t manage them.
  If you disable this privilege, the administrator can’t see or manage device group configurations.
  Administrator Role Availability: Panorama: Yes; Device Group/Template: Yes
  Device Group and Template administrators can access only the device groups that are within the access domains assigned to those administrators.
  Enable: Yes; Read Only: Yes; Disable: Yes

Managed Collectors
  Specifies whether the administrator can view, edit, add, or delete managed collectors.
  If you set this privilege to read-only, the administrator can see managed collector configurations but can’t manage them.
  If you disable this privilege, the administrator can’t view, edit, add, or delete managed collector configurations.
  An administrator with Device Deployment privileges can still use the Panorama > Device Deployment options to install updates on managed collectors.
  Administrator Role Availability: Panorama: Yes; Device Group/Template: No
  Enable: Yes; Read Only: Yes; Disable: Yes

Collector Groups
  Specifies whether the administrator can view, edit, add, or delete Collector Groups.
  If you set this privilege to read-only, the administrator can see Collector Groups but can’t manage them.
  If you disable this privilege, the administrator can’t see or manage Collector Groups.
  Administrator Role Availability: Panorama: Yes; Device Group/Template: No
  Enable: Yes; Read Only: Yes; Disable: Yes

VMware Service Manager
  Specifies whether the administrator can view and edit VMware Service Manager settings.
  If you set this privilege to read-only, the administrator can see the settings but can’t perform any related configuration or operational procedures.
  If you disable this privilege, the administrator can’t see the settings or perform any related configuration or operational procedures.
  Administrator Role Availability: Panorama: Yes; Device Group/Template: No
  Enable: Yes; Read Only: Yes; Disable: Yes

Certificate Management
  Sets the default state, enabled or disabled, for all of the Panorama certificate management privileges.
  Administrator Role Availability: Panorama: Yes; Device Group/Template: No
  Enable: Yes; Read Only: No; Disable: Yes

Certificate Management > Certificates
  Specifies whether the administrator can view, edit, generate, delete, revoke, renew, or export certificates. This privilege also specifies whether the administrator can import or export HA keys.
  If you set this privilege to read-only, the administrator can see Panorama certificates but can’t manage the certificates or HA keys.
  If you disable this privilege, the administrator can’t see or manage Panorama certificates or HA keys.
  Administrator Role Availability: Panorama: Yes; Device Group/Template: No
  Enable: Yes; Read Only: Yes; Disable: Yes

Certificate Management > Certificate Profile
  Specifies whether the administrator can view, add, edit, delete, or clone Panorama certificate profiles.
  If you set this privilege to read-only, the administrator can see Panorama certificate profiles but can’t manage them.
  If you disable this privilege, the administrator can’t see or manage Panorama certificate profiles.
  Administrator Role Availability: Panorama: Yes; Device Group/Template: No
  Enable: Yes; Read Only: Yes; Disable: Yes

Certificate Management > SSL/TLS Service Profile
  Specifies whether the administrator can view, add, edit, delete, or clone SSL/TLS Service profiles.
  If you set this privilege to read-only, the administrator can see SSL/TLS Service profiles but can’t manage them.
  If you disable this privilege, the administrator can’t see or manage SSL/TLS Service profiles.
  Administrator Role Availability: Panorama: Yes; Device Group/Template: No
  Enable: Yes; Read Only: Yes; Disable: Yes

Log Settings
  Sets the default state, enabled or disabled, for all the log setting privileges.
  Administrator Role Availability: Panorama: Yes; Device Group/Template: No
  Enable: Yes; Read Only: No; Disable: Yes

Log Settings > System
  Specifies whether the administrator can see and configure the settings that control the forwarding of System logs to external services (syslog, email, SNMP trap, or HTTP servers).
  If you set this privilege to read-only, the administrator can see the System log forwarding settings but can’t manage them.
  If you disable this privilege, the administrator can’t see or manage the settings.
  This privilege pertains only to System logs that Panorama and Log Collectors generate. The Collector Groups privilege (Panorama > Collector Groups) controls forwarding for System logs that Log Collectors receive from firewalls. The Device > Log Settings > System privilege controls log forwarding from firewalls directly to external services (without aggregation on Log Collectors).
  Administrator Role Availability: Panorama: Yes; Device Group/Template: No
  Enable: Yes; Read Only: Yes; Disable: Yes

Log Settings > Config
  Specifies whether the administrator can see and configure the settings that control the forwarding of Config logs to external services (syslog, email, SNMP trap, or HTTP servers).
  If you set this privilege to read-only, the administrator can see the Config log forwarding settings but can’t manage them.
  If you disable this privilege, the administrator can’t see or manage the settings.
  This privilege pertains only to Config logs that Panorama and Log Collectors generate. The Collector Groups privilege (Panorama > Collector Groups) controls forwarding for Config logs that Log Collectors receive from firewalls. The Device > Log Settings > Configuration privilege controls log forwarding from firewalls directly to external services (without aggregation on Log Collectors).
  Administrator Role Availability: Panorama: Yes; Device Group/Template: No
  Enable: Yes; Read Only: Yes; Disable: Yes

Log Settings > User-ID
  Specifies whether the administrator can see and configure the settings that control the forwarding of User-ID logs to external services (syslog, email, SNMP trap, or HTTP servers).
  If you set this privilege to read-only, the administrator can see the User-ID log forwarding settings but can’t manage them.
  If you disable this privilege, the administrator can’t see or manage the settings.
  This privilege pertains only to User-ID logs that Panorama generates. The Collector Groups privilege (Panorama > Collector Groups) controls forwarding for User-ID logs that Log Collectors receive from firewalls. The Device > Log Settings > User-ID privilege controls log forwarding from firewalls directly to external services (without aggregation on Log Collectors).
  Administrator Role Availability: Panorama: Yes; Device Group/Template: No
  Enable: Yes; Read Only: Yes; Disable: Yes

Log Settings > HIP Match
  Specifies whether the administrator can see and configure the settings that control the forwarding of HIP Match logs from a Panorama virtual appliance in Legacy mode to external services (syslog, email, SNMP trap, or HTTP servers).
  If you set this privilege to read-only, the administrator can see the forwarding settings of HIP Match logs but can’t manage them.
  If you disable this privilege, the administrator can’t see or manage the settings.
  The Collector Groups privilege (Panorama > Collector Groups) controls forwarding for HIP Match logs that Log Collectors receive from firewalls. The Device > Log Settings > HIP Match privilege controls log forwarding from firewalls directly to external services (without aggregation on Log Collectors).
  Administrator Role Availability: Panorama: Yes; Device Group/Template: No
  Enable: Yes; Read Only: Yes; Disable: Yes

Log Settings > Correlation
  Specifies whether the administrator can see and configure the settings that control the forwarding of Correlation logs from a Panorama virtual appliance in Legacy mode to external services (syslog, email, SNMP trap, or HTTP servers).
  If you set this privilege to read-only, the administrator can see the Correlation log forwarding settings but can’t manage them.
  If you disable this privilege, the administrator can’t see or manage the settings.
  The Collector Groups privilege (Panorama > Collector Groups) controls forwarding of Correlation logs from a Panorama M-Series appliance or Panorama virtual appliance in Panorama mode.
  Administrator Role Availability: Panorama: Yes; Device Group/Template: No
  Enable: Yes; Read Only: Yes; Disable: Yes

Log Settings > Traffic
  Specifies whether the administrator can see and configure the settings that control the forwarding of Traffic logs from a Panorama virtual appliance in Legacy mode to external services (syslog, email, SNMP trap, or HTTP servers).
  If you set this privilege to read-only, the administrator can see the forwarding settings of Traffic logs but can’t manage them.
  If you disable this privilege, the administrator can’t see or manage the settings.
  The Collector Groups privilege (Panorama > Collector Groups) controls forwarding for Traffic logs that Log Collectors receive from firewalls. The Log Forwarding privilege (Objects > Log Forwarding) controls forwarding from firewalls directly to external services (without aggregation on Log Collectors).
  Administrator Role Availability: Panorama: Yes; Device Group/Template: No
  Enable: Yes; Read Only: Yes; Disable: Yes

Log Settings > Threat
  Specifies whether the administrator can see and configure the settings that control the forwarding of Threat logs from a Panorama virtual appliance in Legacy mode to external services (syslog, email, SNMP trap, or HTTP servers).
  If you set this privilege to read-only, the administrator can see the forwarding settings of Threat logs but can’t manage them.
  If you disable this privilege, the administrator can’t see or manage the settings.
  The Collector Groups privilege (Panorama > Collector Groups) controls forwarding for Threat logs that Log Collectors receive from firewalls. The Log Forwarding privilege (Objects > Log Forwarding) controls forwarding from firewalls directly to external services (without aggregation on Log Collectors).
  Administrator Role Availability: Panorama: Yes; Device Group/Template: No
  Enable: Yes; Read Only: Yes; Disable: Yes

Log Settings > WildFire
  Specifies whether the administrator can see and configure the settings that control the forwarding of WildFire logs from a Panorama virtual appliance in Legacy mode to external services (syslog, email, SNMP trap, or HTTP servers).
  If you set this privilege to read-only, the administrator can see the forwarding settings of WildFire logs but can’t manage them.
  If you disable this privilege, the administrator can’t see or manage the settings.
  The Collector Groups privilege (Panorama > Collector Groups) controls the forwarding for WildFire logs that Log Collectors receive from firewalls. The Log Forwarding privilege (Objects > Log Forwarding) controls forwarding from firewalls directly to external services (without aggregation on Log Collectors).
  Administrator Role Availability: Panorama: Yes; Device Group/Template: No
  Enable: Yes; Read Only: Yes; Disable: Yes

Server Profiles
  Sets the default state, enabled or disabled, for all the server profile privileges.
  These privileges pertain only to the server profiles that are used for forwarding logs from Panorama or Log Collectors and the server profiles that are used for authenticating Panorama administrators. The Device > Server Profiles privileges control access to the server profiles that are used for forwarding logs directly from firewalls to external services and for authenticating firewall administrators.
  Administrator Role Availability: Panorama: Yes; Device Group/Template: No
  Enable: Yes; Read Only: No; Disable: Yes

Server Profiles > SNMP Trap
  Specifies whether the administrator can see and configure SNMP trap server profiles.
  If you set this privilege to read-only, the administrator can see SNMP trap server profiles but can’t manage them.
  If you disable this privilege, the administrator can’t see or manage SNMP trap server profiles.
  Administrator Role Availability: Panorama: Yes; Device Group/Template: No
  Enable: Yes; Read Only: Yes; Disable: Yes

Server Profiles > Syslog
  Specifies whether the administrator can see and configure Syslog server profiles.
  If you set this privilege to read-only, the administrator can see Syslog server profiles but can’t manage them.
  If you disable this privilege, the administrator can’t see or manage Syslog server profiles.
  Administrator Role Availability: Panorama: Yes; Device Group/Template: No
  Enable: Yes; Read Only: Yes; Disable: Yes

Server Profiles > Email
  Specifies whether the administrator can see and configure email server profiles.
  If you set this privilege to read-only, the administrator can see email server profiles but can’t manage them.
  If you disable this privilege, the administrator can’t see or manage email server profiles.
  Administrator Role Availability: Panorama: Yes; Device Group/Template: No
  Enable: Yes; Read Only: Yes; Disable: Yes

Server Profiles > RADIUS
  Specifies whether the administrator can see and configure the RADIUS server profiles that are used to authenticate Panorama administrators.
  If you set this privilege to read-only, the administrator can see the RADIUS server profiles but can’t manage them.
  If you disable this privilege, the administrator can’t see or manage the RADIUS server profiles.
  Administrator Role Availability: Panorama: Yes; Device Group/Template: No
  Enable: Yes; Read Only: Yes; Disable: Yes

Server Profiles > TACACS+
  Specifies whether the administrator can see and configure the TACACS+ server profiles that are used to authenticate Panorama administrators.
  If you set this privilege to read-only, the administrator can view existing TACACS+ server profiles but can’t add or edit them.
  If you disable this privilege, the administrator can’t see the node or configure settings for the TACACS+ servers that authentication profiles reference.
  Administrator Role Availability: Panorama: Yes; Device Group/Template: No
  Enable: Yes; Read Only: Yes; Disable: Yes

Server Profiles > LDAP
  Specifies whether the administrator can see and configure the LDAP server profiles that are used to authenticate Panorama administrators.
  If you set this privilege to read-only, the administrator can see the LDAP server profiles but can’t manage them.
  If you disable this privilege, the administrator can’t see or manage the LDAP server profiles.
  Administrator Role Availability: Panorama: Yes; Device Group/Template: No
  Enable: Yes; Read Only: Yes; Disable: Yes

Server Profiles > Kerberos
  Specifies whether the administrator can see and configure the Kerberos server profiles that are used to authenticate Panorama administrators.
  If you set this privilege to read-only, the administrator can see the Kerberos server profiles but can’t manage them.
  If you disable this privilege, the administrator can’t see or manage the Kerberos server profiles.
  Administrator Role Availability: Panorama: Yes; Device Group/Template: No
  Enable: Yes; Read Only: Yes; Disable: Yes

Server Profiles > SAML Identity Provider
  Specifies whether the administrator can see and configure the SAML Identity Provider (IdP) server profiles that are used to authenticate Panorama administrators.
  If you set this privilege to read-only, the administrator can see the SAML IdP server profiles but can’t manage them.
  If you disable this privilege, the administrator can’t see or manage the SAML IdP server profiles.
  Administrator Role Availability: Panorama: Yes; Device Group/Template: No
  Enable: Yes; Read Only: Yes; Disable: Yes

Scheduled Config Export
  Specifies whether the administrator can view, add, edit, delete, or clone scheduled Panorama configuration exports.
  If you set this privilege to read-only, the administrator can view the scheduled exports but can’t manage them.
  If you disable this privilege, the administrator can’t see or manage the scheduled exports.
  Administrator Role Availability: Panorama: Yes; Device Group/Template: No
  Enable: Yes; Read Only: No; Disable: Yes

Software
  Specifies whether the administrator can: view information about software updates installed on the Panorama management server; download, upload, or install the updates; and view the associated release notes.
  If you set this privilege to read-only, the administrator can view information about Panorama software updates and view the associated release notes but can’t perform any related operations.
  If you disable this privilege, the administrator can’t see Panorama software updates, see the associated release notes, or perform any related operations.
  The Panorama > Device Deployment > Software privilege controls access to PAN-OS software deployed on firewalls and Panorama software deployed on Dedicated Log Collectors.
  Administrator Role Availability: Panorama: Yes; Device Group/Template: No
  Enable: Yes; Read Only: Yes; Disable: Yes

Dynamic Updates
  Specifies whether the administrator can: view information about content updates installed on the Panorama management server (for example, WildFire updates); download, upload, install, or revert the updates; and view the associated release notes.
  If you set this privilege to read-only, the administrator can view information about Panorama content updates and view the associated release notes but can’t perform any related operations.
  If you disable this privilege, the administrator can’t see Panorama content updates, see the associated release notes, or perform any related operations.
  The Panorama > Device Deployment > Dynamic Updates privilege controls access to content updates deployed on firewalls and Dedicated Log Collectors.
  Administrator Role Availability: Panorama: Yes; Device Group/Template: No
  Enable: Yes; Read Only: Yes; Disable: Yes

Support
  Specifies whether the administrator can: view Panorama support license information, product alerts, and security alerts; activate a support license; and manage cases. Only a superuser admin can generate Tech Support files.
  If you set this privilege to read-only, the administrator can view Panorama support information, product alerts, and security alerts, but can’t activate a support license, generate Tech Support files, or manage cases.
  If you disable this privilege, the administrator can’t: see Panorama support information, product alerts, or security alerts; activate a support license; generate Tech Support files; or manage cases.
  Administrator Role Availability: Panorama: Yes; Device Group/Template: No
  Enable: Yes; Read Only: Yes; Disable: Yes

Device Deployment
  Sets the default state, enabled or disabled, for all the privileges associated with deploying licenses and software or content updates to firewalls and Log Collectors.
  The Panorama > Software and Panorama > Dynamic Updates privileges control the software and content updates installed on a Panorama management server.
  Administrator Role Availability: Panorama: Yes; Device Group/Template: Yes
  Enable: Yes; Read Only: No; Disable: Yes

Device Deployment > Software
  Specifies whether the administrator can: view information about the software updates installed on firewalls and Log Collectors; download, upload, or install the updates; and view the associated release notes.
  If you set this privilege to read-only, the administrator can see information about the software updates and view the associated release notes but can’t deploy the updates to firewalls or Dedicated Log Collectors.
  If you disable this privilege, the administrator can’t see information about the software updates, see the associated release notes, or deploy the updates to firewalls or Dedicated Log Collectors.
  Administrator Role Availability: Panorama: Yes; Device Group/Template: Yes
  Enable: Yes; Read Only: Yes; Disable: Yes

Device Deployment > GlobalProtect Client
  Specifies whether the administrator can: view information about GlobalProtect app software updates on firewalls; download, upload, or activate the updates; and view the associated release notes.
  If you set this privilege to read-only, the administrator can see information about GlobalProtect app software updates and view the associated release notes but can’t activate the updates on firewalls.
  If you disable this privilege, the administrator can’t see information about GlobalProtect app software updates, see the associated release notes, or activate the updates on firewalls.
  Administrator Role Availability: Panorama: Yes; Device Group/Template: Yes
  Enable: Yes; Read Only: Yes; Disable: Yes

Device Deployment > Dynamic Updates
  Specifies whether the administrator can: view information about the content updates (for example, Applications updates) installed on firewalls and Dedicated Log Collectors; download, upload, or install the updates; and view the associated release notes.
  If you set this privilege to read-only, the administrator can see information about the content updates and view the associated release notes but can’t deploy the updates to firewalls or Dedicated Log Collectors.
  If you disable this privilege, the administrator can’t see information about the content updates, see the associated release notes, or deploy the updates to firewalls or Dedicated Log Collectors.
  Administrator Role Availability: Panorama: Yes; Device Group/Template: Yes
  Enable: Yes; Read Only: Yes; Disable: Yes

Device Deployment > Licenses
  Specifies whether the administrator can view, refresh, and activate firewall licenses.
  If you set this privilege to read-only, the administrator can view firewall licenses but can’t refresh or activate those licenses.
  If you disable this privilege, the administrator can’t view, refresh, or activate firewall licenses.
  Administrator Role Availability: Panorama: Yes; Device Group/Template: Yes
  Enable: Yes; Read Only: Yes; Disable: Yes

Master Key and Diagnostics
  Specifies whether the administrator can view and configure a master key by which to encrypt private keys on Panorama.
  If you set this privilege to read-only, the administrator can view the Panorama master key configuration but can’t change it.
  If you disable this privilege, the administrator can’t see or edit the Panorama master key configuration.
  Administrator Role Availability: Panorama: Yes; Device Group/Template: No
  Enable: Yes; Read Only: Yes; Disable: Yes
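The availability rules in the table can be checked mechanically before a custom role is committed, so that a role never requests a setting the table does not offer (read-only on Config Audit, Enable on Administrators, a Panorama-only privilege in a Device Group/Template role). The following Python is an added example, not Palo Alto Networks code: TABLE transcribes a subset of the rows above, the two role definitions are constructed, and treating a privilege with no setting and no group default as disabled is an assumption.

```python
"""Resolve and validate a custom Panorama admin role against the Panorama tab table.
Added example, not Palo Alto Networks code. TABLE transcribes a subset of the
page's rows; AUDITOR and BAD_DGT are constructed role definitions."""

LEVELS = ("enable", "read-only", "disable")

# privilege -> (levels the table offers, available to Device Group/Template roles,
#               parent row whose setting is the group default, or None)
TABLE = {
    "Setup":                        (LEVELS, False, None),
    "Config Audit":                 (("enable", "disable"), False, None),
    "Administrators":               (("read-only", "disable"), False, None),
    "Admin Roles":                  (("read-only", "disable"), False, None),
    "Managed Devices":              (LEVELS, True, None),
    "Templates":                    (LEVELS, True, None),
    "Device Groups":                (LEVELS, True, None),
    "Certificate Management":       (("enable", "disable"), False, None),
    "Certificates":                 (LEVELS, False, "Certificate Management"),
    "Certificate Profile":          (LEVELS, False, "Certificate Management"),
    "Log Settings":                 (("enable", "disable"), False, None),
    "Log Settings > System":        (LEVELS, False, "Log Settings"),
    "Log Settings > Config":        (LEVELS, False, "Log Settings"),
    "Device Deployment":            (("enable", "disable"), True, None),
    "Device Deployment > Software": (LEVELS, True, "Device Deployment"),
    "Device Deployment > Licenses": (LEVELS, True, "Device Deployment"),
    "Master Key and Diagnostics":   (LEVELS, False, None),
}
# Rows whose Enable column says "No for Device Group and Template roles".
DGT_ENABLE_DENIED = {"Managed Devices", "Templates"}


def effective_level(role, privilege):
    """An explicit setting wins; otherwise the parent row's setting applies (the
    "sets the default state ... for all" rows); otherwise "disable" (assumption)."""
    if privilege in role:
        return role[privilege]
    parent = TABLE[privilege][2]
    if parent is not None and parent in role:
        return role[parent]
    return "disable"


def resolve(role):
    """Effective level of every privilege in TABLE for this role definition."""
    return {p: effective_level(role, p) for p in TABLE}


def validate(role, role_type):
    """List settings the table does not offer. role_type: "panorama" or "dg-template"."""
    problems = []
    for privilege, level in role.items():
        if privilege not in TABLE or level not in LEVELS:
            problems.append(f"{privilege}: unknown privilege or level {level!r}")
            continue
        offered, dgt_ok, _ = TABLE[privilege]
        if level not in offered:
            problems.append(f"{privilege}: {level} is not offered for this privilege")
        if role_type == "dg-template" and level != "disable":
            if not dgt_ok:
                problems.append(f"{privilege}: not available to Device Group/Template roles")
            elif level == "enable" and privilege in DGT_ENABLE_DENIED:
                problems.append(f"{privilege}: Enable is not offered to Device Group/Template roles")
    return problems


# Constructed Panorama role: an auditor who may inspect but not manage.
AUDITOR = {
    "Config Audit": "enable",
    "Administrators": "read-only",
    "Certificate Management": "disable",
    "Certificates": "read-only",  # explicit override of the group default
    "Log Settings": "enable",     # group default inherited by System and Config
}
# Constructed Device Group/Template role asking for settings the table does not offer.
BAD_DGT = {"Setup": "read-only", "Managed Devices": "enable", "Config Audit": "read-only"}

if __name__ == "__main__":
    for privilege, level in resolve(AUDITOR).items():
        print(f"{privilege:30} {level}")
    print(*validate(BAD_DGT, "dg-template"), sep="\n")
```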