Privilege levels determine which commands an administrator can run as well as what information is viewable. Each administrative role has an associated privilege level. You must follow the Best Practices for Securing Admin Access to ensure that you are securing access to your management network in a way that will prevent successful attacks.
You can use dynamic roles, which are predefined roles that provide default privilege levels, or you can create custom firewall administrator roles or Panorama administrator roles and assign one of the following CLI privilege levels to each role:
Has full access to the Palo Alto Networks device (firewall or Panorama) and can define new administrator accounts and virtual systems. You must have superuser privileges to create an administrative user with superuser privileges.
Has complete read-only access to the device.
Has access to selected virtual systems (vsys) on the firewall to create and manage specific aspects of virtual systems. A virtual system administrator doesn’t have access to network interfaces, VLANs, virtual wires, virtual routers, IPSec tunnels, DHCP, DNS Proxy, QoS, LLDP, or network profiles.
Has read-only access to selected virtual systems on the firewall and specific aspects of virtual systems. A virtual system administrator with read-only access doesn’t have access to network interfaces, VLANs, virtual wires, virtual routers, IPSec tunnels, DHCP, DNS Proxy, QoS, LLDP, or network profiles.
Has full access to all firewall settings except for defining new accounts or virtual systems.
Has read-only access to all firewall settings except password profiles (no access) and administrator accounts (only the logged-in account is visible).
Has full access to Panorama except for the following actions: