1. Home
    2. PAN-OS
    3. PAN-OS® Web Interface Reference
    4. Panorama Web Interface
    5. Panorama > Access Domains
    End-of-Life (EoL)

    Panorama > Access Domains

    Access domains control the access that Device Group and Template administrators have to specific device groups (to manage policies and objects), to templates (to manage network and device settings), and to the web interface of managed firewalls (through context switching). You can define up to 4,000 access domains and manage them locally or by using RADIUS Vendor-Specific Attributes (VSAs), TACACS+ VSAs, or SAML attributes. To create an access domain,
    Add
     a domain and configure the settings as described in the following table.
    Access Domain Settings
    Description
    Name
    Enter a name for the access domain (up to 31 characters). The name is case-sensitive, must be unique, and can contain only letters, numbers, hyphens, and underscores.
    Shared Objects
    Select one of the following access privileges for the objects that device groups in this access domain inherit from the Shared location. Regardless of privilege, administrators can’t override shared or default (predefined) objects.
    • read
      —Administrators can display and clone shared objects but cannot perform any other operations on them. When adding non-shared objects or cloning shared objects, the destination must be a device group within the access domain, not Shared.
    • write
      —Administrators can perform all operations on shared objects. This is the default value.
    • shared-only
      —Administrators can add objects only to Shared. Administrators can also display, edit, and delete shared objects but cannot move or clone them. A consequence of this selection is that administrators cannot perform any operations on non-shared objects other than to display them.
    Device Groups
    Enable or disable read-write access for specific device groups in the access domain. You can also click
    Enable All
     or
    Disable All
    . Enabling read-write access for a device group automatically enables the same access for its descendants. If you manually disable a descendant, access for its highest ancestor automatically changes to read-only. By default, access is disabled for all device groups.
    If you want the list to display only specific device groups, select the device group names and
    Filter Selected
    .
    If you set the access for shared objects to
    shared-only
    , Panorama applies read-only access to any device groups for which you specify read-write access.
    Templates
    For each template or template stack you want to assign, click
    Add
     and select it from the drop-down.
    Device Context
    (
    Corresponds to the Device/Virtual Systems column in the Access Domain page
    )
    Select the firewalls to which the administrator can switch context for performing local configuration. If the list is long, you can filter by
    Device State
    ,
    Platforms
    ,
    Device Groups
    ,
    Templates
    ,
    Tags
    , and
    HA Status
    .

    Recommended For You

    Recommended Videos

    Recommended videos not found.

    © 2022 Palo Alto Networks, Inc. All rights reserved.

    Techdocs Logo