Provide Granular Access to the Device Tab

To define granular access privileges for the Device tab, when creating or editing an admin role profile (DeviceAdmin Roles), scroll down to the Device node on the WebUI tab.
Access Level
Description
Enable
Read Only
Disable
Setup
Controls access to the Setup node. If you disable this privilege, the administrator will not see the Setup node or have access to firewall-wide setup configuration information, such as Management, Operations, Service, Content-ID, WildFire or Session setup information.
If the privilege state is set to read-only, you can view the current configuration but cannot make any changes.
Yes
Yes
Yes
Management
Controls access to the Management node. If you disable this privilege, the administrator will not be able to configure settings such as the hostname, domain, timezone, authentication, logging and reporting, Panorama connections, banner, message, and password complexity settings, and more.
If the privilege state is set to read-only, you can view the current configuration but cannot make any changes.
Yes
Yes
Yes
Operations
Controls access to the Operations and Telemetry and Threat Intelligence nodes. If you disable this privilege, the administrator cannot:
  • Load firewall configurations.
  • Save or revert the firewall configuration.
    This privilege applies only to the DeviceOperations options. The Save and Commit privileges control whether the administrator can save or revert configurations through the ConfigSave and ConfigRevert options.
  • Create custom logos.
  • Configure SNMP monitoring of firewall settings.
  • Configure the Statistics Service feature.
  • Configure Telemetry and Threat Intelligence settings.
Only administrators with the predefined Superuser role can export or import firewall configurations and shut down the firewall.
Only administrators with the predefined Superuser or Device Administrator role can reboot the firewall or restart the dataplane.
Administrators with a role that allows access only to specific virtual systems cannot load, save, or revert firewall configurations through the DeviceOperations options.
Yes
Yes
Yes
Services
Controls access to the Services node. If you disable this privilege, the administrator will not be able to configure services for DNS servers, an update server, proxy server, or NTP servers, or set up service routes.
If the privilege state is set to read-only, you can view the current configuration but cannot make any changes.
Yes
Yes
Yes
Content-ID
Controls access to the Content-ID node. If you disable this privilege, the administrator will not be able to configure URL filtering or Content-ID.
If the privilege state is set to read-only, you can view the current configuration but cannot make any changes.
Yes
Yes
Yes
WildFire
Controls access to the WildFire node. If you disable this privilege, the administrator will not be able to configure WildFire settings.
If the privilege state is set to read-only, you can view the current configuration but cannot make any changes.
Yes
Yes
Yes
Session
Controls access to the Session node. If you disable this privilege, the administrator will not be able to configure session settings or timeouts for TCP, UDP or ICMP, or configure decryption or VPN session settings.
If the privilege state is set to read-only, you can view the current configuration but cannot make any changes.
Yes
Yes
Yes
HSM
Controls access to the HSM node. If you disable this privilege, the administrator will not be able to configure a Hardware Security Module.
If the privilege state is set to read-only, you can view the current configuration but cannot make any changes.
Yes
Yes
Yes
High Availability
Controls access to the High Availability node. If you disable this privilege, the administrator will not see the High Availability node or have access to firewall-wide high availability configuration information such as General setup information or Link and Path Monitoring.
If you set this privilege to read-only, the administrator can view High Availability configuration information for the firewall but is not allowed to perform any configuration procedures.
Yes
Yes
Yes
Config Audit
Controls access to the Config Audit node. If you disable this privilege, the administrator will not see the Config Audit node or have access to any firewall-wide configuration information.
Yes
No
Yes
Administrators
Controls access to the Administrators node. This function can only be allowed for read-only access.
If you disable this privilege, the administrator will not see the Administrators node or have access to information about their own administrator account.
If you set this privilege to read-only, the administrator can view the configuration information for their own administrator account. They will not see any information about other administrator accounts configured on the firewall.
No
Yes
Yes
Admin Roles
Controls access to the Admin Roles node. This function can only be allowed for read-only access.
If you disable this privilege, the administrator will not see the Admin Roles node or have access to any firewall-wide information concerning Admin Role profiles configuration.
If you set this privilege to read-only, you can view the configuration information for all administrator roles configured on the firewall.
No
Yes
Yes
Authentication Profile
Controls access to the Authentication Profile node. If you disable this privilege, the administrator will not see the Authentication Profile node or be able to create or edit authentication profiles that specify RADIUS, TACACS+, LDAP, Kerberos, SAML, multi-factor authentication (MFA), or local database authentication settings. PAN-OS uses authentication profiles to authenticate firewall administrators and Captive Portal or GlobalProtect end users.
If you set this privilege to read-only, the administrator can view the Authentication Profile information but cannot create or edit authentication profiles.
Yes
Yes
Yes
Authentication Sequence
Controls access to the Authentication Sequence node. If you disable this privilege, the administrator will not see the Authentication Sequence node or be able to create or edit an authentication sequence.
If you set this privilege to read-only, the administrator can view the Authentication Profile information but cannot create or edit an authentication sequence.
Yes
Yes
Yes
Virtual Systems
Controls access to the Virtual Systems node. If you disable this privilege, the administrator will not see or be able to configure virtual systems.
If the privilege state is set to read-only, you can view the currently configured virtual systems but cannot add or edit a configuration.
Yes
Yes
Yes
Shared Gateways
Controls access to the Shared Gateways node. Shared gateways allow virtual systems to share a common interface for external communications.
If you disable this privilege, the administrator will not see or be able to configure shared gateways.
If the privilege state is set to read-only, you can view the currently configured shared gateways but cannot add or edit a configuration.
Yes
Yes
Yes
User Identification
Controls access to the User Identification node. If you disable this privilege, the administrator will not see the User Identification node or have access to firewall-wide User Identification configuration information, such as User Mapping, Connection Security, User-ID Agents, Terminal Services Agents, Group Mappings Settings, or Captive Portal Settings.
If you set this privilege to read-only, the administrator can view configuration information for the firewall but is not allowed to perform any configuration procedures.
Yes
Yes
Yes
VM Information Source
Controls access to the VM Information Source node that allows you to configure the firewall/Windows User-ID agent to collect VM inventory automatically. If you disable this privilege, the administrator will not see the VM Information Source node.
If you set this privilege to read-only, the administrator can view the VM information sources configured but cannot add, edit, or delete any sources.
This privilege is not available to Device Group and Template administrators.
Yes
Yes
Yes
Certificate Management
Sets the default state to enable or disable for all of the Certificate settings described below.
Yes
No
Yes
Certificates
Controls access to the Certificates node. If you disable this privilege, the administrator will not see the Certificates node or be able to configure or access information regarding Device Certificates or Default Trusted Certificate Authorities.
If you set this privilege to read-only, the administrator can view Certificate configuration information for the firewall but is not allowed to perform any configuration procedures.
Yes
Yes
Yes
Certificate Profile
Controls access to the Certificate Profile node. If you disable this privilege, the administrator will not see the Certificate Profile node or be able to create certificate profiles.
If you set this privilege to read-only, the administrator can view Certificate Profiles that are currently configured for the firewall but is not allowed to create or edit a certificate profile.
Yes
Yes
Yes
OCSP Responder
Controls access to the OCSP Responder node. If you disable this privilege, the administrator will not see the OCSP Responder node or be able to define a server that will be used to verify the revocation status of certificates issues by the firewall.
If you set this privilege to read-only, the administrator can view the OCSP Responder configuration for the firewall but is not allowed to create or edit an OCSP responder configuration.
Yes
Yes
Yes
SSL/TLS Service Profile
Controls access to the SSL/TLS Service Profile node.
If you disable this privilege, the administrator will not see the node or configure a profile that specifies a certificate and a protocol version or range of versions for firewall services that use SSL/TLS.
If you set this privilege to read-only, the administrator can view existing SSL/TLS Service profiles but cannot create or edit them.
Yes
Yes
Yes
SCEP
Controls access to the SCEP node. If you disable this privilege, the administrator will not see the node or be able to define a profile that specifies simple certificate enrollment protocol (SCEP) settings for issuing unique device certificates.
If you set this privilege to read-only, the administrator can view existing SCEP profiles but cannot create or edit them.
Yes
Yes
Yes
SSL Decryption Exclusion
Controls access to the SSL Decryption Exclusion node. If you disable this privilege, the administrator will not see the node or be able see the SSL decryption add custom exclusions.
If you set this privilege to read-only, the administrator can view existing SSL decryption exceptions but cannot create or edit them.
Yes
Yes
Yes
Response Pages
Controls access to the Response Pages node. If you disable this privilege, the administrator will not see the Response Page node or be able to define a custom HTML message that is downloaded and displayed instead of a requested web page or file.
If you set this privilege to read-only, the administrator can view the Response Page configuration for the firewall but is not allowed to create or edit a response page configuration.
Yes
Yes
Yes
Log Settings
Sets the default state to enable or disable for all of the Log settings described below.
Yes
No
Yes
System
Controls access to the Log SettingsSystem node. If you disable this privilege, the administrator cannot see the Log SettingsSystem node or specify which System logs the firewall forwards to Panorama or external services (such as a syslog server).
If you set this privilege to read-only, the administrator can view the Log SettingsSystem settings for the firewall but cannot add, edit, or delete the settings.
Yes
Yes
Yes
Configuration
Controls access to the Log SettingsConfiguration node. If you disable this privilege, the administrator cannot see the Log SettingsConfiguration node or specify which Configuration logs the firewall forwards to Panorama or external services (such as a syslog server).
If you set this privilege to read-only, the administrator can view the Log SettingsConfiguration settings for the firewall but cannot add, edit, or delete the settings.
Yes
Yes
Yes
User-ID
Controls access to the Log SettingsUser-ID node. If you disable this privilege, the administrator cannot see the Log SettingsUser-ID node or specify which User-ID logs the firewall forwards to Panorama or external services (such as a syslog server).
If you set this privilege to read-only, the administrator can view the Log SettingsUser-ID settings for the firewall but cannot add, edit, or delete the settings.
Yes
Yes
Yes
HIP Match
Controls access to the Log SettingsHIP Match node. If you disable this privilege, the administrator cannot see the Log SettingsHIP Match node or specify which Host Information Profile (HIP) match logs the firewall forwards to Panorama or external services (such as a syslog server). HIP match logs provide information on Security policy rules that apply to GlobalProtect endpoints
If you set this privilege to read-only, the administrator can view the Log SettingsHIP settings for the firewall but cannot add, edit, or delete the settings.
Yes
Yes
Yes
Correlation
Controls access to the Log SettingsCorrelation node. If you disable this privilege, the administrator cannot see the Log SettingsCorrelation node or add, delete, or modify correlation log forwarding settings or tag source or destination IP addresses.
If you set this privilege to read-only, the administrator can view the Log SettingsCorrelation settings for the firewall but cannot add, edit, or delete the settings.
Yes
Yes
Yes
Alarm Settings
Controls access to the Log SettingsAlarm Settings node. If you disable this privilege, the administrator cannot see the Log SettingsAlarm Settings node or configure notifications that the firewall generates when a Security policy rule (or group of rules) is hit repeatedly within a configurable time period.
If you set this privilege to read-only, the administrator can view the Log SettingsAlarm Settings for the firewall but cannot edit the settings.
Yes
Yes
Yes
Manage Logs
Controls access to the Log SettingsManage Logs node. If you disable this privilege, the administrator cannot see the Log SettingsManage Logs node or clear the indicated logs.
If you set this privilege to read-only, the administrator can view the Log SettingsManage Logs information but cannot clear any of the logs.
Yes
Yes
Yes
Server Profiles
Sets the default state to enable or disable for all of the Server Profiles settings described below.
Yes
No
Yes
SNMP Trap
Controls access to the Server ProfilesSNMP Trap node. If you disable this privilege, the administrator will not see the Server ProfilesSNMP Trap node or be able to specify one or more SNMP trap destinations to be used for system log entries.
If you set this privilege to read-only, the administrator can view the Server ProfilesSNMP Trap Logs information but cannot specify SNMP trap destinations.
Yes
Yes
Yes
Syslog
Controls access to the Server ProfilesSyslog node. If you disable this privilege, the administrator will not see the Server ProfilesSyslog node or be able to specify one or more syslog servers.
If you set this privilege to read-only, the administrator can view the Server ProfilesSyslog information but cannot specify syslog servers.
Yes
Yes
Yes
Email
Controls access to the Server ProfilesEmail node. If you disable this privilege, the administrator will not see the Server ProfilesEmail node or be able to configure an email profile that can be used to enable email notification for system and configuration log entries.
If you set this privilege to read-only, the administrator can view the Server ProfilesEmail information but cannot configure an email server profile.
Yes
Yes
Yes
HTTP
Controls access to the Server ProfilesHTTP node. If you disable this privilege, the administrator will not see the Server ProfilesHTTP node or be able to configure an HTTP server profile that can be used to enable log forwarding to HTTP destinations any log entries.
If you set this privilege to read-only, the administrator can view the Server ProfilesHTTP information but cannot configure an HTTP server profile.
Yes
Yes
Yes
Netflow
Controls access to the Server ProfilesNetflow node. If you disable this privilege, the administrator will not see the Server ProfilesNetflow node or be able to define a NetFlow server profile, which specifies the frequency of the export along with the NetFlow servers that will receive the exported data.
If you set this privilege to read-only, the administrator can view the Server ProfilesNetflow information but cannot define a Netflow profile.
Yes
Yes
Yes
RADIUS
Controls access to the Server ProfilesRADIUS node. If you disable this privilege, the administrator will not see the Server ProfilesRADIUS node or be able to configure settings for the RADIUS servers that are identified in authentication profiles.
If you set this privilege to read-only, the administrator can view the Server ProfilesRADIUS information but cannot configure settings for the RADIUS servers.
Yes
Yes
Yes
TACACS+
Controls access to the Server ProfilesTACACS+ node.
If you disable this privilege, the administrator will not see the node or configure settings for the TACACS+ servers that authentication profiles reference.
If you set this privilege to read-only, the administrator can view existing TACACS+ server profiles but cannot add or edit them.
Yes
Yes
Yes
LDAP
Controls access to the Server ProfilesLDAP node. If you disable this privilege, the administrator will not see the Server ProfilesLDAP node or be able to configure settings for the LDAP servers to use for authentication by way of authentication profiles.
If you set this privilege to read-only, the administrator can view the Server ProfilesLDAP information but cannot configure settings for the LDAP servers.
Yes
Yes
Yes
Kerberos
Controls access to the Server ProfilesKerberos node. If you disable this privilege, the administrator will not see the Server ProfilesKerberos node or configure a Kerberos server that allows users to authenticate natively to a domain controller.
If you set this privilege to read-only, the administrator can view the Server ProfilesKerberos information but cannot configure settings for Kerberos servers.
Yes
Yes
Yes
SAML Identity Provider
Controls access to the Server ProfilesSAML Identity Provider node. If you disable this privilege, the administrator cannot see the node or configure SAML identity provider (IdP) server profiles.
If you set this privilege to read-only, the administrator can view the Server ProfilesSAML Identity Provider information but cannot configure SAML IdP server profiles.
Yes
Yes
Yes
Multi Factor Authentication
Controls access to the Server ProfilesMulti Factor Authentication node. If you disable this privilege, the administrator cannot see the node or configure multi-factor authentication (MFA) server profiles.
If you set this privilege to read-only, the administrator can view the Server ProfilesSAML Identity Provider information but cannot configure MFA server profiles.
Local User Database
Sets the default state to enable or disable for all of the Local User Database settings described below.
Yes
No
Yes
Users
Controls access to the Local User DatabaseUsers node. If you disable this privilege, the administrator will not see the Local User DatabaseUsers node or set up a local database on the firewall to store authentication information for remote access users, firewall administrators, and Captive Portal users.
If you set this privilege to read-only, the administrator can view the Local User DatabaseUsers information but cannot set up a local database on the firewall to store authentication information.
Yes
Yes
Yes
User Groups
Controls access to the Local User DatabaseUsers node. If you disable this privilege, the administrator will not see the Local User DatabaseUsers node or be able to add user group information to the local database.
If you set this privilege to read-only, the administrator can view the Local User DatabaseUsers information but cannot add user group information to the local database.
Yes
Yes
Yes
Access Domain
Controls access to the Access Domain node. If you disable this privilege, the administrator will not see the Access Domain node or be able to create or edit an access domain.
If you set this privilege to read-only, the administrator can view the Access Domain information but cannot create or edit an access domain.
Yes
Yes
Yes
Scheduled Log Export
Controls access to the Scheduled Log Export node. If you disable this privilege, the administrator will not see the Scheduled Log Export node or be able schedule exports of logs and save them to a File Transfer Protocol (FTP) server in CSV format or use Secure Copy (SCP) to securely transfer data between the firewall and a remote host.
If you set this privilege to read-only, the administrator can view the Scheduled Log Export Profile information but cannot schedule the export of logs.
Yes
No
Yes
Software
Controls access to the Software node. If you disable this privilege, the administrator will not see the Software node or view the latest versions of the PAN-OS software available from Palo Alto Networks, read the release notes for each version, and select a release to download and install.
If you set this privilege to read-only, the administrator can view the Software information but cannot download or install software.
Yes
Yes
Yes
GlobalProtect Client
Controls access to the GlobalProtect Client node. If you disable this privilege, the administrator will not see the GlobalProtect Client node or view available GlobalProtect releases, download the code or activate the GlobalProtect app.
If you set this privilege to read-only, the administrator can view the available GlobalProtect Client releases but cannot download or install the app software.
Yes
Yes
Yes
Dynamic Updates
Controls access to the Dynamic Updates node. If you disable this privilege, the administrator will not see the Dynamic Updates node or be able to view the latest updates, read the release notes for each update, or select an update to upload and install.
If you set this privilege to read-only, the administrator can view the available Dynamic Updates releases, read the release notes but cannot upload or install the software.
Yes
Yes
Yes
Licenses
Controls access to the Licenses node. If you disable this privilege, the administrator will not see the Licenses node or be able to view the licenses installed or activate licenses.
If you set this privilege to read-only, the administrator can view the installed Licenses, but cannot perform license management functions.
Yes
Yes
Yes
Support
Controls access to the Support node. If you disable this privilege, the administrator cannot see the Support node, activate support, or access production and security alerts from Palo Alto Networks.
If you set this privilege to read-only, the administrator can see the Support node and access production and security alerts but cannot activate support.
Only administrators with the predefined Superuser role can use the Support node to generate tech support files or generate and download stats dump and core files.
Yes
Yes
Yes
Master Key and Diagnostics
Controls access to the Master Key and Diagnostics node. If you disable this privilege, the administrator will not see the Master Key and Diagnostics node or be able to specify a master key to encrypt private keys on the firewall.
If you set this privilege to read-only, the administrator can view the Master Key and Diagnostics node and view information about master keys that have been specified but cannot add or edit a new master key configuration.
Yes
Yes
Yes

Related Documentation