Device > Admin Roles
Select DeviceAdmin Roles to define Admin Role profiles, which are custom roles that determine the access privileges and responsibilities of administrative users. You assign Admin Role profiles or dynamic roles when you create administrative accounts (Device>Administrators).
To define Admin Role profiles for Panorama administrators, see Panorama > Managed Devices > Summary.
The firewall has three predefined roles you can use for common criteria purposes. You first use the superuser role for initial firewall configuration and to create the administrator accounts for the Security Administrator, Audit Administrator, and Cryptographic Administrator. After you create these accounts and apply the proper common criteria Admin Roles, you then log in using those accounts. The default superuser account in Federal Information Processing Standard (FIPS)/Common Criteria (CC) FIPS-CC mode is admin and the default password is paloalto. In standard operating mode, the default admin password is admin. The predefined Admin Roles were created where there is no overlap in capabilities, except that all have read-only access to the audit trail (except audit administrator with full read/delete access. These admin roles cannot be modified and are defined as follows:
- auditadmin—The Audit Administrator is responsible for the regular review of the firewall’s audit data.
- cryptoadmin—The Cryptographic Administrator is responsible for the configuration and maintenance of cryptographic elements related to the establishment of secure connections to the firewall.
- securityadmin—The Security Administrator is responsible for all other administrative tasks (such as creating Security policy) not addressed by the other two administrative roles.
To add an Admin Role profile, click Add and specify the settings described in the following table.
Create custom roles to limit administrator access to only what each type of administrator needs. For each type of administrator, enable, disable, or set read-only access for Web UI, XML/REST API, and Command Line access.
Administrator Role Settings
Enter a name to identify this administrator role (up to 31 characters). The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.
(Optional) Enter a description for the role (up to 255 characters).
Select the scope of administrative responsibility:
Click the icons for specific web interface features to set the permitted access privileges:
Click the icons for specific XML/REST API features to set the permitted access privileges (Enable, Read Only, or Disable).
Select the type of role for CLI access. The default is None, which means access to the CLI is not permitted. The other options vary by Role scope:
Administrative Privileges Privilege levels determine which commands an administrator can run as well as what information is viewable. Each administrative role has an associated privilege ...
Administrative Roles for Virtual Systems
Administrative Roles for Virtual Systems A Superuser administrator can create virtual systems and add a Device administrator , vsysadmin , or vsysreader . A Device ...
Administrative Role Types
Administrative Role Types A role defines the type of access that an administrator has to the firewall. The Administrator Types are: Role Based —Custom roles ...
Device > Administrators
Device > Administrators Administrator accounts control access to firewalls and Panorama. A firewall administrator can have full or read-only access to a single firewall or ...
Administrative Roles You configure administrator accounts based on the security requirements of your organization, any existing authentication services that your network uses, and the required ...
Panorama > Admin Roles
Panorama > Admin Roles Admin Role profiles are custom roles that define the access privileges and responsibilities of administrators. For example, the roles assigned to ...
Panorama > Administrators
Panorama > Administrators Select Panorama Administrators to create and manage accounts for Panorama administrators. If you log in to Panorama as an administrator with a ...
Configure Administrative Access Per Virtual System or Firew...
Configure Administrative Access Per Virtual System or Firewall If you have a superuser administrative account, you can create and configure granular permissions for a vsysadmin ...
Manage Firewall Administrators
Manage Firewall Administrators Administrative accounts specify roles and authentication methods for the administrators of Palo Alto Networks firewalls. Every Palo Alto Networks firewall has a ...