The administrative accounts are defined on an external SAML, TACACS+, or RADIUS server.
The server performs both authentication and authorization. For authorization,
you define Vendor-Specific Attributes (VSAs) on the TACACS+ or RADIUS
server, or SAML attributes on the SAML server. PAN-OS maps the attributes
to administrator roles, access domains, user groups, and virtual
systems that you define on the firewall. For details, see:
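
The RADIUS case described above can be audited by decoding the Vendor-Specific Attributes in a server reply and comparing the returned role against the roles you expect that server to assign. The sketch below is an added example, not code from the PAN-OS documentation. It assumes vendor code 25461 and VSA numbers 1 to 5 as published in Palo Alto Networks' RADIUS dictionary (they are not listed on this page), takes the attribute bytes that follow the 20-byte RADIUS header, and uses constructed role and access domain names.

```python
import struct

PALO_ALTO_VENDOR_ID = 25461  # assumed from Palo Alto Networks' RADIUS dictionary
VSA_NAMES = {1: "PaloAlto-Admin-Role", 2: "PaloAlto-Admin-Access-Domain",
             3: "PaloAlto-Panorama-Admin-Role",
             4: "PaloAlto-Panorama-Admin-Access-Domain", 5: "PaloAlto-User-Group"}

def _tlvs(buf):
    """Yield (type, value) for 1-byte type / 1-byte length TLVs; reject bad lengths."""
    pos = 0
    while pos < len(buf):
        if pos + 2 > len(buf) or buf[pos + 1] < 2 or pos + buf[pos + 1] > len(buf):
            raise ValueError(f"malformed attribute at offset {pos}")
        yield buf[pos], buf[pos + 2:pos + buf[pos + 1]]
        pos += buf[pos + 1]

def parse_palo_alto_vsas(attrs):
    """Return {vsa_name: [values]} from the attribute bytes of a RADIUS reply."""
    found = {}
    for a_type, value in _tlvs(attrs):
        if a_type != 26 or len(value) < 4:       # 26 = Vendor-Specific (RFC 2865)
            continue
        if struct.unpack("!I", value[:4])[0] != PALO_ALTO_VENDOR_ID:
            continue                             # another vendor's VSA, ignore
        for v_type, v_value in _tlvs(value[4:]):
            name = VSA_NAMES.get(v_type, f"unknown-{v_type}")
            found.setdefault(name, []).append(v_value.decode("utf-8"))
    return found

def unexpected_roles(vsas, approved_roles):
    """Role values the server returned that are not on the approved list."""
    return [r for r in vsas.get("PaloAlto-Admin-Role", []) if r not in approved_roles]

def build_vsa(v_type, text):
    """Encode one Palo Alto VSA as a type-26 attribute (used for the sample below)."""
    sub = bytes([v_type, len(text) + 2]) + text.encode()
    body = struct.pack("!I", PALO_ALTO_VENDOR_ID) + sub
    return bytes([26, len(body) + 2]) + body

# Constructed sample: User-Name, two Palo Alto VSAs, and one other vendor's VSA.
SAMPLE = (bytes([1, 7]) + b"alice"
          + build_vsa(1, "fw-readonly") + build_vsa(2, "dc-east")
          + bytes([26, 9]) + struct.pack("!I", 9) + bytes([1, 3]) + b"x")

if __name__ == "__main__":
    vsas = parse_palo_alto_vsas(SAMPLE)
    print(vsas, unexpected_roles(vsas, {"fw-audit"}))
```

A role value that appears in `unexpected_roles` means the authentication server is granting a firewall role outside what you approved for it, which is worth reviewing on the server side since the firewall applies whatever role the attribute names.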