Configure Administrative Access to the ESM Console Using the DB Configuration Tool

When you install the ESM Console, you specify the administrative account and type of authentication (machine or domain) that you will use for initial access to the ESM Console. From the ESM Console, you can then configure role-based access control to define Administrative Roles to assign to Administrative Users (and/or groups). This enables you to enforce the separation of information among functional or regional areas of your organization to protect the privacy of data on the ESM Console. For more information, see Manage Administrator Access to the ESM Console.
If after setting up role-based access you have difficulty accessing the ESM Console and need to verify or change administrative account settings, you can use a command line interface (CLI) called the DB Configuration Tool. This allows you to manage basic ESM Console settings including the administrative users that have access to the ESM Console, and the authentication mode by which to authenticate them. The DB Configuration Tool does not validate or authenticate the users and only provides a mechanism for making changes when you cannot do so using the ESM Console.
To enforce role-based access control, use the ESM Console to make changes to administrative access, when possible.
You can access the DB Configuration Tool using a Microsoft MS-DOS command prompt that you run as an administrator. The DB Configuration Tool is located in the
Server
folder on the ESM Server.
All commands you run using the DB Configuration Tool are case sensitive.
  1. Open a command prompt as an administrator in either of two ways:
    • Select
      Start
      All Programs
      Accessories
      , right-click
      Command prompt
      , and then select
      Run as administrator
      .
    • Select
      Start
      and, in the
      Start Search
      box, type
      cmd
      but do not press
      Enter
      , yet. Then, to open the command prompt as an administrator, press
      Ctrl
      +
      Shift
      +
      Enter
      .
  2. Navigate to the folder that contains the DB Configuration Tool:
    C:\Users\Administrator>
    cd C:\Program Files\Palo Alto Networks\Endpoint Security Manager\Server
  3. (
    Optional
    ) View the existing administrator settings:
    C:\Program Files\Palo Alto Networks\Endpoint Security Manager\Server>
    dbconfig usermanagement show
    AuthMode = Machine AllowedUsers = Administrator AllowedGroups =
  4. (
    Optional
    ) Specify the authentication mode: either
    domain
    or
    machine
    .
    C:\Program Files\Palo Alto Networks\Endpoint Security Manager\Server>
    dbconfig usermanagement AuthMode [domain|machine]
  5. (
    Optional
    ) Add an administrative user.
    C:\Program Files\Palo Alto Networks\Endpoint Security Manager\Server>
    dbconfig usermanagement AllowedUsers <newuser>
    Repeat this step to add additional administrative users. The DB Configuration Tool appends the usernames to the existing list of administrative users.
    To remove administrative users, you must use the ESM Console.

Related Documentation