Configure an Admin Role Profile
Admin Role profiles enable you to define granular administrative access privileges
that protect sensitive company information and preserve privacy for end users.
Follow the principle of least privilege when you create Admin Role profiles: give
administrators access only to the areas of the management interface that they need
to perform their jobs, and follow Administrative Access Best Practices.
For example, you can create an Admin Role profile, set its scope to Virtual System,
select the Web UI tab, and choose the parts of the configuration that the
administrator can control within a virtual system. Click OK to save the Admin Role
profile. Then select Device > Administrators, enter a name, select Role Based, enter
the name of the Admin Role profile, and select the virtual system that the
administrator can control. The MGT interface by itself doesn't give full access to
the firewall; access is controlled by the Admin Role.
If the Admin Role Profile is based on Virtual System, that administrator won't have
control over a virtual router. Only a subset of the Network options are available in
a Virtual System role, and virtual router isn't one of the included options. If you
want virtual router available in an Admin Role Profile, the role must be Device, not
Virtual System. (You can define a superuser Administrator to have both Virtual
System and Virtual Router access.)
You can create a second Admin Role Profile, specify that the role applies to Device,
and then select portions under Network, such as Virtual Routers. Name the Admin Role
Profile, and then apply it to a different administrator.
Different departments may have different functions. Based on the account used to
log in, the administrator receives the right to control only the objects enabled in
that account's Admin Role profile.
In summary, you can't define a Virtual System Admin Role profile that includes
routing (Virtual Router). You can create two accounts to have these separate roles
and assign them to two different users. An Administrator account can have only one
Admin Role profile.
The MGT interface can have role-based access; it doesn't strictly provide full access
to the device. The login account (Admin Role) is what gives a user rights or limited
access to the objects, not the MGT interface.
- Select Device > Admin Roles and click Add.
- Enter a Name to identify the role.
- For the scope of the Role, select Device or Virtual System.
- In the Web UI and REST API tabs, click the icon for each functional area to toggle it to the desired setting: Enable, Read Only, or Disable. For the XML API tab, select Enable or Disable. For details on the Web UI options, see Web Interface Access Privileges.
- Select the Command Line tab and select a CLI access option. The Role scope controls the available options:
- Device role:
- None—CLI access is not permitted (default).
- superuser—Full access. Can define new administrator accounts and virtual systems. Only a superuser can create administrator users with superuser privileges.
- superreader—Full read-only access.
- deviceadmin—Full access to all settings except defining new accounts or virtual systems.
- devicereader—Read-only access to all settings except password profiles (no access) and administrator accounts (only the logged-in account is visible).
- Virtual System role:
- None—Access is not permitted (default).
- vsysadmin—Access to specific virtual systems to create and manage specific aspects of those virtual systems. Does not enable access to firewall-level or network-level functions, including static and dynamic routing, interface IP addresses, IPSec tunnels, VLANs, virtual wires, virtual routers, GRE tunnels, DHCP, DNS Proxy, QoS, LLDP, or network profiles.
- vsysreader—Read-only access to specific aspects of specific virtual systems. Does not enable access to firewall-level or network-level functions, including static and dynamic routing, interface IP addresses, IPSec tunnels, VLANs, virtual wires, virtual routers, GRE tunnels, DHCP, DNS Proxy, QoS, LLDP, or network profiles.
- Click OK to save the profile.
- Assign the role to an administrator. See Configure a Firewall Administrator Account.
Example Admin Role Profile Construction
This example shows an Admin Role profile for
a Security Operations Center (SOC) manager who needs access to investigate
potential issues. The SOC Manager needs read access to many areas
of the firewall, but generally doesn’t need write access. The example
covers all four of the Admin Role Profile’s tabs and each step describes
why the profile enables or disables a particular area of access
to the SOC manager.
This is an example profile for a
fictional SOC manager. Configure Admin Role profiles for your administrators
based on the functions they manage and the access required to do
their job. Do not enable unnecessary access. Create separate profiles
for each administrative group that shares the same duties and for
administrators who have unique duties. Each administrator should
have the exact level of access required to perform their duties
and no access beyond that.
- Configure Web UI access permissions. Each snip of the Web UI screen shows a different area of Web UI permissions. Permissions are listed by firewall tab, in the order you see the tabs in the Web UI, followed by permissions for other actions.
  The Dashboard, ACC, and Monitor > Logs areas of the firewall don’t contain configuration elements; all of the objects are informational (you can only toggle them between Enable and Disable because they are already read-only). Because the SOC Manager needs to investigate potential issues, the SOC Manager needs access to the information on these tabs. The profile name and description make it easy to understand the profile’s objective. This snip doesn’t show all of the Logs permissions, but all of them are enabled for this profile.
  The next snip shows permissions for more informational objects on the Monitor tab. The SOC Manager uses these tools to investigate potential issues and therefore requires access.
  The next two snips show permissions for PDF Reports, Custom Reports, and predefined reports on the Monitor tab. While the SOC Manager needs access to PDF reports to gather information, in this example the SOC Manager does not need to configure reports, so access is set to read-only (summary reports are not configurable). However, the SOC Manager needs to manage custom reports to investigate specific potential issues, so full access permissions are granted for all custom reports (including those not shown in the snip). Finally, the SOC Manager requires access to predefined reports for investigating potential issues.
  Because the SOC Manager is an investigator and not an administrator who configures the firewall, permissions for the Policies tab are read-only, with the exception of resetting the rule hit count. Resetting the rule hit count is not one of the SOC Manager’s duties (and changing the hit count could adversely affect or confuse other administrators), so that access is disabled. Read access enables the SOC Manager to investigate the construction of a policy that the SOC Manager suspects may have caused an issue.
  Permissions for the Objects tab are also read-only for the same reason: the SOC Manager’s job doesn’t require configuration, so no configuration permissions are assigned. For areas that aren’t included in the SOC Manager’s duties, access is disabled. In this example, the SOC Manager has read-only access to investigate object configurations for all objects except URL Filtering, SD-WAN Link Management, and Schedules, which are under the control of different administrators in this example.
  For Network tab permissions, the scenario is similar: the SOC Manager doesn’t need to configure any of the objects but may need information to investigate issues, so read-only access is assigned to the areas that the SOC Manager may need to investigate. In this example, access is disabled for QoS, LLDP, Network Profiles, and SD-WAN Interface profiles because these items are not part of the SOC Manager’s duties.
  In this example, the SOC Manager needs no access to the Device tab capabilities for investigative purposes, so all Device tab permissions are blocked. In addition, investigation doesn’t require commit actions or access to any of the remaining actions, so those permissions are also blocked.
- Configure XML API access permissions. The following snip shows that all XML API permissions are disabled for the SOC Manager because the SOC Manager doesn’t access the firewall using XML API commands.
- Configure Command Line (CLI) access permissions. CLI access permissions are read-only for the SOC Manager because the SOC Manager needs access to logs and other monitoring tools and also needs to be able to see certain configurations in order to investigate potential issues. However, the SOC Manager doesn’t configure the firewall, so no configuration permissions are assigned. The access level is set to devicereader instead of superreader because the SOC Manager doesn’t need access to password profiles or to other administrative accounts.
- Configure REST API access permissions. The SOC Manager doesn’t access the firewall using REST API commands, so all REST API access is disabled.
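As an added example (not Palo Alto Networks' code), the following Python script audits an exported Admin Role profile against the least-privilege expectations of the SOC Manager profile built in the steps and the example above: Policies, Objects, and Network read-only or disabled, the Device tab and commit disabled, XML API and REST API disabled, and CLI access set to devicereader rather than superreader. The element names in the constructed sample export are an assumption about the PAN-OS configuration layout, not a verified schema; a role scoped to Virtual System instead of Device shows up as every expected section missing.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of a PAN-OS configuration export. The element
# names are an assumption about the schema, not copied from a real export.
SOC_MANAGER_XML = """
<admin-role>
  <entry name="SOC-Manager">
    <role><device>
      <webui>
        <dashboard>enable</dashboard><acc>enable</acc>
        <monitor><logs><traffic>enable</traffic></logs>
          <pdf-reports>read-only</pdf-reports><custom-reports>enable</custom-reports></monitor>
        <policies><security-rulebase>read-only</security-rulebase>
          <rule-hit-count-reset>disable</rule-hit-count-reset></policies>
        <objects><addresses>read-only</addresses><url-filtering>disable</url-filtering></objects>
        <network><interfaces>read-only</interfaces><qos>disable</qos></network>
        <device><setup>disable</setup><administrators>disable</administrators></device>
        <commit>disable</commit>
      </webui>
      <xmlapi><report>disable</report><config>disable</config></xmlapi>
      <cli>devicereader</cli>
      <restapi><objects>disable</objects><policies>disable</policies></restapi>
    </device></role>
  </entry>
</admin-role>
"""

# Paths under role/device and the only leaf settings each may carry for this role.
SOC_MANAGER_EXPECTATIONS = {
    "webui/policies": {"read-only", "disable"},  # inspect rules, never change them
    "webui/objects": {"read-only", "disable"},
    "webui/network": {"read-only", "disable"},
    "webui/device": {"disable"},                 # no Device tab access at all
    "webui/commit": {"disable"},                 # investigation needs no commits
    "xmlapi": {"disable"},
    "restapi": {"disable"},
    "cli": {"devicereader"},                     # not superreader: hides other accounts
}

def leaf_settings(node, prefix):
    """Yield (path, value) for every leaf element at or below node."""
    if len(node) == 0:
        yield prefix, (node.text or "").strip()
    for child in node:
        yield from leaf_settings(child, f"{prefix}/{child.tag}")

def audit_admin_role(xml_text, expectations=SOC_MANAGER_EXPECTATIONS):
    """Return a list of findings; an empty list means the profile is compliant."""
    findings = []
    for entry in ET.fromstring(xml_text).findall("entry"):
        name = entry.get("name")
        for section, allowed in expectations.items():
            node = entry.find(f"role/device/{section}")  # absent for Virtual System scope
            if node is None:
                findings.append(f"{name}: role/device/{section} is missing")
                continue
            for path, value in leaf_settings(node, section):
                if value not in allowed:
                    findings.append(f"{name}: {path}={value!r}, allowed {sorted(allowed)}")
    return findings
```

Run `audit_admin_role` over each profile in an export to catch a role that drifted to superreader or regained Device tab access after a later edit.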