Focus

Configure an Admin Role Profile

Table of Contents

Filter

Expand All | Collapse All

Next-Generation Firewall Docs

Getting Started
Administration
Version
- Cloud Management of NGFWs
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1 & Later
- PAN-OS 9.1 (EoL)
Networking
Version
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1 & Later
Incidents & Alerts
Release Notes
Version
- Cloud Management and AIOps for NGFW
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1
- PAN-OS 11.2
- PAN-OS 8.1 (EoL)
- PAN-OS 9.0 (EoL)
- PAN-OS 9.1 (EoL)

Administrative Role Types

Administrative Authentication

Configure an Admin Role Profile

Admin Role profiles enable you to define granular administrative access privileges to ensure protection for sensitive company information and privacy for end users.

As a best practice, create Admin Role profiles that allow administrators to access only the areas of the management interfaces that they need to access to perform their jobs.

You can create an Admin Role profile, specify that the role applies to Virtual System, and then select Web UI, for example, and choose the part of the configuration that the administrator can control within a virtual system. Click OK to save the Admin Role Profile. Then select DeviceAdministrators, name the role, select Role Based, enter the name of the Admin Role Profile, and select the virtual system that the administrator can control. The MGT interface doesn't give full access to the firewall; access is controlled by the Admin Role.

If the Admin Role Profile is based on Virtual System, that administrator won't have control over a virtual router. Only a subset of the Network options are available in a Virtual System role, and virtual router isn't one of the included options. If you want virtual router available in an Admin Role Profile, the role must be Device, not Virtual System. (You can define a superuser Administrator to have both Virtual System and Virtual Router access.)

You can create a second Admin Role Profile, specify that the role applies to Device, and then select portions under Network, such as Virtual Routers. Name the Admin Role Profile, and then apply it to a different administrator.

You might have different departments that have different functions. Based on the login, the administrator gets the right to control the objects enabled in the Admin Role Profile.

In summary, you can't define a Virtual System Admin Role profile that includes routing (Virtual Router). You can create two accounts to have these separate roles and assign them to two different users. An Administrator account can have only one Admin Role profile.

The MGT interface can have role-based access; it doesn't strictly provide full access to the device. The login account (Admin Role) is what gives a user rights or limited access to the objects, not the MGT interface.

Select DeviceAdmin Roles and click Add.
Enter a Name to identify the role.
For the scope of the Role, select Device or Virtual System.
In the Web UI and REST API tabs, click the icon for each functional area to toggle it to the desired setting: Enable, Disable, or Read Only. For the XML API, click the icon for each functional area to toggle it to the desired setting: Enable or Disable. For details on the Web UI options, see Web Interface Access Privileges.
Select the Command Line tab and select a CLI access option. The Role scope controls the available options:
- Device role—superuser, superreader, deviceadmin, devicereader, or None
- Virtual System role—vsysadmin, vsysreader, or None
Click OK to save the profile.
Assign the role to an administrator. See Configure a Firewall Administrator Account.

Administrative Role Types

Administrative Authentication

Next-Generation Firewall Docs

Configure an Admin Role Profile

Next-Generation Firewall Docs

Configure an Admin Role Profile

Activation & Onboarding

Next-Generation Firewalls

Cloud-Delivered Security Services

Network Security

Visibility & Monitoring

Best Practices

Experts Corner