Role‐Based Access Control
Role‐based access control (RBAC) allows you to specify the privileges and responsibilities accorded to every
administrative user. On Panorama, you can define administrative accounts with specific roles, profiles, or
Access Domains to regulate access to specific features on Panorama and the managed firewalls; these
options allow you to limit administrative access to only the firewalls and areas of the management interface
that each administrator requires to perform the job. By default, every Panorama server comes
pre‐configured with a default administrative account (admin) that provides full read‐write access (also
known as superuser access). As a best practice, create a separate administrative account for each person
who needs access to the administrative or reporting functions on Panorama. This provides better protection
against unauthorized configuration (or modification) and enables logging of the actions of each
administrator.
For every administrative user, you can also define an authentication profile that determines how the user's
access credentials are verified. To enforce more granular administrative access, use access domains to
restrict administrative access to a particular firewall, device group or template.
Administrative Roles
Authentication Profiles and Sequences
Access Domains
Administrative Authentication
Administrative Roles
The way you configure administrator accounts depends on the security requirements of your organization,
whether it has existing authentication services with which to integrate, and the administrative roles it
requires. A role defines the type of system access an administrator has. The role types are:
Dynamic Roles—These are built‐in roles that provide access to Panorama and managed devices. When
new features are added, Panorama automatically updates the definitions of dynamic roles; you never
need to manually update them. The following table lists the access privileges associated with dynamic
roles.
Dynamic Role: Privileges
Superuser: Full read‐write access to Panorama
Superuser (read‐only): Read‐only access to Panorama
Panorama administrator: Full access to Panorama except for the following actions:
• Create, modify, or delete Panorama or device administrators and roles.
• Export, validate, revert, save, load, or import a configuration in the Device > Setup > Operations page.
• Configure Scheduled Config Export functionality in the Panorama tab.
22 • Panorama 6.1 Administrator's Guide
Panorama Overview
© Palo Alto Networks, Inc.
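The per-person account guidance and the dynamic role table above can be checked against an administrator inventory. The following is an added example, not code from the guide or from Palo Alto Networks; the inventory format, field names and finding labels are assumptions, and the sample accounts are constructed.

```python
# Added example: audit a constructed administrator inventory against the
# guidance above. The record layout is hypothetical; it is not Panorama's
# configuration schema or API.

# Dynamic roles from the table above. The value records whether the role may
# create, modify, or delete administrators and roles.
CAN_MANAGE_ADMINS = {
    "Superuser": True,
    "Superuser (read-only)": False,
    "Panorama administrator": False,
}

ADMINS = [  # constructed sample data: account, role, people who log in with it
    {"account": "admin", "role": "Superuser", "users": ["alice", "bob"]},
    {"account": "alice", "role": "Panorama administrator", "users": ["alice"]},
    {"account": "noc-ro", "role": "Superuser (read-only)", "users": ["carol", "dave"]},
    {"account": "erin", "role": "Superuser", "users": ["erin"]},
    {"account": "frank", "role": "Auditor", "users": ["frank"]},
]


def audit(admins):
    """Return (account, finding) pairs in inventory order."""
    findings = []
    for entry in admins:
        account, role, users = entry["account"], entry["role"], entry["users"]
        if role not in CAN_MANAGE_ADMINS:
            # Not one of the dynamic roles listed above: review by hand.
            findings.append((account, "role-not-in-table"))
            continue
        if account == "admin" and users:
            # The pre-configured account has superuser access; people should
            # log in with their own accounts instead.
            findings.append((account, "default-account-in-use"))
        if len(users) > 1:
            # A shared login means logged actions cannot be tied to one person.
            findings.append((account, "shared-account"))
        if CAN_MANAGE_ADMINS[role]:
            # Keep the set of accounts that can alter administrators small.
            findings.append((account, "can-manage-admins"))
    return findings


if __name__ == "__main__":
    for account, finding in audit(ADMINS):
        print(f"{account}: {finding}")
```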