https://live.paloaltonetworks.com/t5/expedition-discussions/expedition-read-only-panorama-api-user/m-p/287315#M1964 <P>The best would be to have the limitations based on the API keys, so that Panorama won't allow changes to be pushed using that API key.</P> <P>&nbsp;</P> <P>That said, Expedition has some internal controls to set limitations on user roles.</P> <P>How can you use them?<BR />Create a user for those auditors with the "viewer" role assigned within the project.</P> <P>When retreiving the API keys from panorama, specify that the keys are only for "admin". Notice that then, the "viewer" users won't have an API key assigned.</P> <P>So, your auditors will be able to see the config in Expedition, but won't have credentials to make a push.</P> <P>Notice that you would require an "admin" user to pull the config.</P> Mon, 09 Sep 2019 10:08:41 GMT dgildelaig 2019-09-09T10:08:41Z https://live.paloaltonetworks.com/t5/expedition-discussions/expedition-read-only-panorama-api-user/m-p/285297#M1915 <P>Hello,</P> <P>&nbsp;</P> <P>I would like to have our InfoSec team use Expedition to audit/report/track changes on our firewalls. <STRONG>What's the best way to set them up so they can use Expedition, but not have any rights to modify or push changes to Panorama or the firewalls? </STRONG>Expedition v. 1.1.35.<BR /></P> <P>&nbsp;</P> <P>I've setup a Panorama user with XML API rights, but have found the user requires at least the "Operational Requests" and "<STRONG>Configuration</STRONG>" roles in order to download the firewall config files for analysis. Per this page, the "Configuration" role can also <STRONG>modify</STRONG> Panorama and the firewall configs, which we don't want to allow. <A href="https://docs.paloaltonetworks.com/pan-os/8-0/pan-os-web-interface-help/panorama-web-interface/panorama-admin-roles#" target="_blank" rel="noopener">https://docs.paloaltonetworks.com/pan-os/8-0/pan-os-web-interface-help/panorama-web-interface/panorama-admin-roles#</A></P> <P>&nbsp;</P> <P>Maybe there's a way within Expedition to limit this type of access? Or a different set of RBAC roles? Ideally, I'd be able to give InfoSec a Panorama read-only API key and they'd be admins/super-users in Expedition, as they will be the ones primarily using the tool.</P> <P>&nbsp;</P> <P>Thanks in advance for any suggestions.</P> Tue, 27 Aug 2019 15:25:39 GMT https://live.paloaltonetworks.com/t5/expedition-discussions/expedition-read-only-panorama-api-user/m-p/285297#M1915 TylerDoyle 2019-08-27T15:25:39Z https://live.paloaltonetworks.com/t5/expedition-discussions/expedition-read-only-panorama-api-user/m-p/287315#M1964 <P>The best would be to have the limitations based on the API keys, so that Panorama won't allow changes to be pushed using that API key.</P> <P>&nbsp;</P> <P>That said, Expedition has some internal controls to set limitations on user roles.</P> <P>How can you use them?<BR />Create a user for those auditors with the "viewer" role assigned within the project.</P> <P>When retreiving the API keys from panorama, specify that the keys are only for "admin". Notice that then, the "viewer" users won't have an API key assigned.</P> <P>So, your auditors will be able to see the config in Expedition, but won't have credentials to make a push.</P> <P>Notice that you would require an "admin" user to pull the config.</P> Mon, 09 Sep 2019 10:08:41 GMT https://live.paloaltonetworks.com/t5/expedition-discussions/expedition-read-only-panorama-api-user/m-p/287315#M1964 dgildelaig 2019-09-09T10:08:41Z https://live.paloaltonetworks.com/t5/expedition-discussions/expedition-read-only-panorama-api-user/m-p/287770#M1996 <P>Thanks for your reply and thoughts.</P> <P>&nbsp;</P> <P>I will see if there's a secure way to automate the admin-task of pulling the most recent XML configs from the firewalls into Expedition. That ability + using the RBAC setup inside Expedition sounds like it might accomplish what we're aiming for.</P> <P>&nbsp;</P> <P>&nbsp;</P> Tue, 10 Sep 2019 21:14:06 GMT https://live.paloaltonetworks.com/t5/expedition-discussions/expedition-read-only-panorama-api-user/m-p/287770#M1996 TylerDoyle 2019-09-10T21:14:06Z