https://live.paloaltonetworks.com/t5/panorama-discussions/how-can-we-limit-the-panorama-xml-api-access/m-p/582537#M2263 <P>Hello, did you find a solution to this? I'm trying to do the same thing to limit an admin account's XML API access to specific device groups. Unfortunately, it looks like using an Access Domain with "Device Group and Template" doesn't provide access to XML API. From what I see, it only provides access to Web GUI and REST API. Did you find a workaround for this? Thanks!</P> Wed, 03 Apr 2024 18:01:20 GMT jeremyafaulkner 2024-04-03T18:01:20Z https://live.paloaltonetworks.com/t5/panorama-discussions/how-can-we-limit-the-panorama-xml-api-access/m-p/556630#M1816 <P>How can we limit the Panorama XML API access ?</P> <P>How can we limit the Panorama XML API access ? We are using this XML API for Terraform and ansible automation. We want to give only access to few device group and we don't want to give access to all device group. please advice how can we achieve this. We checked in Admin roles in Panorama and we don't see much options to restrict to specific device group</P> <P><BR />Our request is - how can we restrict the API access to only certain device group.<BR />Wiki pages in the palo website doesn't have any information about how can we limit only to certain device group.</P> <P>I'm elaborating more with example here.</P> <P>device group - INETFW1<BR />device group - INETFW1<BR />device group - SNETFW1<BR />device group - SNETFW2</P> <P>we want to give only API XML access to INETFW1 and SNETFW1 device group ? how can we achieve this?</P> <P>what we need to have is a custom privilege to be restricted on to specific device group in Panorama XML API access.<BR />Please let us know how can we limit the panorama XML API access to specific device group?</P> Wed, 06 Sep 2023 02:46:14 GMT https://live.paloaltonetworks.com/t5/panorama-discussions/how-can-we-limit-the-panorama-xml-api-access/m-p/556630#M1816 ManojManoj 2023-09-06T02:46:14Z https://live.paloaltonetworks.com/t5/panorama-discussions/how-can-we-limit-the-panorama-xml-api-access/m-p/556647#M1821 <P>Hello&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/313840">@ManojManoj</a></P> <P>&nbsp;</P> <P>thanks for posting.</P> <P>&nbsp;</P> <P>This should be possible with Access Domains combined with Admin Roles. Here is documentation for reference:&nbsp;<A href="https://docs.paloaltonetworks.com/panorama/9-1/panorama-admin/panorama-overview/role-based-access-control/access-domains" target="_self">Access Domains</A>.</P> <P>&nbsp;</P> <P>Kind Regards</P> <P>Pavel</P> Wed, 06 Sep 2023 03:40:30 GMT https://live.paloaltonetworks.com/t5/panorama-discussions/how-can-we-limit-the-panorama-xml-api-access/m-p/556647#M1821 PavelK 2023-09-06T03:40:30Z https://live.paloaltonetworks.com/t5/panorama-discussions/how-can-we-limit-the-panorama-xml-api-access/m-p/557106#M1833 <P>Hi @Pavel,</P> <P>Please don't blindly answer without understanding the question mentioned here. <BR />Our requirement is to restrict the access via API and not via web gui or other ways. <BR />Did you check it in your lab system Panorama for restricting XML API access before you comment about this?<BR />Did you have previous experience dealing this XML API access restriction in Panorama?</P> <P>thanks</P> Fri, 08 Sep 2023 03:46:34 GMT https://live.paloaltonetworks.com/t5/panorama-discussions/how-can-we-limit-the-panorama-xml-api-access/m-p/557106#M1833 ManojManoj 2023-09-08T03:46:34Z https://live.paloaltonetworks.com/t5/panorama-discussions/how-can-we-limit-the-panorama-xml-api-access/m-p/557110#M1834 <P>Hello&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/313840">@ManojManoj</a></P> <P>&nbsp;</P> <P>thank you for reply.</P> <P>&nbsp;</P> <P>I read your post carefully before replying to you. I have been using access domain in the past only for GUI access. By reading your post the access domain came to my mind as possible solution. I checked the API documentation and this parameter is passed in the API call therefore I deemed this as possible:</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="PavelK_0-1694146484518.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/53533i41422CA0BF473AAD/image-size/medium?v=v2&amp;px=400" role="button" title="PavelK_0-1694146484518.png" alt="PavelK_0-1694146484518.png" /></span></P> <P>&nbsp;</P> <P>The answer to your second question, no, I have not verified it in the lab.</P> <P>&nbsp;</P> <P>Kind Regards</P> <P>Pavel</P> Fri, 08 Sep 2023 04:17:21 GMT https://live.paloaltonetworks.com/t5/panorama-discussions/how-can-we-limit-the-panorama-xml-api-access/m-p/557110#M1834 PavelK 2023-09-08T04:17:21Z https://live.paloaltonetworks.com/t5/panorama-discussions/how-can-we-limit-the-panorama-xml-api-access/m-p/582537#M2263 <P>Hello, did you find a solution to this? I'm trying to do the same thing to limit an admin account's XML API access to specific device groups. Unfortunately, it looks like using an Access Domain with "Device Group and Template" doesn't provide access to XML API. From what I see, it only provides access to Web GUI and REST API. Did you find a workaround for this? Thanks!</P> Wed, 03 Apr 2024 18:01:20 GMT https://live.paloaltonetworks.com/t5/panorama-discussions/how-can-we-limit-the-panorama-xml-api-access/m-p/582537#M2263 jeremyafaulkner 2024-04-03T18:01:20Z https://live.paloaltonetworks.com/t5/panorama-discussions/how-can-we-limit-the-panorama-xml-api-access/m-p/1238119#M2978 <P>Hello, have you confirmed if Access Domains combined with Admin Roles will work to limit API access to certain device groups?</P> <P>&nbsp;</P> <P>Thanks,</P> <P>Travis</P> Tue, 16 Sep 2025 21:26:02 GMT https://live.paloaltonetworks.com/t5/panorama-discussions/how-can-we-limit-the-panorama-xml-api-access/m-p/1238119#M2978 trjohnson 2025-09-16T21:26:02Z