topic Re: CLI: create admin role in General Topics

CLI: create admin role

mlanterm — Tue, 23 Nov 2021 15:05:21 GMT

Hi,

I'm struggling a bit to find an efficient way to create an admin role using the cli.

Let's say I want to create an admin role and grant it all rights that can be found in the "Web UI" tab when using the web interface.

Is there a command that basically does this?

set shared admin-role webadmin role device webui ALL

Right now the only way that I can see is a huge list of commands:

set shared admin-role webadmin role device webui acc
set shared admin-role webadmin role device webui dashboard
set shared admin-role webadmin role device webui monitor
set shared admin-role webadmin role device webui monitor logs
set shared admin-role webadmin role device webui monitor logs traffic enable
(repeat last line for all the items under logs)
(and for each and every other item in webui, it just keeps going...)

Maybe I'm overlooking something?

Re: CLI: create admin role

kiwi — Thu, 25 Nov 2021 14:05:38 GMT

Hi @mlanterm ,

Just creating an admin-role is cli is easy:

admin@PA-VM# set shared admin-role adminxdr role device webui

However, when you create your admin-role like this, all the roles will be disabled by default as opposed to when you create the admin-role through the GUI. If you create an admin-role through the GUI, all the roles are enabled by default (which is kinda inconsistent ... maybe check with support if this is considered a bug or a feature request 😉).

Below is en example of a CLI created admin-role ... all the roles are disabled by default.

You could create a script and copy/paste the bulk of lines by enabling scripting mode

username@hostname> set cli scripting-mode on

Hope this helps,

-Kiwi

Re: CLI: create admin role

Mudhireddy — Thu, 25 Nov 2021 16:14:39 GMT

You can try the below link to get the best practice configuration from GitHub for both FW and Panorama.

https://github.com/PaloAltoNetworks/iron-skillet/tree/panos_v10.0/loadable_configs/sample-set-commands

Re: CLI: create admin role

Tony.Vichai — Tue, 19 Jul 2022 06:40:39 GMT

Did you find a way other than scripting 80+ lines to enable all?

Re: CLI: create admin role

mlanterm — Tue, 19 Jul 2022 07:45:12 GMT

No, I'm afraid not. We sort-of worked around it by using Radius with domain accounts, and gave up on separate types of admins. So we have the local admin account as a break-glass emergency account, and for daily use it's domain accounts where Radius sends the "superuser" attribute along. In this setup there's no need to define custom admin roles.

Which is okay in our small team, where "yay everyone is a superuser" is "fine"...

But I still feel it's very counter-intuitive to script an admin role without wildcards and have it work the opposite way as the GUI.