https://live.paloaltonetworks.com/t5/general-topics/admin-roles/m-p/201709#M59589 <P>HA view needs to be enabled per user from the widget dropdown</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>Did you create an admin role with all sections set to readonly, or did you create a read-only superuser account (not a role)?</P> <P>A read-only superuser has access to everything, he's simply not allowed to change anything (superuser, still)</P> <P>&nbsp;</P> <P>if you want to restrict access to certain parts, you can create a role and disable access to what you don't want the user to see and read-only for what they are allowed to see</P> <P>the admin account needs to be changed from dynamic to role-based for this to work</P> Thu, 22 Feb 2018 07:50:12 GMT reaper 2018-02-22T07:50:12Z https://live.paloaltonetworks.com/t5/general-topics/admin-roles/m-p/201602#M59573 <P>Hi</P><P>&nbsp;</P><P>I created a 'read only' admin role, simple superuser priviledges, everything set to default.</P><P>&nbsp;</P><P>when i login with RO, the HA view for example dissappears, and the commit link is still present desite it being disabled within the Admin Role profile.</P><P>&nbsp;</P><P>I'm wondering if this is because we're using ISE...?</P><P>&nbsp;</P><P>Many thanks</P><P>Ajaz Nawaz</P><P>JNCIE-SEC No.254</P><P>CCIE-RS No.15721</P> Wed, 21 Feb 2018 14:55:21 GMT https://live.paloaltonetworks.com/t5/general-topics/admin-roles/m-p/201602#M59573 nawaza 2018-02-21T14:55:21Z https://live.paloaltonetworks.com/t5/general-topics/admin-roles/m-p/201709#M59589 <P>HA view needs to be enabled per user from the widget dropdown</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>Did you create an admin role with all sections set to readonly, or did you create a read-only superuser account (not a role)?</P> <P>A read-only superuser has access to everything, he's simply not allowed to change anything (superuser, still)</P> <P>&nbsp;</P> <P>if you want to restrict access to certain parts, you can create a role and disable access to what you don't want the user to see and read-only for what they are allowed to see</P> <P>the admin account needs to be changed from dynamic to role-based for this to work</P> Thu, 22 Feb 2018 07:50:12 GMT https://live.paloaltonetworks.com/t5/general-topics/admin-roles/m-p/201709#M59589 reaper 2018-02-22T07:50:12Z https://live.paloaltonetworks.com/t5/general-topics/admin-roles/m-p/201726#M59591 <P>Thanks Reaper</P><P>&nbsp;</P><P>In answer to your question I created a RO Admin role and disabled 'save' and 'commit' - I also set CLI to superrader</P><P>&nbsp;</P><P>Reaper can I ask if its possible to remove the 'commit' link for RO users.</P><P>&nbsp;</P><P>Regards</P><P>Ajaz</P> Thu, 22 Feb 2018 09:53:21 GMT https://live.paloaltonetworks.com/t5/general-topics/admin-roles/m-p/201726#M59591 nawaza 2018-02-22T09:53:21Z https://live.paloaltonetworks.com/t5/general-topics/admin-roles/m-p/201731#M59592 <P>hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/75157">@nawaza</a></P> <P>you can't remove the physical links as they are an integral part of the GUI, but you can restrict access to it by using the profile</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="commit permission.png" style="width: 399px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/13907iE9DE40D11E5FA89C/image-size/large?v=v2&amp;px=999" role="button" title="commit permission.png" alt="commit permission.png" /></span></P> <P>&nbsp;</P> Thu, 22 Feb 2018 09:54:24 GMT https://live.paloaltonetworks.com/t5/general-topics/admin-roles/m-p/201731#M59592 reaper 2018-02-22T09:54:24Z