https://live.paloaltonetworks.com/t5/general-topics/add-ldap-group-as-administrator/m-p/260754#M73913 <P>All -</P><P>&nbsp;</P><P>So, I know how to add individual LDAP users as local appliance / Panorama administrators.&nbsp; What I'm wondering is, is it possible to add an LDAP group as an administrator, instead of enumerating each user individually?&nbsp; So, instead of manually enumerating "mark", "bob", "jim" and the 10 other people I want to administer a given box, can I add those users to an LDAP group and tell the firewall to allow anyone within that group to be a device administrator?</P><P>&nbsp;</P><P>Should this be a feature request, if it is not possible today?</P><P>&nbsp;</P><P>Thanks in advance!</P><P>&nbsp;</P><P>&nbsp;</P><P>Mark</P> Mon, 13 May 2019 15:04:15 GMT MarkRosenecker 2019-05-13T15:04:15Z https://live.paloaltonetworks.com/t5/general-topics/add-ldap-group-as-administrator/m-p/260754#M73913 <P>All -</P><P>&nbsp;</P><P>So, I know how to add individual LDAP users as local appliance / Panorama administrators.&nbsp; What I'm wondering is, is it possible to add an LDAP group as an administrator, instead of enumerating each user individually?&nbsp; So, instead of manually enumerating "mark", "bob", "jim" and the 10 other people I want to administer a given box, can I add those users to an LDAP group and tell the firewall to allow anyone within that group to be a device administrator?</P><P>&nbsp;</P><P>Should this be a feature request, if it is not possible today?</P><P>&nbsp;</P><P>Thanks in advance!</P><P>&nbsp;</P><P>&nbsp;</P><P>Mark</P> Mon, 13 May 2019 15:04:15 GMT https://live.paloaltonetworks.com/t5/general-topics/add-ldap-group-as-administrator/m-p/260754#M73913 MarkRosenecker 2019-05-13T15:04:15Z https://live.paloaltonetworks.com/t5/general-topics/add-ldap-group-as-administrator/m-p/260818#M73932 <P>Not directly as an LDAP group, but it can be done with RADIUS:</P><P>&nbsp;</P><P><A href="https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/authentication/configure-radius-authentication.html" target="_blank">https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/authentication/configure-radius-authentication.html</A></P><P>&nbsp;</P><P>Essentially, you're creating a Vendor Specific Attribute for the users that you want to assign as a device admin, superuser, super reader, etc. It's definitely more work than being able to specify a group, so a filing a feature request with your account team would still be a good idea.</P> Mon, 13 May 2019 20:15:33 GMT https://live.paloaltonetworks.com/t5/general-topics/add-ldap-group-as-administrator/m-p/260818#M73932 gwesson 2019-05-13T20:15:33Z