Expedition was conceived to reduce the time and efforts a security admin needs to improve and optimize their Palo Alto Networks configurations. Following that effort, we have added, within Expedition, support not only to run a BPA analysis if not also be able to remediate some of the failed checks (all related to Device Config) and now integration with the project IronSkillet. https://github.com/PaloAltoNetworks/iron-skillet
Expedition comes with a framework to manage the Role-Based Access Control, this will help you to add users with different level of privileges.
1) Expedition User Roles:
a) Super User: This Role allows the User to manage everything on Expedition
b) Admin: This Role allows the user to Create projects and devices but cannot change system settings or add new users
c) User: This Role allows the user only to enter on Expedition and see projects and devices where has been granted access.
View of adding a new user to Expedition
2) Project User Roles:
When a project is created by an Expedition Super-User or Admin, this can be edited by clicking on Settings
View of Expedition Project Settings
From the Settings window, we can add Expedition Users to the Project. Inside the Project, we have different Roles:
a) admin: This Role can change the Project Settings and modify all the content within it.
b) user: This Role can edit the project contents but it cannot change the project settings to add more devices or users to the project.
c) viewer: This Role is for read-only purposes. Doesn't have any privileges to change nothing inside the project or manage the project settings.
View of Edit Project panos to add Expedition users.
As an example, you can create a new Expedition user with Role (User) and attach this user to one Project as (admin), in this case the User be able to manage only the project and the content but it will be unable to add more projects, devices or users to Expedition.
Hope this helps to clarify how to assign Roles.