Admin Role & Dashboard Log Widgets

Reply
Highlighted
L4 Transporter

Admin Role & Dashboard Log Widgets

So, I'm teaching a PAN-EDU-201 class this morning and when we were discussing the Admin Roles, one of my students asked a question about the Dashboard Log Widgets. The question was, if I create an Admin Role and disable the Monitor Tab (which disables all of the log file access under the Monitor tab) would the Dashboard Log Widgets be disabled? So, we proceeded to do a test.  The results... The Dashboard Log Widgets do NOT get disabled and continue to update the log entries.

Any thoughts??

Thanks,

Jeff

Highlighted
L6 Presenter

Re: Admin Role & Dashboard Log Widgets

I guess the dashboard isnt more grunlar than enabled/disable according to the manual:

set shared admin-role <name> description <value> role device webui dashboard {disable | enable}

What about if you do the other way around?

Create a user which has everything disabled except the "dashboard" which is enabled, will this user still be able to view the logs through the widget?

If yes I think you should file this as a bugreport.

I agree with you that even if the dashboard itself has its own role it should still not allow the user to "backdoor" into various information such as the logs (if the logs are disabled for this user) through the log widget.

Highlighted
L4 Transporter

Re: Admin Role & Dashboard Log Widgets

Jeff I understand the question the student asked.  I think it was a great question. But I think I disagree with mikand.

You are disabling access to the logs via your roles, but I would not expect it to disable the widgets. Why would you feel this is appropriate?

"Under the hood", the logging functionality would be working.  The user cannot access the logs directly, cannot clear the logs, cannot filter on the logs.

So, I think I am trying to ask:  Why would this be unexpected behavior, when the role appears to be functioning as engineered. Thoughts?

Highlighted
L6 Presenter

Re: Admin Role & Dashboard Log Widgets

That is because if I disable access to the logs for this particular user I wouldnt be to happy to see that this user can still backdoor into this loginformation via widgets, or the REST api or whatever other entrypoints towards the logs there might be.

Highlighted
L4 Transporter

Re: Admin Role & Dashboard Log Widgets

I totally agree with mikand... If I am going through the trouble of disabling the Log under the Monitor tab then, that means I don't want the user to see any log information regardless if they can't filter or clear the logs. There's a reason I'm creating this role and eliminating the logs so, PAN should carry it through to all screens that display log info.

Thanks,

Jeff

Highlighted
L4 Transporter

Re: Admin Role & Dashboard Log Widgets

See, that is why Mikand is a great resource!  Just looking at things from a different point of view, and now, yes, I agree with what is being stated.  Personally, I would be from a point that they cannot clear the logs, filter, etc, but still be OK with seeing the widgets. Every environment is different.    Open the TAC case, and see if it is a bug, or a feature request. Let me know.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!