Unable to Access Configuration Management Using Role-Based Admins

by nrice on ‎02-27-2012 01:41 PM - edited on ‎05-03-2016 06:17 AM by Community Manager (4,175 Views)

Issue

A Palo Alto Networks firewall administrator account is configured with a custom Admin Role defined with full web UI access. However, this administrator account is unable to access the Configuration Management menu under the Device > Setup > Operations tab.

 

From PAN-OS 5.0 and above: 

The Configuration Management section is available. However, only configuration validation can be performed:

Operations.PNG.png

From PAN-OS 7.0 and above:

The Configuration Management section is available. However, only configuration Load, Save and Revert can be performed:

2016-05-03_15-13-38.jpg

 

Cause

Due to security concerns, if a Palo Alto Networks device administrator is allowed to export the configuration, the password hashes of the other admins would have to be sanitized. However, if the configuration is sanitized it cannot be used as a backed up version since it is not a complete configuration. Because of this scenario, the option shown above is not available to role-based admins.

 

Resolution

Login to a full superuser account in order to access the complete Configuration Management features:
5.png

 

owner: ggarrison

Comments
by marshfieldclinic
on ‎06-19-2012 07:51 PM

Is this a "won't fix, use workaround" type of issue or something actively being addressed as a FR?  I've got role-based authorization configured and this is really inconvenient.  A few of the things I'm not able to do are the above as well as change contexts in panorama and do certain software update procedures in the system tab.  I can use local superuser accounts, however, that means I can't centrally manage and maintain them...

by sebastianvd
on ‎08-13-2013 02:19 AM

I totally agree with above. This is really unwanted behaviour and unmanageable.

Ignite 2018, Amsterdam, Netherlands
Ask Questions Get Answers Join the Live Community
Contributors