Admin Role & Dashboard Log Widgets

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Admin Role & Dashboard Log Widgets

L4 Transporter

So, I'm teaching a PAN-EDU-201 class this morning and when we were discussing the Admin Roles, one of my students asked a question about the Dashboard Log Widgets. The question was, if I create an Admin Role and disable the Monitor Tab (which disables all of the log file access under the Monitor tab) would the Dashboard Log Widgets be disabled? So, we proceeded to do a test.  The results... The Dashboard Log Widgets do NOT get disabled and continue to update the log entries.

Any thoughts??

Thanks,

Jeff

5 REPLIES 5

L6 Presenter

I guess the dashboard isnt more grunlar than enabled/disable according to the manual:

set shared admin-role <name> description <value> role device webui dashboard {disable | enable}

What about if you do the other way around?

Create a user which has everything disabled except the "dashboard" which is enabled, will this user still be able to view the logs through the widget?

If yes I think you should file this as a bugreport.

I agree with you that even if the dashboard itself has its own role it should still not allow the user to "backdoor" into various information such as the logs (if the logs are disabled for this user) through the log widget.

L4 Transporter

Jeff I understand the question the student asked.  I think it was a great question. But I think I disagree with mikand.

You are disabling access to the logs via your roles, but I would not expect it to disable the widgets. Why would you feel this is appropriate?

"Under the hood", the logging functionality would be working.  The user cannot access the logs directly, cannot clear the logs, cannot filter on the logs.

So, I think I am trying to ask:  Why would this be unexpected behavior, when the role appears to be functioning as engineered. Thoughts?

That is because if I disable access to the logs for this particular user I wouldnt be to happy to see that this user can still backdoor into this loginformation via widgets, or the REST api or whatever other entrypoints towards the logs there might be.

I totally agree with mikand... If I am going through the trouble of disabling the Log under the Monitor tab then, that means I don't want the user to see any log information regardless if they can't filter or clear the logs. There's a reason I'm creating this role and eliminating the logs so, PAN should carry it through to all screens that display log info.

Thanks,

Jeff

L4 Transporter

See, that is why Mikand is a great resource!  Just looking at things from a different point of view, and now, yes, I agree with what is being stated.  Personally, I would be from a point that they cannot clear the logs, filter, etc, but still be OK with seeing the widgets. Every environment is different.    Open the TAC case, and see if it is a bug, or a feature request. Let me know.

  • 2868 Views
  • 5 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!