I have created a role-based admin account with all rights enabled for the Web UI and superuser rights enabled for the CLI.
After logging in to the Web UI using this account, under Device -> Setup -> Operations, the reboot/shutdown operations are not displayed, so I cannot reboot the device via the Web UI.
If I go to the CLI (using the same account), I can easily do a reboot (by "request restart system").
Does anybody have an idea if this is a bug or a feature?
The rights required to use Device > Setup > Operations are at the superuser level, and there is no way to create a custom Admin Role with superuser privilege. If you need these rights, you should use the superuser dynamic role instead, since you are giving superuser rights in the CLI anyway. If you look at the "Role" setting in the admin role, it will be set to "Device", which means the admin has rights equivalent to a deviceadmin.
We are looking into eliminating offering "superuser" or "superreader" rights on the CLI under the custom admin role since it does not make sense to allow this escalation of privilege when logging in via CLI for the same admin who is a web interface deviceadmin.
Thanks Mike for the quick answer.
The reason for using a custom Admin Role instead of a dynamic role is that I want to disable displaying of username and/or client ip address information in the logs and reports.
This is for privacy protection reasons; we are not allowed to give our Operations access to this information. On the other hand, they should be able to reboot the system in case of an emergency.
Any idea how to accomplish this?
Under Admin Roles in Panorama
I created role-based authentication on a Panorama M100 running 8.1.9 with an Admin Role giving it full access.
Under the Role tab I checked Panorama and pushed that to all the firewalls.
Still, I do not see the option to reboot or shut down the firewall or generate the tech support file.
Will this be fixed in a new PAN-OS release?