Support Portal User Role Matrix

jasfree
L1 Bithead


Hi Community,

 

We are experiencing a strange phenomenon on our PA-7050.

We recently upgraded from 7.1.4 to 8.0.8 and have the following problem:

  1. User with securityadmin rights cannot save changes made on the firewall. They are receiving "You don't have permission to save configuration."
  2. Users with the superuser roles cannot make changes to Administrators Group.
  3. Users with the superuser role only have Read Only on the Admin Role Profile.

Has anyone else experienced this? Does anyone know what I need to do to correct this problem?

 

Regards,

 

Jasper Freeman

BPry
Cyber Elite

@jasfree,

1) What changes were the users with securityadmin trying to make? There are a number of things that a securityadmin is not allowed to modify. If another admin was currently working on changes that the securityadmin did not have rights to, then you could see this issue present itself.

 

2) I would call TAC on this problem; the Superuser role is built in and you are not allowed to modify it, you should therefore have access to whatever you need. The only objection to this would be if they had the Superuser (read-only) Role assigned, which may be the case reading your final question.

 

3) This seems odd but could have happened during the 8.0 update. Using a user with the Superuser Role you should be able to give everyone the proper Role back. 

 

jasfree
L1 Bithead

@BPry,

 

We did open a TAC ticket.

 

What we noticed after the update was that even though the Profile securityadmin had the rights to save, it did not work. It's as if the User could not save his own context.

 

Before the update, the admin could save his work (in his user context) and when a commit was performed then the changes were written to the running config. After the update, the admin can commit changes, but the save always returns a permission denied.

 

We are currently investigating other possible areas. Since we use ACS for the securityadmin authentication and Active Directory for superadmin authentication, we are checking to see if there are any changes that have an effect on the login.

 

I guess I will have to wait for the TAC response.

 

Thanks anyway.

 

Regards,

 

Jasper Freeman
