05-15-2024 06:01 AM
Hi
Our customer has a PA-440 firewall deployed with HA, and we have a request about the creation of a user account that has full access to the device over the Web UI but can't change, delete, or change the password of the admin account.
Is it possible? And how can we do that?
05-15-2024 06:17 AM
Hi @Abdelhak ,
You can create a new administrator account. https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/firewall-administration/manage-firewall-ad...
While you are logged in as admin, you cannot modify the admin account. You will have to create a new administrator account, log in with it, and then you will be able to change or delete the default admin account.
Thanks,
Tom
05-15-2024 06:23 AM
Hi Tom,
Our need is to create a new admin account other than the default, but when we sign in using it we should not be able to delete or modify the password of the default admin account.
Is it possible?
05-15-2024 06:31 AM
Yes, but what exactly are you trying to give them permission to do? Do you want to have them have the ability to make changes to the configuration outside of modifying other administrators or do they just need to read the configuration?
If it's just reading the configuration then grant a read-only role that meets what you want them to do, otherwise you'll need to build a custom role and ensure that administrators and admin roles are read-only and set the XML, CLI, and REST access appropriately. If they only need GUI access just disable access to everything else.
05-15-2024 06:40 AM
Hi
Our customer needs to create another admin account that has the same rights as the default one, to give it to other administrators for managing the device, but they can't modify or change the password of the default admin account actually used by the main administrator of the site.
Is it possible? And how can we do that?
05-15-2024 06:54 AM
So with those requirements a custom role assigned to the user is the only way. Build out a custom role and assign it to the created administrator account. The role will need to have 'Administrators' and 'Admin Roles' set to read-only; this is the default status on a custom role that has Device access enabled, so you'll just need to review everything else.
Keep in mind that this doesn't prevent them from loading a modified configuration file directly and committing it; it just prevents them from modifying things by normal means. You'll have more control over the GUI than you will with the XML, CLI, or REST settings. I would personally highly recommend disabling access to those three for this user, ensuring that 'Administrators' and 'Admin Roles' are set to read-only, and setting the 'Operations' tab to read-only so that the user couldn't upload and load a modified configuration file directly.
05-15-2024 07:33 AM
Thank you @Abdelhak !
I misunderstood.
05-15-2024 07:35 AM
Hi @Abdelhak ,
Maybe the built-in Device Administrator role fits the bill? https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/firewall-administration/manage-firewall-ad...
Thanks,
Tom