08-27-2019 08:21 AM - edited 08-27-2019 08:25 AM
Hello,
I would like to have our InfoSec team use Expedition to audit/report/track changes on our firewalls. What's the best way to set them up so they can use Expedition, but not have any rights to modify or push changes to Panorama or the firewalls? Expedition v. 1.1.35.
I've setup a Panorama user with XML API rights, but have found the user requires at least the "Operational Requests" and "Configuration" roles in order to download the firewall config files for analysis. Per this page, the "Configuration" role can also modify Panorama and the firewall configs, which we don't want to allow. https://docs.paloaltonetworks.com/pan-os/8-0/pan-os-web-interface-help/panorama-web-interface/panora...
Maybe there's a way within Expedition to limit this type of access? Or a different set of RBAC roles? Ideally, I'd be able to give InfoSec a Panorama read-only API key and they'd be admins/super-users in Expedition, as they will be the ones primarily using the tool.
Thanks in advance for any suggestions.
