Configure internal and external services for account administration.Palo Alto Networks Study Guide v10
Administrative Role Types
Role Based: These roles are created by the administrator by selecting what permissions each role has. These must be updated anytime new features are added to the firewall.
Dynamic: These roles are pre-defined and are dynamically updated as the software is upgraded.
- Superuser: Full access, including creation of new administrators and virtual systems. You must be a superuser to create a new superuser.
- Superuser (read-only): Read-only access to the firewall
- Virtual system administrator: Full access to a single virtual system (vsys)
- Virtual system administrator (ready-only): Read-only access to a selected vsys.
- Device administrator: Full access except for defining new accounts or vsys
- Device administrator (read-only): Read-only access to all settings except password profiles and administrator accounts
External accounts: accounts that don’t rely on the local database can be authenticated by the following:
Authentication Sequence: Admin roles for external accounts can be assigned an authentication sequence. A sequence contains one or more authentication profiles. A user is denied ONLY if all profiles in a sequence fail.
Password Complexity: For security, administrator passwords should have password complexity rules enabled under Setup>Management
Configuration Logs: These logs contain a listing of configuration changes and which account made them.