Palo Alto Networks Knowledgebase: Device Administrator configuration regarding the Save function in PAN-OS 8.0 and earlier
Device Administrator configuration regarding the Save function in PAN-OS 8.0 and earlier
Created On 02/08/19 00:04 AM - Last Updated 02/08/19 00:04 AM
The behaviors of Device Administrator roles have changed in PAN-OS 8.0 to have different expected behaviors when it comes to users' access under the Device tab. The Save functionality has now been specifically added separately to where the control of allowing Device Administrators to only Save (instead of allowing all features under the Operations tab) has been isolated.
Previously in PAN-OS 7.1 and earlier, for a Device Administrator (non-Superuser) to be able to Save Configuration via the Save icon in the top-right corner of the WebGUI, the Device tab had to be allowed and the functionality of Device > Setup > Operations had to be Enabled for the user
The above configuration shows the bare minimum requirements for the Save icon in PAN-OS 7.1 and earlier to be present, but it also means that any Device Admins would also have the right to Load configs, import/export, etc. as allowed in Operations.
If attempting to save as a Device Administrator in PAN-OS 7.1 without the Device tab enabled (or, specifically, Device > Setup > Operations enabled) as shown above, users would notice the Save icon had completely disappeared from their available icons entirely
In PAN-OS 8.0 the process has changed to where users can be denied access to the Device tab entirely and still retain functionality of the Save/Revert feature under the Config icon in the top right.
The functionality of the Save feature in PAN-OS 8.0 has been completely isolated from the previously-dependent Operations section under Device. The option for Save For Other Admins can be denied as well and only allow user to Partial Save for the options they themselves have made.
If a Device Administrator in PAN-OS 8.0 has had the Save feature Disabled, the Config icon still remains in the top right corner unlike PAN-OS 7.1 and earlier, however functionality is denied and the below error message is presented to the user: