Issue
A Palo Alto Networks firewall administrator account is configured with a custom Admin Role defined with full web UI access. However, this administrator account is unable to access the Configuration Management menu under the Device > Setup > Operations tab.
From PAN-OS 5.0 and above:
The Configuration Management section is available. However, only configuration validation can be performed:
From PAN-OS 7.0 and above:
The Configuration Management section is available. However, only configuration Load, Save and Revert can be performed:
Cause
Due to security concerns, if a Palo Alto Networks device administrator is allowed to export the configuration, the password hashes of the other admins would have to be sanitized. However, if the configuration is sanitized it cannot be used as a backed up version since it is not a complete configuration. Because of this scenario, the option shown above is not available to role-based admins.
Resolution
Login to a full superuser account in order to access the complete Configuration Management features:
owner: ggarrison