How to create a new user and assign a role to it using API in PAN-OS
Created On 01/27/23 02:59 AM - Last Modified 11/06/25 20:42 PM
Symptom
A role cannot be assigned to the new user using the API, but the role can be assigned using the CLI.
Environment
- Any PAN-OS
- Palo Alto Firewall.
Resolution
>Generate an API key by making a GET or POST request to the firewall’s hostname or IP address using the administrative credentials:
- https://<firewall>/api/?type=keygen&user=<username>&password=<password>
>Create the new user with an API request that sets the admin user configuration (without a role):
- https://10.129.163.179/api/?type=config&action=set&key=YOURKEY&xpath=/config/mgt-config/users/entry[@name='USERNAME']&element=<phash>PASSWORD</phash>
e.g., https://10.129.163.179/api/?type=config&action=set&key=3S3NzRHNPSFZYMnM9MkEzM3lDRzVYWkFmSW5Jd0JIdzFuWnJlQ3dHcW9EQlFSSzZRVWtYZE&xpath=/config/mgt-config/users/entry[@name='test']&element=<phash>test123</phash>
>We can confirm the changes on the firewall using the preview commit:
>The new user is not visible in the firewall GUI until a role has been assigned to it, but it can be verified using the CLI and the GUI API:
- show mgt-config users
- set mgt-config users test permissions role-based superuser yes (any other role can be chosen instead)
>To confirm the role, check the CLI and the firewall GUI.
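The steps above as request builders, in an added Python example that is not part of the original article: the credentials and API key travel in the POST body and the X-PAN-KEY header (PAN-OS 9.0 and later) instead of the URL, and the user name is validated before it is placed in the XPath. The role XPath and element are an assumption derived from the CLI command above; the name pattern, role set, host and key values are constructed.

```python
# Added example (not from the original article): builds the requests only; nothing is sent.
import re
from urllib.parse import parse_qsl, urlencode
from urllib.request import Request
from xml.sax.saxutils import escape

NAME_RE = re.compile(r"[A-Za-z0-9._-]{1,31}")  # assumption: conservative name allowlist
YES_ROLES = {"superuser", "superreader"}        # assumption: roles that are set with "yes"

def keygen_request(host, user, password):
    """type=keygen with the credentials in the POST body, not the query string."""
    body = urlencode({"type": "keygen", "user": user, "password": password})
    return Request(f"https://{host}/api/", data=body.encode(), method="POST")

def config_set_request(host, api_key, xpath, element):
    """type=config&action=set; the key goes in the X-PAN-KEY header, not key= in the URL."""
    body = urlencode({"type": "config", "action": "set",
                      "xpath": xpath, "element": element})
    return Request(f"https://{host}/api/", data=body.encode(),
                   headers={"X-PAN-KEY": api_key}, method="POST")

def user_xpath(name):
    """XPath of one admin entry; rejects quotes and brackets that would alter the XPath."""
    if not NAME_RE.fullmatch(name):
        raise ValueError(f"unsafe user name: {name!r}")
    return f"/config/mgt-config/users/entry[@name='{name}']"

def create_user_request(host, api_key, name, phash):
    return config_set_request(host, api_key, user_xpath(name),
                              f"<phash>{escape(phash)}</phash>")

def assign_role_request(host, api_key, name, role="superuser"):
    # Assumption: XPath and element mirror the CLI "permissions role-based <role> yes".
    if role not in YES_ROLES:
        raise ValueError(f"unsupported role: {role!r}")
    return config_set_request(host, api_key, user_xpath(name) + "/permissions/role-based",
                              f"<{role}>yes</{role}>")

def body_fields(req):
    """Decode a built request's form body for inspection."""
    return dict(parse_qsl(req.data.decode()))

if __name__ == "__main__":
    # Constructed values; 192.0.2.1 is a documentation address.
    for r in (create_user_request("192.0.2.1", "EXAMPLE-KEY", "test", "EXAMPLE-PHASH"),
              assign_role_request("192.0.2.1", "EXAMPLE-KEY", "test")):
        print(r.get_method(), r.full_url, body_fields(r))
```

Each returned object can be passed to `urllib.request.urlopen` with certificate verification left enabled.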