This topic outlines the required permissions for a Palo Alto Networks least-privileged user (LPU).

In order to use all the features of the management pack, an Admin Role associated with the monitoring user must have the following XML API permissions:

  • Operational Requests

  • Logs

  • Configuration

To assign the permissions in the Palo Alto Networks Web UI:

  1. Select Device > Admin Roles to define your Admin Role profile.

  2. Select your defined Admin Role.

  3. In the Admin Role Profile window, click the XML API tab, and ensure Log, Configuration, and Operational Requests permissions are enabled.

    Note:

    Web UI and Command line permissions are not required.

Permissions Limitations

  • If only Operational Requests and Configuration are specified, the collector will not return threat events. This is not a recommended configuration, but Test Connection will pass with a failing optional test.