This topic outlines the required permissions for a Palo Alto Networks least-privileged user (LPU).

To use all the features of the management pack, the Admin Role associated with the monitoring user must have the following XML API permissions:

  • Operational Requests
  • Logs
  • Configuration

To assign the permissions in the Palo Alto Networks Web UI:

  1. Select Device > Admin Roles to define your Admin Role profile.


  2. Select your defined Admin Role.
  3. In the Admin Role Profile window, click the XML API tab, and ensure Log, Configuration, and Operational Requests permissions are enabled.

    Note: Web UI and Command line permissions are not required.


Permissions Limitations

  • If only Operational Requests and Configuration are specified, the collector will not return threat events. This is not a recommended configuration, but Test Connection will pass with a failing optional test.
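One way to check an exported Admin Role against the requirements above before running Test Connection (an added example, not part of the management pack or Palo Alto Networks documentation). The element names under `role/device` (`xmlapi`, `op`, `log`, `config`, `cli`, `webui`) are an assumption about how the role appears in the exported configuration, and the role name and sample values are constructed.

```python
import xml.etree.ElementTree as ET

# XML API permissions this page requires, keyed by the element name
# assumed in the exported Admin Role configuration.
REQUIRED = {"op": "Operational Requests", "log": "Logs", "config": "Configuration"}

# Constructed sample role, not taken from a real device: Logs is left
# disabled, and Commit plus a CLI role are granted although not needed.
SAMPLE_ROLE = """
<entry name="mp-monitor-lpu">
  <role><device>
    <xmlapi>
      <report>disable</report>
      <log>disable</log>
      <config>enable</config>
      <op>enable</op>
      <commit>enable</commit>
      <user-id>disable</user-id>
    </xmlapi>
    <cli>devicereader</cli>
  </device></role>
</entry>
"""

def audit_role(role_xml):
    """Return (missing_required, extra_xmlapi, unneeded_access) for one role."""
    device = ET.fromstring(role_xml).find("./role/device")
    if device is None:
        raise ValueError("no role/device element in Admin Role entry")
    xmlapi = device.find("xmlapi")
    enabled = set()
    if xmlapi is not None:
        enabled = {e.tag for e in xmlapi if (e.text or "").strip() == "enable"}
    missing = sorted(label for tag, label in REQUIRED.items() if tag not in enabled)
    extra = sorted(enabled - set(REQUIRED))
    # Per the note above, Web UI and command line permissions are not required.
    other = []
    cli = device.find("cli")
    if cli is not None and (cli.text or "").strip():
        other.append("cli")
    webui = device.find("webui")
    if webui is not None and any((e.text or "").strip() == "enable" for e in webui.iter()):
        other.append("webui")
    return missing, extra, other

if __name__ == "__main__":
    missing, extra, other = audit_role(SAMPLE_ROLE)
    print("missing required:", missing)
    print("extra XML API:", extra)
    print("unneeded access:", other)
```

A role that reports `Logs` as missing matches the limitation described above: the collector will not return threat events.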

What to do next

Installing the Management Pack (Palo Alto Networks)