A superuser is tasked with creating administrator accounts for three contractors. For compliance purposes, all three contractors will be working with different device-groups in their hierarchy to deploy policies and objects.
Which type of role-based access is most appropriate for this project?
The most appropriate role-based access for this project is to create a Custom Panorama Admin. This role allows for extensive flexibility in controlling what administrators can access and configure through the Panorama interface or CLI. Since the contractors need to work with different device-groups to deploy policies and objects, a Custom Panorama Admin role can be tailored to give them specific rights related to device groups without providing unnecessary permissions. This ensures compliance and efficient role management.
C: Administrator Type ->Device Group and Templete admin(select Access Domain & Administrator Role) D: Custom Panorama admin (just can select Admin Role profile)
Wrong, Custom Panorama admin allows you to create a new admin profile and assign specific rights such as Device Group
This question was on the exam.. Nov 2023
Another poorly worded question - I am thinking D - https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/firewall-administration/reference-web-interface-administrator-access#id30fd7bf6-c7af-45b4-9477-77a03c49acd8
I am going for C. Take a look here: https://docs.paloaltonetworks.com/panorama/11-0/panorama-admin/set-up-panorama/set-up-administrative-access-to-panorama/configure-an-admin-role-profile#idf54b7aab-e379-4a34-b82b-b8165586ce53
I stand corrected - C
Leaning towards c
C appears correct
Most appropriate is C. Custom Panorama Admin: Custom Panorama Admin roles allow you to customize the elements of Panorama that an administrator can access. You can hide tabs in the web interface, you can set specific items in Panorama to read-only, or you can limit an administrator’s access to Panorama plugins. Custom Panorama Admin roles require planning and configuration, but they provide extensive flexibility because you can control what administrators can access through the web interface or the CLI. Device Group and Template Admin: Device Group and Template Admin roles also require configuration because there are no built-in examples. These Admin Roles allow you to define which Panorama templates or Panorama device groups an administrator can access and configure. You can hide tabs in the web interface or set specific items to read only to control what administrators can configure.
It´s C, tested in the lab.
The question states: all three contractors will be working with different device-groups in their hierarchy to deploy policies and objects. Policies and Objects = Device Groups C is wrong because it gives more privileges (in this case, access to Template = Network + Device) B allows you to be more granular and only gran access to the Device Group section.
By more granular, I mean you can create and assign and admin profile with restricted rights under the Custom Panorama admin option
C. Tested in the lab.