Configure Administrative Access to the ESM Console Using the DB Configuration Tool

When you install the ESM Console, you specify the administrative account and type of authentication (machine or domain) that you will use for initial access to the ESM Console. From the ESM Console, you can then configure role-based access control to define Administrative Roles to assign to Administrative Users (and/or groups). This enables you to enforce the separation of information among functional or regional areas of your organization to protect the privacy of data on the ESM Console. For more information, see Manage Administrator Access to the ESM Console .
If after setting up role-based access you have difficulty accessing the ESM Console and need to verify or change administrative account settings, you can use a command line interface (CLI) called the DB Configuration Tool. This allows you to manage basic ESM Console settings including the administrative users that have access to the ESM Console, and the authentication mode by which to authenticate them. The DB Configuration Tool does not validate or authenticate the users and only provides a mechanism for making changes when you cannot do so using the ESM Console.
To enforce role-based access control, use the ESM Console to make changes to administrative access, when possible.
You can access the DB Configuration Tool using a Microsoft MS-DOS command prompt that you run as an administrator. The DB Configuration Tool is located in the Server folder on the ESM Server.
All commands you run using the DB Configuration Tool are case sensitive.
  1. Open a command prompt as an administrator in either of two ways:
    • Select StartAll ProgramsAccessories, right-click Command prompt, and then select Run as administrator.
    • Select Start and, in the Start Search box, type cmd but do not press Enter, yet. Then, to open the command prompt as an administrator, press Ctrl+Shift+Enter.
  2. Navigate to the folder that contains the DB Configuration Tool:
    C:\Users\Administrator> cd C:\Program Files\Palo Alto Networks\Endpoint Security Manager\Server
  3. (Optional) View the existing administrator settings:
    C:\Program Files\Palo Alto Networks\Endpoint Security Manager\Server> dbconfig usermanagement show
    AuthMode = Machine
    AllowedUsers = Administrator
    AllowedGroups =
  4. (Optional) Specify the authentication mode: either domain or machine.
    C:\Program Files\Palo Alto Networks\Endpoint Security Manager\Server> dbconfig usermanagement AuthMode [domain|machine]
  5. (Optional) Add an administrative user.
    C:\Program Files\Palo Alto Networks\Endpoint Security Manager\Server> dbconfig usermanagement AllowedUsers <newuser>
    Repeat this step to add additional administrative users. The DB Configuration Tool appends the usernames to the existing list of administrative users.
    To remove administrative users, you must use the ESM Console.

Related Documentation