Good morning, as always thank you very much for the support, help and collaboration with my doubts.
I have a question. For example, if in Panorama I have the following:
Panorama: 2 superadmin accounts, account sadmin-pan01 and sadmin-pan02 and 1 administrator account, admin-pan01. These 3 accounts have permissions to all Firewall/Access domains/Device-Group/Template-Group.
And there are 4 firewalls being managed through Panorama. These firewalls have, at the local configuration level, not injected by Panorama, 1 local superadmin account, named sadmin01 and 2 other admin accounts, admin01 and admin02.
My doubt is the following. I understand that when I log in through Panorama and change the context to a certain firewall, this is like or similar to logging in locally to the firewall; therefore I can see the local configuration, make local changes, rules, etc. Here is my disturbing doubt: if I log in with the account "admin-pan01" or "sadmin-pan01" to Panorama and then change the context to, for example, FW-L2L-01, it is understood that the users/accounts "admin-pan01" and "sadmin-pan01" are not created, neither locally nor by template/template-stack; they do not exist in the FW-L2L-01 firewall, but they exist in Panorama, where I log in and context switch to the FW-L2L-01 firewall. For this context switching, to see the local config, to save, apply and make local settings, having already changed to the FW-L2L-01 firewall context, is it mandatory that the same account or accounts also exist in the destination firewall or firewalls? Or do I already have permissions from Panorama with only the account used, i.e. with the account that I log in to Panorama with, will I already have permissions on the firewall through the change of context, it of course being managed by Panorama? Or is it necessary to map and create each administrator user that is created in Panorama in the firewalls to be able to change the context and/or log in locally directly to the firewall(s)?
Thank you very much, I remain attentive, greetings and attentive to your comments.
Thank you, Reaper, it is clear to me.
If you allow a Panorama admin to context switch, they do not need a local account on the firewall. For accountability purposes, they will be logged on to the firewall as "panorama-<panorama username>" so you know who made local changes.