I am looking for clarification about when a user should be created with a Role of "Dynamic" (e.g. Superuser) vs "Role Based" (e.g. securityadmin).
or any quick tips or thoughts ?
The recommendation is to use a Dynamic, Superuser (read-only) role (fixed privelidges) when creating an Indeni user. It's more scalable especially since we intend on growing the automation breadth and depth on Palo Alto Devices. Dynamic roles will auto-magically be updated with proper permission sets when new features are added to Palo Alto. If you opt to create a user using custom roles, then you run the risk of Indeni not capturing the full picture of your Palo Alto device or virtual system depending on the automation running. The automation is typically written and tested using a superuser (full or readonly). hope this helps.
A Dynamic role means you haven't staticallcy set the individual permissions of the user. Going further with that it means that the subsequent role you select is dynamically updated by Palo Alto as newer OS updates are released, etc.
If you are very selective about what specific functions or data can be viewed within the firewall or Panorama you create a Role Based policy. For instance if you have a VPN administrator that has no business modifying firewall policies or URL filtering, you might give them read only access to those tabs in the GUI to troubleshoot connectivity but full access to the VPN config in the GUI. Maybe you even give them specific CLI instructions that can be executed as well and call it a VPN_Admin_Role.
LIke stated, a Dynamic SuperUser (read-only) would be best for an indeni user account. It would future proof any new functions in newer PAN-OS versions. These would be added to either XML API or CLI commands used in updated indeni platform proactive monitoring without having to adjust permissions on every update.