Here is a suggested Manifest directory structure for Palo Alto firewalls. Network Services will need the path for each group in order for access to work.
|Firewall_Admins-ReadWrite|| NetIDs allowed to change/add/remove firewall settings.
|Firewall_Admins-ReadOnly||NetIDs allowed to view firewall settings & logs.|
|Group/Service Specific Users||NetIDs allowed to log into a specific VPN.|
|"BELOW IS STILL BEING FINALIZED - PLEASE HOLD"|
|uw:domain:<YOUR_DEPT_NAME>:Firewall_Groups||AD groups that can be used to write firewall rules against after the user has logged into VPN.|
|Admins||System &/or Network Administrators|