Configure an Admin Role Profile

Admin Role profiles enable you to define granular administrative access privileges to ensure protection for sensitive company information and privacy for end users.
As a best practice, create Admin Role profiles that allow administrators to access only the areas of the management interfaces that they need to access to perform their jobs.
You can create an Admin Role profile, specify that the role applies to Virtual System, and then select Web UI, for example, and choose the part of the configuration that the administrator can control within a virtual system. Click OK to save the Admin Role Profile. Then select Device > Administrators, name the role, select Role Based, enter the name of the Admin Role Profile, and select the virtual system that the administrator can control. The MGT interface doesn't give full access to the firewall; access is controlled by the Admin Role.
If the Admin Role Profile is based on Virtual System, that administrator won't have control over a virtual router. Only a subset of the Network options are available in a Virtual System role, and virtual router isn't one of the included options. If you want virtual router available in an Admin Role Profile, the role must be Device, not Virtual System. (You can define a superuser Administrator to have both Virtual System and Virtual Router access.)
You can create a second Admin Role Profile, specify that the role applies to Device, and then select portions under Network, such as Virtual Routers. Name the Admin Role Profile, and then apply it to a different administrator.
You might have different departments that have different functions. Based on the login, the administrator gets the right to control the objects enabled in the Admin Role Profile.
In summary, you can't define a Virtual System Admin Role profile that includes routing (Virtual Router). You can create two accounts to have these separate roles and assign them to two different users. An Administrator account can have only one Admin Role profile.
The MGT interface can have role-based access; it doesn't strictly provide full access to the device. The login account (Admin Role) is what gives a user rights or limited access to the objects, not the MGT interface.
  1. Select Device > Admin Roles and click Add.
  2. Enter a Name to identify the role.
  3. For the scope of the Role, select Device or Virtual System.
  4. In the Web UI and REST API tabs, click the icon for each functional area to toggle it to the desired setting: Enable, Disable, or Read Only. For the XML API, click the icon for each functional area to toggle it to the desired setting: Enable or Disable. For details on the Web UI options, see Web Interface Access Privileges.
  5. Select the Command Line tab and select a CLI access option. The Role scope controls the available options:
    • Device role—superuser, superreader, deviceadmin, devicereader, or None
    • Virtual System role—vsysadmin, vsysreader, or None
  6. Click OK to save the profile.
  7. Assign the role to an administrator. See Configure a Firewall Administrator Account.
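
The constraints described above (which CLI options each Role scope offers, which settings each tab accepts, that Virtual Routers needs a Device role, and one profile per administrator) can be checked against a planned role design before it is entered. The following Python is an added example, not Palo Alto Networks code; the dictionary layout, profile and administrator names, and the functional-area names other than Virtual Routers are constructed for illustration and are not the PAN-OS configuration schema.

```python
# Added example: rules come from the page; the data layout is constructed, not PAN-OS schema.
CLI_OPTIONS = {
    "Device": {"superuser", "superreader", "deviceadmin", "devicereader", "None"},
    "Virtual System": {"vsysadmin", "vsysreader", "None"},
}
TAB_SETTINGS = {
    "Web UI": {"Enable", "Disable", "Read Only"},
    "REST API": {"Enable", "Disable", "Read Only"},
    "XML API": {"Enable", "Disable"},  # XML API has no Read Only setting
}

def check_profile(profile):
    """Return the rule violations found in one Admin Role profile."""
    name, scope = profile["name"], profile["role"]
    if scope not in CLI_OPTIONS:
        return [f"{name}: unknown role scope {scope!r}"]
    problems = []
    cli = profile.get("cli", "None")
    if cli not in CLI_OPTIONS[scope]:
        problems.append(f"{name}: CLI option {cli!r} is not offered for a {scope} role")
    for tab, areas in profile.get("tabs", {}).items():
        for area, setting in areas.items():
            if setting not in TAB_SETTINGS.get(tab, set()):
                problems.append(f"{name}: {tab}/{area} cannot be set to {setting!r}")
            if scope == "Virtual System" and area == "Virtual Routers":
                problems.append(f"{name}: Virtual Routers requires a Device role")
    return problems

def check_assignments(assignments, profiles):
    """Flag unknown profiles and administrators given more than one profile."""
    known, seen, problems = {p["name"] for p in profiles}, {}, []
    for admin, prof in assignments:
        if prof not in known:
            problems.append(f"{admin}: profile {prof!r} does not exist")
        if seen.setdefault(admin, prof) != prof:
            problems.append(f"{admin}: already has profile {seen[admin]!r}")
    return problems

# Constructed sample data (hypothetical names and functional areas).
PROFILES = [
    {"name": "vsys1-policy", "role": "Virtual System", "cli": "vsysreader",
     "tabs": {"Web UI": {"Policies": "Enable"}}},
    {"name": "routing", "role": "Device", "cli": "devicereader",
     "tabs": {"Web UI": {"Virtual Routers": "Enable"}}},
    {"name": "vsys1-net", "role": "Virtual System", "cli": "superuser",
     "tabs": {"Web UI": {"Virtual Routers": "Enable"},
              "XML API": {"Configuration": "Read Only"}}},
]
ASSIGNMENTS = [("alice", "vsys1-policy"), ("bob", "routing"), ("alice", "routing")]
```

Calling check_profile on each entry of PROFILES and check_assignments(ASSIGNMENTS, PROFILES) returns the violations as strings; an empty list means the profile or assignment set is consistent with the rules above.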
