You can configure privileges for an entire firewall or for one or more virtual systems (on platforms that support multiple virtual systems). Within that
designation, you can configure privileges for custom administrator roles, which are more granular than the fixed privileges associated with a dynamic administrator role.
Configuring privileges at a granular level ensures that lower level administrators cannot access certain information. You can create custom roles for firewall administrators (see
Configure an Administrative Account), Panorama administrators, or Device Group and Template administrators (refer to the
Panorama Administrator’s Guide). You apply the admin role to a custom role-based administrator account where you can assign one or more virtual systems. The following topics describe the privileges you can configure for custom administrator roles.