Admin Role profiles are custom roles that define the access privileges and responsibilities of administrators. For Device Group and Template administrators, you can map roles to access domains in an administrator account to enforce the separation of information among the functional or regional areas of your organization (for details, see Panorama > Access Domains).
To create an Admin Role profile, click Add and complete the following fields.
If you use a RADIUS server to authenticate administrators, map the administrator roles and access domains to RADIUS Vendor Specific Attributes (VSAs).
Panorama Administrator Role Setting Description
Name Enter a name to identify this administrator role (up to 31 characters). The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.
Description Enter an optional description of the role.
Role Select the scope of administrative responsibility Panorama or Device Group and Template.
Web UI Select from the following options to set the type of access permitted for specific features in the Panorama context ( Web UI list) and firewall context ( Context Switch UI list): Enable ( )—Read and write access Read Only ( )—Read-only access Disable ( )—No access
XML API ( Panorama role only ) Select the type of XML API access ( Enable, Read Only, or Disable) for Panorama and managed firewalls: Report —Access to Panorama and firewall reports. Log —Access to Panorama and firewall logs. Configuration —Permissions to retrieve or modify Panorama and firewall configurations. Operational Requests —Permissions to run operational commands on Panorama and firewalls. Commit —Permissions to commit Panorama and firewall configurations. User-ID Agent —Access to the User-ID agent. Export —Permissions to export files from Panorama and firewalls (such as configurations, block or response pages, certificates, and keys). Import —Permissions to import files into Panorama and firewalls (such as software updates, content updates, licenses, configurations, certificates, block pages, and custom logs).
Command Line ( Panorama role only ) Select the type of role for CLI access: None —(Default) Access to the Panorama CLI not permitted. superuser —Full access to Panorama. superreader —Read-only access to Panorama. panorama-admin —Full access to Panorama except for the following actions: Create, modify, or delete Panorama administrators and roles. Export, validate, revert, save, load, or import a configuration. Schedule configuration exports.

Related Documentation