Administrative Role Types
A role defines the type of access that an administrator has to the firewall. The Administrator Types are:
- Role Based—Custom roles you can configure for more granular access control over the functional areas of the web interface, CLI, and XML API. For example, you can create an Admin Role profile for your operations staff that provides access to the firewall and network configuration areas of the web interface and a separate profile for your security administrators that provides access to security policy definitions, logs, and reports. On a firewall with multiple virtual systems, you can select whether the role defines access for all virtual systems or specific virtual systems. When new features are added to the product, you must update the roles with corresponding access privileges: the firewall does not automatically add new features to custom role definitions. For details on the privileges you can configure for custom administrator roles, see Reference: Web Interface Administrator Access.
- Dynamic—Built-in roles that provide access to the firewall. When new features are added, the firewall automatically updates the definitions of dynamic roles; you never need to manually update them. The following table lists the access privileges associated with dynamic roles.
| Dynamic Role | Privileges |
|---|---|
| Superuser | Full access to the firewall, including defining new administrator accounts and virtual systems. You must have superuser privileges to create an administrative user with superuser privileges. |
| Superuser (read-only) | Read-only access to the firewall. |
| Virtual system administrator | Access to selected virtual systems on the firewall to create and manage specific aspects of virtual systems. A virtual system administrator doesn’t have access to network interfaces, VLANs, virtual wires, virtual routers, IPSec tunnels, DHCP, DNS Proxy, QoS, LLDP, or network profiles. |
| Virtual system administrator (read-only) | Read-only access to selected virtual systems on the firewall and specific aspects of virtual systems. A virtual system administrator with read-only access doesn’t have access to network interfaces, VLANs, virtual wires, virtual routers, IPSec tunnels, DHCP, DNS Proxy, QoS, LLDP, or network profiles. |
| Device administrator | Full access to all firewall settings except for defining new accounts or virtual systems. |
| Device administrator (read-only) | Read-only access to all firewall settings except password profiles (no access) and administrator accounts (only the logged in account is visible). |
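
The following added example (not part of the original documentation and not vendor code) audits an exported configuration and reports each administrator's role type, flagging superusers and the custom roles that need manual review when features are added. The XML layout and element names (`mgt-config/users`, `role-based`, `superreader`, and so on) are assumptions about the export format, and the sample accounts are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample. ASSUMPTION: the element names mirror the mgt-config/users
# section of an exported configuration; check them against your own export.
SAMPLE_CONFIG = """<config><mgt-config><users>
<entry name="alice"><permissions><role-based><superuser>yes</superuser></role-based></permissions></entry>
<entry name="bob"><permissions><role-based><superreader>yes</superreader></role-based></permissions></entry>
<entry name="carol"><permissions><role-based><custom><profile>netops</profile></custom></role-based></permissions></entry>
<entry name="dave"><permissions><role-based><vsysadmin><entry name="localhost.localdomain">
  <vsys><member>vsys1</member></vsys></entry></vsysadmin></role-based></permissions></entry>
<entry name="erin"><permissions><role-based><deviceadmin>yes</deviceadmin></role-based></permissions></entry>
</users></mgt-config></config>"""

# ASSUMED element name -> dynamic role as named in the table above.
DYNAMIC_ROLES = {
    "superuser": "Superuser",
    "superreader": "Superuser (read-only)",
    "deviceadmin": "Device administrator",
    "devicereader": "Device administrator (read-only)",
    "vsysadmin": "Virtual system administrator",
    "vsysreader": "Virtual system administrator (read-only)",
}

def audit_admins(xml_text):
    """Return one dict per administrator: name, role, scope and review notes."""
    report = []
    for user in ET.fromstring(xml_text).findall("./mgt-config/users/entry"):
        role = user.find("./permissions/role-based/*")
        tag = role.tag if role is not None else None
        row = {"name": user.get("name"), "scope": "firewall", "notes": []}
        if tag == "custom":
            row["role"] = "Role Based: " + (role.findtext("profile") or "?")
            row["scope"] = "set by profile"
            # Custom roles are not updated automatically when features are added.
            row["notes"].append("re-check privileges after each upgrade")
        elif tag in DYNAMIC_ROLES:
            row["role"] = DYNAMIC_ROLES[tag]
            vsys = [m.text for m in role.iter("member")]
            if vsys:
                row["scope"] = ",".join(vsys)  # virtual systems the role is limited to
            if tag == "superuser":
                row["notes"].append("can create administrator accounts")
        else:
            row["role"] = "unknown"
            row["notes"].append("no recognised role element")
        report.append(row)
    return report

if __name__ == "__main__":
    for row in audit_admins(SAMPLE_CONFIG):
        print("{name:6} {role:30} {scope:15} {notes}".format(**row))
```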