Access domains control the access that Device Group and Template administrators have to specific device groups (to manage policies and objects), to templates (to manage network and device settings), and to the web interface of managed firewalls (through context switching). You can define up to 4,000 access domains and manage them locally or by using RADIUS Vendor-Specific Attributes (VSAs), TACACS+ VSAs, or SAML attributes. To create an access domain,
domain and configure the settings as described in the following table.
Access Domain Settings

Enter a name for the access domain (up to 31 characters). The name is case-sensitive, must be unique, and can contain only letters, numbers, hyphens, and underscores.

Select one of the following access privileges for the objects that device groups in this access domain inherit from the Shared location. Regardless of privilege, administrators can’t override shared or default (predefined) objects.
can display and clone shared objects but cannot perform any other operations on them. When adding non-shared objects or cloning shared objects, the destination must be a device group within the access domain,
—Administrators can perform all operations on shared objects. This is the default value.
—Administrators can add objects only to Shared. Administrators can also display, edit, and delete shared objects but cannot move or clone them. A consequence of this selection is that administrators cannot perform any operations on non-shared objects other than to display them.

Enable or disable read-write access for specific device groups in the access domain. You can also click
read-write access for a device group automatically enables the same access for its descendants. If you manually disable a descendant, access for its highest ancestor automatically changes to read-only. By default, access is disabled for all device groups.
want the list to display only specific device groups, select the device group names and
you set the access for shared objects to
applies read-only access to any device groups for which you specify

For each template or template stack you want to assign, click
and select it from
the Device/Virtual Systems column in the Access Domain page

Select the firewalls to which the administrator can switch context for performing local configuration. If the list is long, you can filter by
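
The device-group rules in the table above (disabled by default, read-write propagating to descendants, the highest ancestor changing to read-only when a descendant is manually disabled), modeled in Python as an added example that is not Panorama code and not part of the original page. The hierarchy and group names are constructed; leaving other groups untouched on a disable, and downgrading the highest ancestor only when it was read-write, are assumptions where the page is silent.

```python
# Added model of the page's device-group rules; not Panorama code.
DISABLED, READ_ONLY, READ_WRITE = "disabled", "read-only", "read-write"

class AccessDomainModel:
    def __init__(self, parents):
        # parents maps device group -> parent (None for a top-level group).
        self.parents = dict(parents)
        # Page rule: access is disabled for all device groups by default.
        self.access = {dg: DISABLED for dg in self.parents}

    def descendants(self, dg):
        found, stack = [], [dg]
        while stack:
            cur = stack.pop()
            kids = [c for c, p in self.parents.items() if p == cur]
            found.extend(kids)
            stack.extend(kids)
        return found

    def highest_ancestor(self, dg):
        top, cur = None, self.parents[dg]
        while cur is not None:
            top, cur = cur, self.parents[cur]
        return top

    def enable(self, dg):
        # Page rule: read-write on a group also applies to its descendants.
        for node in [dg] + self.descendants(dg):
            self.access[node] = READ_WRITE

    def disable(self, dg):
        # Assumption: only the named group changes; its descendants keep their state.
        self.access[dg] = DISABLED
        top = self.highest_ancestor(dg)
        # Page rule: the highest ancestor changes to read-only.
        # Assumption: applied only when that ancestor was read-write.
        if top is not None and self.access[top] == READ_WRITE:
            self.access[top] = READ_ONLY

    def excess_read_write(self, intended):
        # Least-privilege check: groups holding read-write beyond the intended scope.
        return sorted(d for d, a in self.access.items()
                      if a == READ_WRITE and d not in intended)

def demo():
    # Constructed hierarchy: emea -> {emea-dc, emea-branch -> emea-lab}; amer stands alone.
    m = AccessDomainModel({"emea": None, "emea-dc": "emea", "emea-branch": "emea",
                           "emea-lab": "emea-branch", "amer": None})
    m.enable("emea")
    excess = m.excess_read_write({"emea", "emea-dc"})
    m.disable("emea-branch")
    return excess, dict(m.access)
```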