Provide Granular Access to the Objects Tab

An object is a container that groups specific policy filter values—such as IP addresses, URLs, applications, or services—for simplified rule definition. For example, an address object might contain specific IP address definitions for the web and application servers in your DMZ zone.
When deciding whether to allow access to the Objects tab as a whole, determine whether the administrator will have policy definition responsibilities. If not, the administrator probably does not need access to the tab. If, however, the administrator will need to create policy, you can enable access to the tab and then provide granular access privileges at the node level.
By enabling access to a specific node, you give the administrator the privilege to view, add, and delete the corresponding object type. Giving read-only access allows the administrator to view the already defined objects, but not create or delete any. Disabling a node prevents the administrator from seeing the node in the web interface.

| Access Level | Description | Enable | Read Only | Disable |
|---|---|---|---|---|
| Addresses | Specifies whether the administrator can view, add, or delete address objects for use in security policy. | Yes | Yes | Yes |
| Address Groups | Specifies whether the administrator can view, add, or delete address group objects for use in security policy. | Yes | Yes | Yes |
| Regions | Specifies whether the administrator can view, add, or delete regions objects for use in security, decryption, or DoS policy. | Yes | Yes | Yes |
| Applications | Specifies whether the administrator can view, add, or delete application objects for use in policy. | Yes | Yes | Yes |
| Application Groups | Specifies whether the administrator can view, add, or delete application group objects for use in policy. | Yes | Yes | Yes |
| Application Filters | Specifies whether the administrator can view, add, or delete application filters for simplification of repeated searches. | Yes | Yes | Yes |
| Services | Specifies whether the administrator can view, add, or delete service objects for use in creating policy rules that limit the port numbers an application can use. | Yes | Yes | Yes |
| Service Groups | Specifies whether the administrator can view, add, or delete service group objects for use in security policy. | Yes | Yes | Yes |
| Tags | Specifies whether the administrator can view, add, or delete tags that have been defined on the firewall. | Yes | Yes | Yes |
| GlobalProtect | Specifies whether the administrator can view, add, or delete HIP objects and profiles. You can restrict access to both types of objects at the GlobalProtect level, or provide more granular control by enabling the GlobalProtect privilege and restricting HIP Object or HIP Profile access. | Yes | No | Yes |
| HIP Objects | Specifies whether the administrator can view, add, or delete HIP objects, which are used to define HIP profiles. HIP Objects also generate HIP Match logs. | Yes | Yes | Yes |
| Clientless Apps | Specifies whether the administrator can view, add, modify, or delete GlobalProtect VPN Clientless applications. | Yes | Yes | Yes |
| Clientless App Groups | Specifies whether the administrator can view, add, modify, or delete GlobalProtect VPN Clientless application groups. | Yes | Yes | Yes |
| HIP Profiles | Specifies whether the administrator can view, add, or delete HIP Profiles for use in security policy and/or for generating HIP Match logs. | Yes | Yes | Yes |
| External Dynamic Lists | Specifies whether the administrator can view, add, or delete external dynamic lists for use in security policy. | Yes | Yes | Yes |
| Custom Objects | Specifies whether the administrator can see the custom spyware and vulnerability signatures. You can restrict access to either enable or disable access to all custom signatures at this level, or provide more granular control by enabling the Custom Objects privilege and then restricting access to each type of signature. | Yes | No | Yes |
| Data Patterns | Specifies whether the administrator can view, add, or delete custom data pattern signatures for use in creating custom Vulnerability Protection profiles. | Yes | Yes | Yes |
| Spyware | Specifies whether the administrator can view, add, or delete custom spyware signatures for use in creating custom Vulnerability Protection profiles. | Yes | Yes | Yes |
| Vulnerability | Specifies whether the administrator can view, add, or delete custom vulnerability signatures for use in creating custom Vulnerability Protection profiles. | Yes | Yes | Yes |
| URL Category | Specifies whether the administrator can view, add, or delete custom URL categories for use in policy. | Yes | Yes | Yes |
| Security Profiles | Specifies whether the administrator can see security profiles. You can restrict access to either enable or disable access to all security profiles at this level, or provide more granular control by enabling the Security Profiles privilege and then restricting access to each type of profile. | Yes | No | Yes |
| Antivirus | Specifies whether the administrator can view, add, or delete antivirus profiles. | Yes | Yes | Yes |
| Anti-Spyware | Specifies whether the administrator can view, add, or delete Anti-Spyware profiles. | Yes | Yes | Yes |
| Vulnerability Protection | Specifies whether the administrator can view, add, or delete Vulnerability Protection profiles. | Yes | Yes | Yes |
| URL Filtering | Specifies whether the administrator can view, add, or delete URL filtering profiles. | Yes | Yes | Yes |
| File Blocking | Specifies whether the administrator can view, add, or delete file blocking profiles. | Yes | Yes | Yes |
| WildFire Analysis | Specifies whether the administrator can view, add, or delete WildFire analysis profiles. | Yes | Yes | Yes |
| Data Filtering | Specifies whether the administrator can view, add, or delete data filtering profiles. | Yes | Yes | Yes |
| DoS Protection | Specifies whether the administrator can view, add, or delete DoS protection profiles. | Yes | Yes | Yes |
| GTP Protection | Specifies whether the mobile network operator can view, add, or delete GTP Protection profiles. | Yes | Yes | Yes |
| SCTP Protection | Specifies whether the mobile network operator can view, add, or delete Stream Control Transmission Protocol (SCTP) Protection profiles. | Yes | Yes | Yes |
| Security Profile Groups | Specifies whether the administrator can view, add, or delete security profile groups. | Yes | Yes | Yes |
| Log Forwarding | Specifies whether the administrator can view, add, or delete log forwarding profiles. | Yes | Yes | Yes |
| Authentication | Specifies whether the administrator can view, add, or delete authentication enforcement objects. | Yes | Yes | Yes |
| Decryption Profile | Specifies whether the administrator can view, add, or delete decryption profiles. | Yes | Yes | Yes |
| Schedules | Specifies whether the administrator can view, add, or delete schedules for limiting a security policy to a specific date and/or time range. | Yes | Yes | Yes |
