Configure Administrative Access Per Virtual System or Firewall
If you have a superuser administrative account, you can create and configure granular permissions for a vsysadmin or device admin role.
- Create an Admin Role Profile that grants or denies an administrator permission to configure, or gives read-only access to, various areas of the web interface.
  - Select Device > Admin Roles and Add an Admin Role Profile.
  - Enter a Name and optional Description of the profile.
  - For Role, specify which level of control the profile affects:
    - Device—The profile allows the management of the global settings and any virtual systems.
    - Virtual System—The profile allows the management of only the virtual system(s) assigned to the administrator(s) who have this profile. (The administrator will be able to access Device > Setup > Services > Virtual Systems, but not the Global tab.)
  - On the Web UI tab for the Admin Role Profile, scroll down to Device, and leave the green check mark (Enable).
  - Under Device, enable Setup. Under Setup, enable the areas to which this profile will grant configuration permission to the administrator. (The Read Only lock icon appears in the Enable/Disable rotation if Read Only is allowed for that setting.)
    - Management—Allows an admin with this profile to configure settings on the Management tab.
    - Operations—Allows an admin with this profile to configure settings on the Operations tab.
    - Services—Allows an admin with this profile to configure settings on the Services tab. An admin must have Services enabled in order to access the Device > Setup > Services > Virtual Systems tab. If the Role was specified as Virtual System in the prior step, Services is the only setting that can be enabled under Device > Setup.
    - Content-ID—Allows an admin with this profile to configure settings on the Content-ID tab.
    - WildFire—Allows an admin with this profile to configure settings on the WildFire tab.
    - Session—Allows an admin with this profile to configure settings on the Session tab.
    - HSM—Allows an admin with this profile to configure settings on the HSM tab.
  - (Optional) Repeat the entire step to create another Admin Role profile with different permissions, as necessary.
- Apply the Admin Role profile to an administrator.
  - Select Device > Administrators, click Add, and enter the Name to add an Administrator.
  - (Optional) Select an Authentication Profile.
  - (Optional) Select Use only client certificate authentication (Web) to have bi-directional authentication, in which the server also authenticates the client.
  - Enter a Password and Confirm Password.
  - (Optional) Select Use Public Key Authentication (SSH) if you want to use a much stronger, key-based authentication method using an SSH public key rather than just a password.
  - For Administrator Type, select Role Based.
  - For Profile, select the profile that you just created.
  - (Optional) Select a Password Profile.
- Commit the configuration. Click Commit.
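The role and Setup-area rules in the procedure above can be checked against a hand-kept inventory of profiles and administrators before committing. The following Python is an added example, not Palo Alto Networks code and not a PAN-OS export format: the inventory layout, the `audit` function and every sample name are assumptions constructed for illustration, and the "every Setup area enabled" check is a review heuristic rather than a rule from this page.

```python
# Constructed inventory format (hypothetical, not a PAN-OS export schema).
# Setup areas are the seven listed in the procedure above.
SETUP_AREAS = ("Management", "Operations", "Services", "Content-ID",
               "WildFire", "Session", "HSM")
STATES = ("enable", "read-only", "disable")


def audit(profiles, admins):
    """Return findings for role profiles and the admins assigned to them."""
    findings = []
    for name, prof in profiles.items():
        setup = prof.get("setup", {})
        for area, state in setup.items():
            if area not in SETUP_AREAS or state not in STATES:
                findings.append(f"{name}: unrecognised entry {area}={state}")
        enabled = [a for a in SETUP_AREAS if setup.get(a) == "enable"]
        if prof["role"] == "vsys":
            # Page rule: for a Virtual System role, Services is the only
            # setting that can be enabled under Device > Setup.
            extra = [a for a in enabled if a != "Services"]
            if extra:
                findings.append(f"{name}: vsys role enables {', '.join(extra)}")
        elif len(enabled) == len(SETUP_AREAS):
            # Review heuristic (assumption, not a rule from the page).
            findings.append(f"{name}: every Setup area enabled, confirm intent")
    for admin, rec in admins.items():
        if rec["type"] != "Role Based":
            continue  # other administrator types are outside this check
        if rec["profile"] not in profiles:
            findings.append(f"{admin}: profile {rec['profile']} not defined")
    return findings


# Constructed sample data.
PROFILES = {
    "vsys1-services": {"role": "vsys", "setup": {"Services": "enable"}},
    "vsys2-broad": {"role": "vsys",
                    "setup": {"Services": "enable", "Management": "enable"}},
    "dev-content": {"role": "device",
                    "setup": {"Content-ID": "enable", "WildFire": "read-only"}},
    "dev-all": {"role": "device", "setup": {a: "enable" for a in SETUP_AREAS}},
}
ADMINS = {
    "alice": {"type": "Role Based", "profile": "vsys1-services"},
    "bob": {"type": "Role Based", "profile": "dev-old"},
}

if __name__ == "__main__":
    for line in audit(PROFILES, ADMINS):
        print(line)
```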