A role defines the type of access that
an administrator has to the firewall. The Administrator Types are:
Role Based—Custom roles you can configure for more
granular access control over the functional areas of the web interface,
CLI, and XML API. For example, you can create an Admin Role profile
for your operations staff that provides access to the firewall and
network configuration areas of the web interface and a separate
profile for your security administrators that provides access to
security policy definitions, logs, and reports. On a firewall with
multiple virtual systems, you can select whether the role defines
access for all virtual systems or specific virtual systems. When
new features are added to the product, you must update the roles
with corresponding access privileges: the firewall does not automatically
add new features to custom role definitions. For details on the
privileges you can configure for custom administrator roles, see Reference:
Web Interface Administrator Access.
Dynamic—Built-in roles that provide access to the
firewall. When new features are added, the firewall automatically
updates the definitions of dynamic roles; you never need to manually
update them. The following table lists the access privileges associated
with dynamic roles.
Superuser
Full access to the firewall, including defining
new administrator accounts and virtual systems. You must have Superuser
privileges to create an administrative user with Superuser privileges.
Superuser (read-only)
Read-only access to the firewall (enables the XML API in a read-only
Device administrator
Full access to all firewall settings except
for defining new accounts or virtual systems.
Device administrator (read-only)
Read-only access to all firewall settings
except password profiles (no access) and administrator accounts
(only the logged-in account is visible).
Virtual system administrator
Access to selected virtual systems on the
firewall to create and manage specific aspects of virtual systems.
A virtual system administrator doesn’t have access to network interfaces,
VLANs, virtual wires, virtual routers, IPSec tunnels, GRE tunnels,
DHCP, DNS Proxy, QoS, LLDP, or network profiles.
Virtual system administrator (read-only)
Read-only access to selected virtual systems
on the firewall and specific aspects of virtual systems. A virtual system
administrator with read-only access doesn’t have access to network
interfaces, VLANs, virtual wires, virtual routers, IPSec tunnels,
GRE tunnels, DHCP, DNS Proxy, QoS, LLDP, or network profiles.
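
Because the firewall does not add new features to custom role definitions, a custom role should be re-checked against the available privileges after each upgrade. The following Python example is added here for illustration and is not Palo Alto Networks code: it diffs a custom role definition against a catalog of privileges and lists the ones the role never defined. The XML layout, element names, and access values are constructed assumptions, not the firewall's export schema.

```python
import xml.etree.ElementTree as ET

# Constructed sample data: element names and values are illustrative
# placeholders, not the firewall's actual export schema.
BASELINE_XML = """<role>
  <webui><policies/><network/><logs/><reports/><new-feature/></webui>
  <xmlapi><config/><log/></xmlapi>
</role>"""

SECURITY_ADMIN_XML = """<role>
  <webui>
    <policies>enable</policies>
    <network>disable</network>
    <logs>enable</logs>
    <reports>enable</reports>
    <legacy-widget>enable</legacy-widget>
  </webui>
  <xmlapi><log>read-only</log></xmlapi>
</role>"""


def leaf_paths(xml_text):
    """Map each leaf privilege path (e.g. 'webui/logs') to its setting."""
    paths = {}

    def walk(node, prefix):
        children = list(node)
        if not children and prefix:
            paths["/".join(prefix)] = (node.text or "").strip()
        for child in children:
            walk(child, prefix + [child.tag])

    walk(ET.fromstring(xml_text), [])
    return paths


def audit_role(role_xml, baseline_xml):
    """Compare a custom role with the privilege catalog of the current release."""
    role, baseline = leaf_paths(role_xml), leaf_paths(baseline_xml)
    return {
        # In the catalog but never defined in the role: added after the role was written.
        "undefined": sorted(set(baseline) - set(role)),
        # Defined in the role but no longer in the catalog.
        "stale": sorted(set(role) - set(baseline)),
    }


if __name__ == "__main__":
    for kind, paths in audit_role(SECURITY_ADMIN_XML, BASELINE_XML).items():
        print(kind, paths)
```

Each path reported as undefined needs an explicit access decision in the custom role.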