Access domains control administrative access to specific Device
Groups and templates,
and also control the ability to switch context to
the web interface of managed firewalls. Access domains apply only
to administrators with Device Group and Template roles. Mapping Administrative
Roles to access domains enables very granular control over
the information that administrators access on Panorama. For example,
consider a scenario where you configure an access domain that includes
all the device groups for firewalls in your data centers and you assign
that access domain to an administrator who is allowed to monitor
data center traffic but who is not allowed to configure the firewalls.
In this case, you would map the access domain to a role that enables
all monitoring privileges but disables access to device group settings.
Additionally, Device Group and Template admins can perform administrative
tasks for managed firewalls in their access domain, such as viewing
the configuration and system logs, performing configuration audits,
reviewing pending tasks, and directly accessing firewall operations such
as reboot, generating a tech support file, executing a stats dump,
and exporting a core file.
You configure access domains in the local Panorama configuration
and then assign them to administrative accounts and roles. You can
perform the assignment locally or use an external SAML, TACACS+, or RADIUS server. Using an external server
enables you to quickly reassign access domains through your directory
service instead of reconfiguring settings on Panorama. To use an
external server, you must define a server profile that enables Panorama
to access the server. You must also define Vendor-Specific Attributes
(VSAs) on the RADIUS or TACACS+ server, or SAML attributes on the
SAML IdP server.
For example, if you use a RADIUS server, you would define a VSA
number and value for each administrator. The value defined has to
match the name of an access domain configured on Panorama. When an administrator
tries to log in to Panorama, Panorama queries the RADIUS server
for the administrator's access domain using that attribute number. Based
on the response from the RADIUS server, the administrator is authorized
for access and is restricted to the firewalls, virtual systems,
device groups, and templates that are assigned to the access domain.
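The following is an added illustration, not code from this page or from Palo Alto Networks, of the two ideas above: a role supplies the privileges, an access domain supplies the scope (device groups and templates), and an access-domain value returned by an external server must match a domain configured locally before any access is granted. The role names, domain names, device-group names and the attribute label `PLACEHOLDER-Access-Domain` are constructed for the example; the real vendor-specific attribute name and number are defined by the vendor and are not reproduced here. The check fails closed: an unknown or missing domain value yields no access at all.

```python
"""
Added illustration (not Palo Alto Networks code) of how Panorama scopes a
Device Group and Template administrator: the role's privileges decide WHAT
the admin may do, and the access domain decides WHERE (which device groups
and templates). An access-domain value supplied by RADIUS/TACACS+/SAML is
only honoured if it matches a domain configured on Panorama.
All names, sample data and the attribute label are constructed.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional


@dataclass(frozen=True)
class Role:
    name: str
    privileges: FrozenSet[str]


@dataclass(frozen=True)
class AccessDomain:
    name: str
    device_groups: FrozenSet[str]
    templates: FrozenSet[str]


# Locally configured roles (constructed): one monitoring-only role, one that
# may also change device group and template settings.
ROLES: Dict[str, Role] = {
    "dc-monitor": Role("dc-monitor",
                       frozenset({"monitor", "view_logs", "config_audit"})),
    "dc-admin": Role("dc-admin",
                     frozenset({"monitor", "view_logs", "config_audit",
                                "configure_device_group", "configure_template"})),
}

# Locally configured access domains (constructed): the data-center domain
# groups the data-center device groups and their template.
ACCESS_DOMAINS: Dict[str, AccessDomain] = {
    "datacenter": AccessDomain("datacenter",
                               frozenset({"dc-east", "dc-west"}),
                               frozenset({"dc-template"})),
    "branch": AccessDomain("branch",
                           frozenset({"branch-dg"}),
                           frozenset({"branch-template"})),
}

# Placeholder for the vendor-specific attribute that carries the access
# domain; the real attribute name/number is vendor-defined (assumption).
DOMAIN_ATTRIBUTE = "PLACEHOLDER-Access-Domain"


def resolve_access_domain(server_attributes: Dict[str, str]) -> Optional[AccessDomain]:
    """Match the domain value returned by the external server against the
    domains configured on Panorama. No match, or no attribute, means no
    domain: the caller must treat that as a denial."""
    value = server_attributes.get(DOMAIN_ATTRIBUTE)
    if not value:
        return None
    return ACCESS_DOMAINS.get(value)


def authorize(role_name: str, server_attributes: Dict[str, str],
              action: str, device_group: str) -> bool:
    """True only if the role grants the action AND the device group lies
    inside the administrator's access domain. Any missing piece denies."""
    role = ROLES.get(role_name)
    domain = resolve_access_domain(server_attributes)
    if role is None or domain is None:
        return False
    if action not in role.privileges:
        return False
    return device_group in domain.device_groups


if __name__ == "__main__":
    # The data-center monitor can read logs for a data-center device group,
    # but cannot configure it and cannot see a branch device group.
    attrs = {DOMAIN_ATTRIBUTE: "datacenter"}
    print(authorize("dc-monitor", attrs, "view_logs", "dc-east"))               # True
    print(authorize("dc-monitor", attrs, "configure_device_group", "dc-east"))  # False
    print(authorize("dc-monitor", attrs, "view_logs", "branch-dg"))             # False
    print(authorize("dc-admin", {DOMAIN_ATTRIBUTE: "no-such-domain"},
                    "view_logs", "dc-east"))                                    # False
```

The two checks are deliberately independent: swapping the role changes what the administrator may do without widening the set of device groups they can reach, and reassigning the domain value on the directory server changes the scope without touching the role, which is the reassignment benefit the text attributes to using an external server.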