Admin Role profiles are custom Administrative Roles that enable you to define granular administrative access privileges to ensure protection for sensitive company information and privacy for end users. As a best practice, create Admin Role profiles that allow administrators to access only the areas of the management interfaces required to perform their jobs.
Configure an Admin Role Profile
Select Panorama > Admin Roles and click Add.
Enter a Name for the profile and select the Role type: Panorama or Device Group and Template.
Configure access privileges to each functional area of Panorama ( Web UI) and firewalls ( Context Switch UI) by toggling the icons to the desired setting: Enable (read-write), Read Only, or Disable. If administrators with custom roles will commit device group or template changes to managed firewalls, you must give those roles read-write access to Panorama > Device Groups and Panorama > Templates. If you upgrade from an earlier Panorama version, the upgrade process provides read-only access to those nodes. You cannot manage access to the firewall CLI or XML API through context-switching privileges in Panorama roles.
If the Role type is Panorama, configure access to the XML API by toggling the Enabled/Disabled icon for each functional area.
If the Role type is Panorama, select an access level for the Command Line interface: None (default), superuser, superreader, or panorama-admin.
Click OK to save the profile.

Related Documentation