Role-based access control (RBAC) enables you to define
the privileges and responsibilities of administrative users (administrators).
Every administrator must have a user account that specifies a role
and authentication method. Administrative Roles define access to specific configuration settings, logs, and reports
within Panorama and firewall contexts. For Device Group and Template
administrators, you can map roles to Access Domains, which define access to specific device groups, templates, and
firewalls (through context switching). By combining each access
domain with a role, you can enforce the separation of information
among the functional or regional areas of your organization. For
example, you can limit an administrator to monitoring activities
for data center firewalls but allow that administrator to set policies
for test lab firewalls.

By default, every Panorama appliance (virtual
appliance or M-Series appliance) has a predefined administrative
account (admin) that provides full read-write access (superuser access)
to all functional areas and to all device groups, templates, and
firewalls. For each administrator, you can define an authentication
profile that determines how Panorama verifies user access credentials.

Instead of using the default account
for all administrators, it is a best practice to create a separate
administrative account for each person who needs access to the administrative
or reporting functions on Panorama. This provides better protection
against unauthorized configuration changes and enables Panorama
to log and identify the actions of each administrator.
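
The pairing of access domains with roles described above can be shown as a small conceptual model in Python, with a default-deny check and an audit helper. This is an added example, not Palo Alto Networks code or the Panorama API; the class names, permission strings, device group names and the accounts alice and bob are assumptions made for illustration.

```python
# Conceptual model only: names and structure are illustrative, not Panorama's API.
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Role:
    name: str
    permissions: frozenset  # actions the role allows, e.g. {"monitor", "set_policy"}

@dataclass(frozen=True)
class AccessDomain:
    name: str
    device_groups: frozenset  # device groups this domain exposes

@dataclass
class Administrator:
    name: str
    superuser: bool = False
    grants: list = field(default_factory=list)  # (AccessDomain, Role) pairs

def is_allowed(admin, device_group, action):
    """Default deny: allow only if some (domain, role) pair covers both
    the device group and the action, or the account is a superuser."""
    if admin.superuser:
        return True
    return any(device_group in dom.device_groups and action in role.permissions
               for dom, role in admin.grants)

def who_can(admins, device_group, action):
    """Audit helper: list every account able to perform the action."""
    return sorted(a.name for a in admins if is_allowed(a, device_group, action))

# Constructed sample data mirroring the example in the text.
MONITOR = Role("monitor-only", frozenset({"monitor"}))
POLICY = Role("policy-editor", frozenset({"monitor", "set_policy"}))
DATACENTER = AccessDomain("datacenter", frozenset({"dc-firewalls"}))
TESTLAB = AccessDomain("testlab", frozenset({"lab-firewalls"}))

ADMINS = [
    Administrator("admin", superuser=True),  # predefined full-access account
    Administrator("alice", grants=[(DATACENTER, MONITOR), (TESTLAB, POLICY)]),
    Administrator("bob", grants=[(TESTLAB, MONITOR)]),
]

if __name__ == "__main__":
    for dg in ("dc-firewalls", "lab-firewalls"):
        print(dg, "set_policy ->", who_can(ADMINS, dg, "set_policy"))
```

Running the audit helper against a real export of accounts shows which people, besides the predefined admin account, can change policy on each device group.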