Administrative Roles

You configure administrator accounts based on the security requirements of your organization, any existing authentication services that your network uses, and the required administrative roles. A role defines the type of system access that is available to an administrator. You can define and restrict access as broadly or granularly as required, depending on the security requirements of your organization. For example, you might decide that a data center administrator can have access to all device and networking configurations, but a security administrator can control only security policy definitions, while other key individuals can have limited CLI or XML API access. The role types are:
  • Dynamic Roles: These are built-in roles that provide access to Panorama and managed firewalls. When new features are added, Panorama automatically updates the definitions of dynamic roles; you never need to update them manually. The following table lists the access privileges associated with dynamic roles.

    Dynamic Role            Privileges
    Superuser               Full read-write access to Panorama.
    Superuser (read-only)   Read-only access to Panorama.
    Panorama administrator  Full access to Panorama except for the following actions:
      • Create, modify, or delete Panorama or firewall administrators and roles.
      • Export, validate, revert, save, load, or import a configuration in the Device > Setup > Operations page.
      • Configure Scheduled Config Export functionality in the Panorama tab.
  • Admin Role Profiles: To provide more granular access control over the functional areas of the web interface, CLI, and XML API, you can create custom roles. When new features are added to the product, you must update the custom roles with the corresponding access privileges yourself: Panorama does not automatically add new features to custom role definitions. You select one of the following profile types when you Configure an Admin Role Profile.

    Admin Role Profile: Panorama
      For these roles, you can assign read-write access, read-only access, or no access to all the Panorama features that are available to the Superuser dynamic role, except the management of Panorama administrators and Panorama roles. For those two features, you can assign read-only access or no access, but you cannot assign read-write access.
      An example use of a Panorama role would be for security administrators who require access to security policy definitions, logs, and reports on Panorama.

    Admin Role Profile: Device Group and Template
      For these roles, you can assign read-write access, read-only access, or no access to specific functional areas within device groups, templates, and firewall contexts. By combining these roles with Access Domains, you can enforce the separation of information among the functional or regional areas of your organization. Device Group and Template roles have the following limitations:
      • No access to the CLI or XML API
      • No access to configuration or system logs
      • No access to VM information sources
      • In the Panorama tab, access is limited to:
        • Device deployment features (read-write, read-only, or no access)
        • The device groups specified in the administrator account (read-write, read-only, or no access)
        • The templates and managed firewalls specified in the administrator account (read-only or no access)
      An example use of this role would be for administrators in your operations staff who require access to the device and network configuration areas of the web interface for specific device groups and/or templates.
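The constraints on the two profile types, and the fact that custom roles do not pick up newly added features on their own, lend themselves to a mechanical check. The following Python script is an added example, not Panorama's own code or its configuration export format: it lints a custom role definition against the rules above and lists baseline features the role does not mention, which are the entries to revisit after an upgrade. The feature names, the access-level strings and the dict-based role layout are assumptions chosen for illustration; map them to your own feature inventory before use.

```python
"""Lint custom Panorama admin role profiles against the rules for each
profile type. Added example; the feature vocabulary, access-level strings
and role representation are assumptions, not Panorama's export format."""

ACCESS_LEVELS = ("read-write", "read-only", "none")
PROFILE_TYPES = ("panorama", "device-group-template")

# Constructed baseline: the feature set the Superuser dynamic role covers.
# Rebuild this after every upgrade, because custom roles are not updated
# automatically when features are added to the product.
SUPERUSER_FEATURES = frozenset({
    "security-policy", "logs", "reports", "device-deployment",
    "device-groups", "templates", "managed-firewalls",
    "panorama-administrators", "panorama-roles",
    "cli", "xml-api", "config-logs", "system-logs", "vm-info-sources",
})

# Panorama-type profiles: administrator and role management can be
# read-only or none, never read-write.
PANORAMA_RO_MAX = frozenset({"panorama-administrators", "panorama-roles"})

# Device Group and Template profiles: no access to these areas at all ...
DGT_FORBIDDEN = frozenset({"cli", "xml-api", "config-logs", "system-logs",
                           "vm-info-sources"})
# ... and templates / managed firewalls are capped at read-only.
DGT_RO_MAX = frozenset({"templates", "managed-firewalls"})


def lint_role(profile_type, privileges):
    """Return a sorted list of (feature, problem) tuples for a role given as
    {feature: access_level}; an empty list means the role is consistent with
    the rules for its profile type."""
    if profile_type not in PROFILE_TYPES:
        raise ValueError(f"unknown profile type {profile_type!r}")
    findings = []
    for feature, level in sorted(privileges.items()):
        if level not in ACCESS_LEVELS:
            findings.append((feature, f"unknown access level {level!r}"))
            continue
        if profile_type == "panorama":
            if feature in PANORAMA_RO_MAX and level == "read-write":
                findings.append((feature, "read-write not allowed; cap at read-only"))
        else:  # device-group-template
            if feature in DGT_FORBIDDEN and level != "none":
                findings.append((feature, "not available to this profile type"))
            elif feature in DGT_RO_MAX and level == "read-write":
                findings.append((feature, "read-write not allowed; cap at read-only"))
    return findings


def unassigned_features(privileges, baseline=SUPERUSER_FEATURES):
    """Baseline features the custom role does not mention at all. After an
    upgrade adds features to the baseline, these are the entries an
    administrator must review and assign an access level explicitly."""
    return sorted(baseline - set(privileges))


if __name__ == "__main__":
    # Constructed role: a security administrator on a Panorama-type profile
    # that was mistakenly granted read-write on administrator management.
    sec_admin = {
        "security-policy": "read-write", "logs": "read-only",
        "reports": "read-only", "panorama-administrators": "read-write",
    }
    for feature, problem in lint_role("panorama", sec_admin):
        print(f"{feature}: {problem}")
    print("unassigned:", ", ".join(unassigned_features(sec_admin)))
```

Run the lint against every custom Admin Role Profile after each Panorama upgrade, with the baseline regenerated from the current release, and treat any finding or unassigned entry as a change to approve deliberately rather than inherit silently.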