You configure administrator accounts based on the security requirements of your organization, any existing authentication services that your network uses, and the required administrative roles. A role defines the type of system access that is available to an administrator. You can define and restrict access as broadly or granularly as required, depending on the security requirements of your organization. For example, you might decide that a data center administrator can have access to all device and networking configurations, but a security administrator can control only security policy definitions, while other key individuals can have limited CLI or XML API access. The role types are:
- Dynamic Roles—These are built-in roles that provide access to Panorama and managed firewalls. When new features are added, Panorama automatically updates the definitions of dynamic roles; you never need to manually update them. The following table lists the access privileges associated with dynamic roles.
Full read-write access to Panorama
Read-only access to Panorama
Full access to Panorama except for the following actions:
- Admin Role Profiles—To provide more granular access control over the functional areas of the web interface, CLI, and XML API, you can create custom roles. When new features are added to the product, you must update the roles with corresponding access privileges: Panorama does not automatically add new features to custom role definitions. You select one of the following profile types when you Configure an Admin Role Profile.
Admin Role Profile
For these roles, you can assign read-write access, read-only access, or no access to all the Panorama features that are available to the superuser dynamic role except the management of Panorama administrators and Panorama roles. For the latter two features, you can assign read-only access or no access, but you cannot assign read-write access.
An example use of a Panorama role would be for security administrators who require access to security policy definitions, logs, and reports on Panorama.
Device Group and Template
For these roles, you can assign read-write access, read-only access, or no access to specific functional areas within device groups, templates, and firewall contexts. By combining these roles with Access Domains, you can enforce the separation of information among the functional or regional areas of your organization. Device Group and Template roles have the following limitations:
An example use of this role would be for administrators in your operations staff who require access to the device and network configuration areas of the web interface for specific device groups and/or templates.