Administrative Roles

You configure administrator accounts based on the security requirements of your organization, any existing authentication services that your network uses, and the required administrative roles. A role defines the type of system access that is available to an administrator. You can define and restrict access as broadly or granularly as required, depending on the security requirements of your organization. For example, you might decide that a data center administrator can have access to all device and networking configurations, but a security administrator can control only security policy definitions, while other key individuals can have limited CLI or XML API access. The role types are:

Dynamic Roles
—These are built-in roles that provide access to Panorama and managed firewalls. When new features are added, Panorama automatically updates the definitions of dynamic roles; you never need to manually update them. The following table lists the access privileges associated with dynamic roles.

Dynamic Role	Privileges
Superuser	Full read-write access to Panorama
Superuser (read-only)	Read-only access to Panorama
Panorama administrator	Full access to Panorama except for the following actions: Create, modify, or delete Panorama or firewall administrators and roles. Export, validate, revert, save, load, or import a configuration in the Device Setup Operations page. Configure Scheduled Config Export functionality in the Panorama tab.

Admin Role Profiles
—To provide more granular access control over the functional areas of the web interface, CLI, and XML API, you can create custom roles. When new features are added to the product, you must update the roles with corresponding access privileges: Panorama does not automatically add new features to custom role definitions. You select one of the following profile types when you Configure an Admin Role Profile.

Admin Role Profile	Description
Panorama	For these roles, you can assign read-write access, read-only access, or no access to all the Panorama features that are available to the superuser dynamic role except the management of Panorama administrators and Panorama roles. For the latter two features, you can assign read-only access or no access, but you cannot assign read-write access. An example use of a Panorama role would be for security administrators who require access to security policy definitions, logs, and reports on Panorama.
Device Group and Template	For these roles, you can assign read-write access, read-only access, or no access to specific functional areas within device groups, templates, and firewall contexts. By combining these roles with Access Domains, you can enforce the separation of information among the functional or regional areas of your organization. Device Group and Template roles have the following limitations: No access to the CLI or XML API No access to configuration or system logs No access to VM information sources In the Panorama tab, access is limited to: Device deployment features (read-write, read-only, or no access) The device groups specified in the administrator account (read-write, read-only, or no access) The templates and managed firewalls specified in the administrator account (read-only or no access) An example use of this role would be for administrators in your operations staff who require access to the device and network configuration areas of the web interface for specific device groups and/or templates.

Admin Role Profile

Description

Panorama

For these roles, you can assign read-write access, read-only access, or no access to all the Panorama features that are available to the superuser dynamic role except the management of Panorama administrators and Panorama roles. For the latter two features, you can assign read-only access or no access, but you cannot assign read-write access.

An example use of a Panorama role would be for security administrators who require access to security policy definitions, logs, and reports on Panorama.

Device Group and Template

For these roles, you can assign read-write access, read-only access, or no access to specific functional areas within device groups, templates, and firewall contexts. By combining these roles with Access Domains, you can enforce the separation of information among the functional or regional areas of your organization. Device Group and Template roles have the following limitations:

No access to the CLI or XML API

No access to configuration or system logs

No access to VM information sources

In the

Panorama

tab, access is limited to:

Device deployment features (read-write, read-only, or no access)

The device groups specified in the administrator account (read-write, read-only, or no access)

The templates and managed firewalls specified in the administrator account (read-only or no access)

An example use of this role would be for administrators in your operations staff who require access to the device and network configuration areas of the web interface for specific device groups and/or templates.

Document:Panorama Administrator's Guide

Administrative Roles

Administrative Roles

Recommended For You

Document:Panorama Administrator's Guide

Administrative Roles

Administrative Roles

Recommended For You

Recommended Videos