Administrative Roles
You configure administrator accounts based on the security
requirements of your organization, any existing authentication services
that your network uses, and the required administrative roles. A role defines
the type of system access that is available to an administrator.
You can define and restrict access as broadly or granularly as required,
depending on the security requirements of your organization. For example,
you might decide that a data center administrator can have access
to all device and networking configurations, but a security administrator
can control only security policy definitions, while other key individuals
can have limited CLI or XML API access. The role types are:
- Dynamic Roles—These are built-in roles that provide access to Panorama and managed firewalls. When new features are added, Panorama automatically updates the definitions of dynamic roles; you never need to manually update them. The following table lists the access privileges associated with dynamic roles.
Dynamic Role | Privileges |
---|---|
Superuser | Full read-write access to Panorama |
Superuser (read-only) | Read-only access to Panorama |
Panorama administrator | Full access to Panorama except for the following actions: |
- Admin Role Profiles—To provide more granular access control over the functional areas of the web interface, CLI, and XML API, you can create custom roles. When new features are added to the product, you must update the roles with corresponding access privileges: Panorama does not automatically add new features to custom role definitions. You select one of the following profile types when you Configure an Admin Role Profile.
Admin Role Profile | Description |
---|---|
Panorama | For these roles, you can assign read-write access, read-only access, or no access to all the Panorama features that are available to the superuser dynamic role, except the management of Panorama administrators and Panorama roles. For those two features you can assign read-only access or no access, but not read-write access. An example use of a Panorama role is a security administrator who needs access to security policy definitions, logs, and reports on Panorama. |
Device Group and Template | For these roles, you can assign read-write access, read-only access, or no access to specific functional areas within device groups, templates, and firewall contexts. By combining these roles with Access Domains, you can enforce the separation of information among the functional or regional areas of your organization. Device Group and Template roles have the following limitations: An example use of this role is an operations administrator who needs access to the device and network configuration areas of the web interface for specific device groups and/or templates. |
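Two points above deserve a periodic check in practice: dynamic roles such as Superuser and Panorama administrator grant full read-write access, and custom Admin Role Profiles do not pick up new features automatically, so an upgrade can leave a feature area with no explicit access decision. The script below is an added example (not Palo Alto Networks code) that audits an exported configuration for both. The XML layout of SAMPLE_CONFIG (`mgt-config/users` entries with `role-based` permissions, `shared/admin-role` profiles) and the feature list in KNOWN_PANORAMA_FEATURES are constructed assumptions modelled loosely on a Panorama export; verify the element paths against your own running configuration before relying on the results.

```python
"""Least-privilege audit of Panorama administrator roles.

Added example, not Palo Alto Networks code. The element layout of the
constructed SAMPLE_CONFIG is an assumption; check it against a real export.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional
import xml.etree.ElementTree as ET

# Constructed sample configuration: three admins and one custom Admin Role Profile.
SAMPLE_CONFIG = """<config>
  <mgt-config>
    <users>
      <entry name="alice">
        <permissions><role-based><superuser>yes</superuser></role-based></permissions>
      </entry>
      <entry name="bob">
        <permissions><role-based><panorama-admin>yes</panorama-admin></role-based></permissions>
      </entry>
      <entry name="carol">
        <permissions><role-based><custom><profile>secops-ro</profile></custom></role-based></permissions>
      </entry>
    </users>
  </mgt-config>
  <shared>
    <admin-role>
      <entry name="secops-ro">
        <role><panorama>
          <policy>read-only</policy>
          <monitor>enable</monitor>
          <panorama-admins>read-only</panorama-admins>
        </panorama></role>
      </entry>
    </admin-role>
  </shared>
</config>"""

# Feature areas a custom Panorama role is expected to set explicitly.
# Constructed list for the example; extend it after every Panorama upgrade.
KNOWN_PANORAMA_FEATURES = ("policy", "monitor", "logs", "reports", "panorama-admins")

# Assumed element names for the dynamic roles, mapped to a display label.
DYNAMIC_ROLES = {
    "superuser": "superuser",
    "superuser-read-only": "superuser (read-only)",
    "panorama-admin": "Panorama administrator",
}


@dataclass
class Admin:
    name: str
    kind: str                 # dynamic role label, "custom", or "unknown"
    profile: Optional[str]    # Admin Role Profile name when kind == "custom"


def parse_admins(xml_text: str) -> List[Admin]:
    """Return every administrator with the role kind it is assigned."""
    root = ET.fromstring(xml_text)
    admins = []
    for entry in root.findall("./mgt-config/users/entry"):
        rb = entry.find("./permissions/role-based")
        kind, profile = "unknown", None
        if rb is not None:
            for elem, label in DYNAMIC_ROLES.items():
                node = rb.find(elem)
                if node is not None and (node.text or "").strip() == "yes":
                    kind = label
                    break
            else:  # no dynamic role flag set: look for a custom profile reference
                prof = rb.find("./custom/profile")
                if prof is not None and prof.text:
                    kind, profile = "custom", prof.text.strip()
        admins.append(Admin(entry.get("name", "?"), kind, profile))
    return admins


def parse_profiles(xml_text: str) -> Dict[str, Dict[str, str]]:
    """Map each custom Admin Role Profile to its per-feature access level."""
    root = ET.fromstring(xml_text)
    profiles = {}
    for entry in root.findall("./shared/admin-role/entry"):
        features = {f.tag: (f.text or "").strip() for f in entry.findall("./role/panorama/*")}
        profiles[entry.get("name", "?")] = features
    return profiles


def audit(xml_text: str, known_features=KNOWN_PANORAMA_FEATURES) -> List[str]:
    """Flag full-access dynamic roles and custom profiles with unset feature areas."""
    findings = []
    profiles = parse_profiles(xml_text)
    for admin in parse_admins(xml_text):
        if admin.kind in DYNAMIC_ROLES.values() and admin.kind != "superuser (read-only)":
            findings.append(f"{admin.name}: dynamic role '{admin.kind}' grants full "
                            "read-write access; confirm this is required")
        elif admin.kind == "custom" and admin.profile not in profiles:
            findings.append(f"{admin.name}: references missing Admin Role Profile '{admin.profile}'")
        elif admin.kind == "unknown":
            findings.append(f"{admin.name}: no recognisable role assignment")
    for name, features in profiles.items():
        for feat in known_features:
            if feat not in features:
                findings.append(f"profile {name}: no explicit access level for '{feat}' "
                                "(custom roles are not updated when features are added)")
        if features.get("panorama-admins") == "enable":
            findings.append(f"profile {name}: read-write on Panorama administrators is not a "
                            "valid custom-role grant; inspect this entry")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_CONFIG):
        print(line)
```

Run against the sample, the audit reports alice (superuser) and bob (Panorama administrator) as full-access dynamic roles and reports that `secops-ro` has no decision recorded for `logs` and `reports`; carol, who holds only the custom read-only profile, produces no finding. Feed it a real export after each upgrade and add the new feature areas to KNOWN_PANORAMA_FEATURES so the unset entries surface.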