Admin Role profiles let you define granular administrative access privileges, which protects sensitive company information and the privacy of end users. As a best practice, create Admin Role profiles that allow administrators to access only the areas of the management interfaces they need to perform their jobs.
You can create an Admin Role profile, set its scope to Virtual System, and then, on the Web UI tab for example, choose the parts of the configuration that the administrator can control within a virtual system. Click OK to save the Admin Role profile. Then select , and when you create the administrator account, name it, select Role Based, choose the Admin Role profile you just saved, and select the virtual system that the administrator can control. Logging in through the MGT interface does not by itself grant full access to the firewall; what the administrator can do is governed by the Admin Role.
If the Admin Role profile is scoped to Virtual System, an administrator assigned that profile has no control over virtual routers. Only a subset of the Network options is available to a Virtual System role, and Virtual Routers is not among them. To make Virtual Routers available in an Admin Role profile, the role's scope must be Device, not Virtual System. (You can define a superuser administrator, who has access to both virtual systems and virtual routers.)
You can then create a second Admin Role profile scoped to Device, select the desired parts of Network, such as Virtual Routers, name the profile, and apply it to a different administrator.
Different departments may have different functions. Based on the login, each administrator receives control over exactly the objects enabled in the Admin Role profile assigned to that account.
In summary, you cannot define a Virtual System Admin Role profile that includes routing (Virtual Router). To separate these roles, create two accounts, one with each profile, and assign them to two different users, because an administrator account can have only one Admin Role profile.
The MGT interface supports role-based access; it does not inherently provide full access to the device. The login account's Admin Role, not the MGT interface, determines whether a user has full or limited rights to the objects.
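The three rules above (a Virtual System profile cannot carry Virtual Routers, an account has exactly one profile, and access is decided by the account's role rather than by the interface the login arrives on) as a small Python model. This is an added illustration written for this page, not PAN-OS code or its API; the option names and the abbreviated per-scope option lists are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional

# Network options each scope can expose. Names are abbreviated and assumed for
# this illustration; the point is that the Virtual System scope lacks
# "virtual-routers", while the Device scope carries it.
DEVICE_NETWORK_OPTIONS: FrozenSet[str] = frozenset(
    {"interfaces", "zones", "vlans", "virtual-wires", "virtual-routers"}
)
VSYS_NETWORK_OPTIONS: FrozenSet[str] = frozenset({"zones", "virtual-wires"})


@dataclass(frozen=True)
class AdminRoleProfile:
    """An Admin Role profile: a scope plus the Network options it grants."""
    name: str
    scope: str  # "device" or "vsys"
    network_options: FrozenSet[str]

    def __post_init__(self) -> None:
        if self.scope not in ("device", "vsys"):
            raise ValueError(f"unknown scope {self.scope!r}")
        allowed = DEVICE_NETWORK_OPTIONS if self.scope == "device" else VSYS_NETWORK_OPTIONS
        unavailable = self.network_options - allowed
        if unavailable:
            # A vsys-scoped profile cannot carry virtual-routers: reject it when
            # the profile is defined, not when an admin tries to use it.
            raise ValueError(
                f"{self.name}: {sorted(unavailable)} not available in {self.scope} scope"
            )


@dataclass(frozen=True)
class Administrator:
    """A login account. It carries exactly one Admin Role profile."""
    name: str
    role: AdminRoleProfile
    vsys: Optional[str] = None  # the virtual system a vsys-scoped admin controls

    def __post_init__(self) -> None:
        if self.role.scope == "vsys" and self.vsys is None:
            raise ValueError(f"{self.name}: a vsys-scoped role must name its virtual system")


def authorize(admin: Administrator, vsys: str, option: str, interface: str = "mgt") -> bool:
    """Decide whether `admin` may control `option` inside `vsys`.

    `interface` is accepted only to make the point visible: it is never consulted.
    The decision depends on the account's role, not on the interface the login used.
    """
    if option not in admin.role.network_options:
        return False
    if admin.role.scope == "vsys" and admin.vsys != vsys:
        return False
    return True


def build_example() -> dict:
    """Two profiles on two accounts, plus a vsys profile that is rejected."""
    vsys_role = AdminRoleProfile("vsys1-ops", "vsys", frozenset({"zones", "virtual-wires"}))
    routing_role = AdminRoleProfile("routing-ops", "device", frozenset({"virtual-routers"}))
    try:
        AdminRoleProfile("bad-vsys-role", "vsys", frozenset({"zones", "virtual-routers"}))
        rejected = False
    except ValueError:
        rejected = True
    alice = Administrator("alice", vsys_role, vsys="vsys1")  # hypothetical accounts
    bob = Administrator("bob", routing_role)
    return {
        "vsys_role_with_vr_rejected": rejected,
        "alice_zones_vsys1": authorize(alice, "vsys1", "zones"),
        "alice_zones_vsys2": authorize(alice, "vsys2", "zones"),
        "alice_vr_vsys1": authorize(alice, "vsys1", "virtual-routers"),
        "bob_vr_mgt": authorize(bob, "vsys1", "virtual-routers", interface="mgt"),
        "bob_vr_dataplane": authorize(bob, "vsys2", "virtual-routers", interface="ethernet1/1"),
    }


if __name__ == "__main__":
    for check, result in build_example().items():
        print(f"{check}: {result}")
```

Running the module shows alice, whose profile is scoped to vsys1, controlling zones in vsys1 but neither zones in vsys2 nor virtual routers anywhere, while bob, holding the Device-scoped routing profile, controls virtual routers regardless of which interface he logged in through.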