The custom Panorama administrator roles allow you to
define access to the options on Panorama and the ability to only
allow access to Device Groups and Templates (Policies, Objects, Network, Device tabs).
The administrator roles you can create are Panorama and Device
Group and Template. You can’t assign CLI access privileges
to a Device Group and Template Admin Role
profile. If you assign superuser privileges for the CLI to a Panorama Admin
Role profile, administrators with that role can access all features
regardless of the web interface privileges you assign.
Access Level
Description
Enable
Read Only
Disable
Dashboard
Controls access to the Dashboard tab.
If you disable this privilege, the administrator will not see the
tab and will not have access to any of the Dashboard widgets.
Yes
No
Yes
ACC
Controls access to the Application Command
Center (ACC). If you disable this privilege, the ACC tab
will not display in the web interface. Keep in mind that if you want
to protect the privacy of your users while still providing access
to the ACC, you can disable the PrivacyShow Full IP Addresses option
and/or the Show User Names In Logs And Reports option.
Yes
No
Yes
Monitor
Controls access to the Monitor tab.
If you disable this privilege, the administrator will not see the Monitor tab
and will not have access to any of the logs, packet captures, session
information, reports or to App Scope. For more granular control
over what monitoring information the administrator can see, leave
the Monitor option enabled and then enable or disable specific nodes on
the tab as described in Provide
Granular Access to the Monitor Tab.
Yes
No
Yes
Policies
Controls access to the Policies tab.
If you disable this privilege, the administrator will not see the Policies tab
and will not have access to any policy information. For more granular
control over what policy information the administrator can see,
for example to enable access to a specific type of policy or to
enable read-only access to policy information, leave the Policies option
enabled and then enable or disable specific nodes on the tab as
described in Provide
Granular Access to the Policy Tab.
Yes
No
Yes
Objects
Controls access to the Objects tab.
If you disable this privilege, the administrator will not see the Objects tab
and will not have access to any objects, security profiles, log forwarding
profiles, decryption profiles, or schedules. For more granular control
over what objects the administrator can see, leave the Objects option
enabled and then enable or disable specific nodes on the tab as
described in Provide
Granular Access to the Objects Tab.
Yes
No
Yes
Network
Controls access to the Network tab.
If you disable this privilege, the administrator will not see the Network tab
and will not have access to any interface, zone, VLAN, virtual wire,
virtual router, IPsec tunnel, DHCP, DNS Proxy, GlobalProtect, or
QoS configuration information or to the network profiles. For more
granular control over what objects the administrator can see, leave
the Network option enabled and then enable
or disable specific nodes on the tab as described in Provide
Granular Access to the Network Tab.
Yes
No
Yes
Device
Controls access to the Device tab.
If you disable this privilege, the administrator will not see the Device tab
and will not have access to any firewall-wide configuration information,
such as User-ID, High Availability, server profile or certificate configuration
information. For more granular control over what objects the administrator
can see, leave the Device option enabled
and then enable or disable specific nodes on the tab as described
in Provide
Granular Access to the Device Tab.
You can’t
enable access to the Admin Roles or Administrators nodes
for a role-based administrator even if you enable full access to
the Device tab.
Yes
No
Yes
Panorama
Controls access to the Panorama tab.
If you disable this privilege, the administrator will not see the Panorama tab
and will not have access to any Panorama-wide configuration information,
such as Managed Devices, Managed Collectors, or Collector Groups.
For
more granular control over what objects the administrator can see,
leave the Panorama option enabled and then
enable or disable specific nodes on the tab as described in Provide
Granular Access to the Panorama Tab.
When disabled, an administrator cannot validate
a configuration.
Yes
No
Yes
Save
Sets the default state (enabled or disabled) for
all the save privileges described below (Partial Save and Save For
Other Admins).
Yes
No
Yes
Partial Save
When disabled, an administrator cannot save
changes that any administrator made to the Panorama configuration.
Yes
No
Yes
Save For Other Admins
When disabled, an administrator cannot save
changes that other administrators made to the Panorama configuration.
Yes
No
Yes
Commit
Sets the default state (enabled or disabled) for
all the commit, push, and revert privileges described below (Panorama, Device
Groups, Templates, Force Template Values, Collector Groups, WildFire Appliance
Clusters).
Yes
No
Yes
Panorama
When disabled, an administrator cannot commit
or revert configuration changes that any administrators made, including
his or her own changes.
Yes
No
Yes
Commit for Other Admins
When disabled, an administrator cannot commit
or revert configuration changes that other administrators made.
Yes
No
Yes
Device Groups
When disabled, an administrator cannot push
changes to device groups.
Yes
No
Yes
Templates
When disabled, an administrator cannot push
changes to templates.
Yes
No
Yes
Force Template Values
This privilege controls access to the Force Template
Values option in the Push Scope Selection dialog.
When
disabled, an administrator cannot replace overridden settings in
local firewall configurations with settings that Panorama pushes
from a template.
If you push a configuration
with Force Template Values enabled, all overridden
values on the firewall are replaced with values from the template.
Before you use this option, check for overridden values on the firewalls
to ensure your commit does not result in any unexpected network outages
or issues caused by replacing those overridden values.
Yes
No
Yes
Collector Groups
When disabled, an administrator cannot push
changes to Collector Groups.
Yes
No
Yes
WildFire Appliance Clusters
When disabled, an administrator cannot push
changes to WildFire appliance clusters.
Yes
No
Yes
Tasks
When disabled, an administrator cannot access
the Task Manager.
