Dashboard

Controls access to the Dashboard tab. If you disable this privilege, the administrator will not see the tab and will not have access to any of the Dashboard widgets.

Yes

No

ACC

Controls access to the Application Command Center (ACC). If you disable this privilege, the ACC tab will not display in the web interface. Keep in mind that if you want to protect the privacy of your users while still providing access to the ACC, you can disable the PrivacyShow Full IP Addresses option and/or the Show User Names In Logs And Reports option.

Yes

No

Monitor

Controls access to the Monitor tab. If you disable this privilege, the administrator will not see the Monitor tab and will not have access to any of the logs, packet captures, session information, reports or to App Scope. For more granular control over what monitoring information the administrator can see, leave the Monitor option enabled and then enable or disable specific nodes on the tab as described in Provide Granular Access to the Monitor Tab.

Yes

No

Policies

Controls access to the Policies tab. If you disable this privilege, the administrator will not see the Policies tab and will not have access to any policy information. For more granular control over what policy information the administrator can see, for example to enable access to a specific type of policy or to enable read-only access to policy information, leave the Policies option enabled and then enable or disable specific nodes on the tab as described in Provide Granular Access to the Policy Tab.

Yes

No

Objects

Controls access to the Objects tab. If you disable this privilege, the administrator will not see the Objects tab and will not have access to any objects, security profiles, log forwarding profiles, decryption profiles, or schedules. For more granular control over what objects the administrator can see, leave the Objects option enabled and then enable or disable specific nodes on the tab as described in Provide Granular Access to the Objects Tab.

Yes

No

Network

Controls access to the Network tab. If you disable this privilege, the administrator will not see the Network tab and will not have access to any interface, zone, VLAN, virtual wire, virtual router, IPsec tunnel, DHCP, DNS Proxy, GlobalProtect, or QoS configuration information or to the network profiles. For more granular control over what objects the administrator can see, leave the Network option enabled and then enable or disable specific nodes on the tab as described in Provide Granular Access to the Network Tab.

Yes

No

Device

Controls access to the Device tab. If you disable this privilege, the administrator will not see the Device tab and will not have access to any firewall-wide configuration information, such as User-ID, High Availability, server profile or certificate configuration information. For more granular control over what objects the administrator can see, leave the Device option enabled and then enable or disable specific nodes on the tab as described in Provide Granular Access to the Device Tab.

Yes

No

Panorama

Controls access to the Panorama tab. If you disable this privilege, the administrator will not see the Panorama tab and will not have access to any Panorama-wide configuration information, such as Managed Devices, Managed Collectors, or Collector Groups.

For more granular control over what objects the administrator can see, leave the Panorama option enabled and then enable or disable specific nodes on the tab as described in Provide Granular Access to the Panorama Tab.

Yes

No

Privacy

Controls access to the privacy settings described in Define User Privacy Settings in the Admin Role Profile.

Yes

No

Validate

When disabled, an administrator cannot validate a configuration.

Yes

No

Save

Sets the default state (enabled or disabled) for all the save privileges described below (Partial Save and Save For Other Admins).

Yes

No

When disabled, an administrator cannot save changes that any administrator made to the Panorama configuration.

Yes

No

When disabled, an administrator cannot save changes that other administrators made to the Panorama configuration.

Yes

No

Commit

Sets the default state (enabled or disabled) for all the commit, push, and revert privileges described below (Panorama, Device Groups, Templates, Force Template Values, Collector Groups, WildFire Appliance Clusters).

Yes

No

When disabled, an administrator cannot commit or revert configuration changes that any administrators made, including his or her own changes.

Yes

No

When disabled, an administrator cannot commit or revert configuration changes that other administrators made.

Yes

No

Device Groups

When disabled, an administrator cannot push changes to device groups.

Yes

No

Templates

When disabled, an administrator cannot push changes to templates.

Yes

No

Force Template Values

This privilege controls access to the Force Template Values option in the Push Scope Selection dialog.

When disabled, an administrator cannot replace overridden settings in local firewall configurations with settings that Panorama pushes from a template.

Yes

No

Collector Groups

When disabled, an administrator cannot push changes to Collector Groups.

Yes

No

WildFire Appliance Clusters

When disabled, an administrator cannot push changes to WildFire appliance clusters.

Yes

No

Tasks

When disabled, an administrator cannot access the Task Manager.

Yes

No