If you want to prevent a role-based administrator from accessing specific tabs on the web interface, you can disable the tab and the administrator will not even see it when logging in using the associated role-based administrative account. For example, you could create an Admin Role Profile for your operations staff that provides access to the Device and Network tabs only and a separate profile for your security administrators that provides access to the Object, Policy, and Monitor tabs.

An admin role can apply at the Device level or Virtual System level as defined by the Device or Virtual System radio button. If you select Virtual System, the admin assigned this profile is restricted to the virtual system(s) he or she is assigned to. Furthermore, only the DeviceSetupServicesVirtual Systems tab is available to that admin, not the Global tab.

The following topics describe how to set admin role privileges to the different parts of the web interface: