Administrative Roles
A role defines the type of access that an administrator has to the firewall.
Administrative Role Types
The role types are:
Dynamic Roles: These are built-in roles that provide access to the firewall. When new features are added, the firewall automatically updates the definitions of dynamic roles; you never need to manually update them. The following table lists the access privileges associated with dynamic roles.
Dynamic Role | Privileges
Superuser | Full access to the firewall, including defining new administrator accounts and virtual systems. You must have superuser privileges to create an administrative user with superuser privileges.
Superuser (read-only) | Read-only access to the firewall.
Virtual system administrator | Full access to a selected virtual system (vsys) on the firewall.
Virtual system administrator (read-only) | Read-only access to a selected vsys on the firewall.
Device administrator | Full access to all firewall settings except for defining new accounts or virtual systems.
Device administrator (read-only) | Read-only access to all firewall settings except password profiles (no access) and administrator accounts (only the logged-in account is visible).
Admin Role Profiles: Custom roles you can configure for more granular access control over the functional areas of the web interface, CLI, and XML API. For example, you can create an Admin Role profile for your operations staff that provides access to the firewall and network configuration areas of the web interface and a separate profile for your security administrators that provides access to security policy definitions, logs, and reports. On a multi-vsys firewall, you can select whether the role defines access for all virtual systems or for a specific vsys. When new features are added to the product, you must update the roles with corresponding access privileges: the firewall does not automatically add new features to custom role definitions. For details on the privileges you can configure for custom administrator roles, see Reference: Web Interface Administrator Access.
Configure an Admin Role Profile
Admin Role profiles enable you to define granular administrative access privileges to ensure protection for sensitive company information and privacy for end users.
As a best practice, create Admin Role profiles that allow administrators to access only the areas of the management interfaces that they need to access to perform their jobs.
Select Device > Admin Roles and click Add.
Enter a Name to identify the role.
For the scope of the Role, select Device or Virtual System.
In the Web UI and XML API tabs, click the icon for each functional area to toggle it to the desired setting: Enable, Read Only, or Disable. For details on the Web UI options, see Web Interface Access Privileges.
Select the Command Line tab and select a CLI access option. The Role scope controls the available options:
Device role: superuser, superreader, deviceadmin, devicereader, or None
Virtual System role: vsysadmin, vsysreader, or None
Click OK to save the profile.
Assign the role to an administrator. See Configure an Administrative Account.
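The following is an added example, not code from the product or its documentation: a pre-change review script that checks planned Admin Role profiles against the scope and CLI rules in the procedure above and flags a CLI option that grants more than the Web UI and XML API settings do. The dict layout, the scope keys (device, vsys), the area names, and the sample profiles are constructed for illustration, and reading Enable as read/write access is an assumption.

```python
# Added example: audits Admin Role profile definitions before they are entered.
# The dict layout, area names and sample profiles are constructed for this
# example; they are not a PAN-OS export format.
CLI_BY_SCOPE = {  # CLI options the procedure lists for each Role scope
    "device": {"superuser", "superreader", "deviceadmin", "devicereader", "none"},
    "vsys": {"vsysadmin", "vsysreader", "none"},
}
WRITE_CLI = {"superuser", "deviceadmin", "vsysadmin"}  # non-read-only CLI roles
SETTINGS = {"enable", "read-only", "disable"}

def audit_profile(profile):
    """Return a list of findings for one role profile (empty list = clean)."""
    findings = []
    scope, cli = profile["scope"], profile["cli"].lower()
    if cli not in CLI_BY_SCOPE.get(scope, set()):
        findings.append(f"CLI option '{cli}' is not offered for scope '{scope}'")
    areas = {f"{tab}/{name}": setting
             for tab in ("webui", "xmlapi")
             for name, setting in profile.get(tab, {}).items()}
    for area, setting in areas.items():
        if setting not in SETTINGS:
            findings.append(f"{area}: unknown setting '{setting}'")
    enabled = [a for a, s in areas.items() if s == "enable"]
    # Assumption: Enable means read/write. A writable CLI role next to tabs with
    # nothing enabled means the CLI undoes the restriction set in the tabs.
    if cli in WRITE_CLI and not enabled:
        findings.append(f"CLI option '{cli}' exceeds the Web UI/XML API settings")
    if areas and len(enabled) == len(areas):
        findings.append("every listed area is enabled; nothing is restricted")
    return findings

PROFILES = [  # constructed sample data
    {"name": "netops", "scope": "device", "cli": "devicereader",
     "webui": {"network": "enable", "policies": "read-only"},
     "xmlapi": {"config": "disable", "log": "enable"}},
    {"name": "auditor", "scope": "device", "cli": "superuser",
     "webui": {"monitor": "read-only", "policies": "read-only"},
     "xmlapi": {"config": "disable"}},
    {"name": "tenant-a", "scope": "vsys", "cli": "deviceadmin",
     "webui": {"policies": "enable"}, "xmlapi": {"config": "enable"}},
]

if __name__ == "__main__":
    for p in PROFILES:
        print(p["name"], audit_profile(p) or "ok")
```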
