Reference: Web Interface Administrator Access
You can configure privileges for an entire firewall or for one or more virtual systems (on platforms that support multiple virtual systems). Within that Device or Virtual System designation, you can configure privileges for custom administrator roles, which are more granular than the fixed privileges associated with a dynamic administrator role.
Configuring privileges at a granular level ensures that lower level administrators cannot access certain information. You can create custom roles for firewall administrators (see Configure an Administrative Account), Panorama administrators, or Device Group and Template administrators (refer to the Panorama Administrator’s Guide). You apply the admin role to a custom role-based administrator account where you can assign one or more virtual systems. The following topics describe the privileges you can configure for custom administrator roles.

Related Documentation