Configure an Admin Role Profile

Admin Role profiles enable you to define granular administrative access privileges to ensure protection for sensitive company information and privacy for end users.

Follow the principle of least privilege when you create Admin Role profiles: give administrators access only to the areas of the management interface that they need to perform their jobs, and follow Administrative Access Best Practices.

Steps to Configure an Admin Role Profile:

  1. Navigate to Device > Admin Roles and click Add.
  2. Enter a Name to identify the role.
  3. For the scope of the Role, select Device or Virtual System.
  4. In the Web UI and REST API tabs, click the icon for each functional area to toggle it to the desired setting: Enable, Read Only, or Disable. For the XML API tab, select Enable or Disable.
  5. Select the Command Line tab and choose a CLI access option based on the Role scope:
    • Device role:
      • None — CLI access is not permitted (default).
      • superuser — Full access, including defining new administrator accounts and virtual systems.
      • superreader — Full read-only access.
      • deviceadmin — Full access to all settings except defining new accounts or virtual systems.
      • devicereader — Read-only access to all settings except password profiles and administrator accounts.
    • Virtual System role:
      • None — Access is not permitted (default).
      • vsysadmin — Access to specific virtual systems to create and manage specific aspects of virtual systems.
      • vsysreader — Read-only access to specific virtual systems.
  6. Click OK to save the profile.
  7. Assign the role to an administrator. See Configure a Firewall Administrator Account.

Example: SOC Manager Admin Role Profile

This example shows an Admin Role profile for a Security Operations Center (SOC) manager who needs access to investigate potential issues. The SOC manager needs read access to many areas of the firewall but generally doesn’t need write access.

Configure Admin Role profiles for your administrators based on the functions they manage and the access required to do their job. Do not enable unnecessary access. Create separate profiles for each administrative group that shares the same duties and for administrators who have unique duties.
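
One way to review a profile against these rules before assigning it, as an added example that is not part of the original documentation. The dictionary layout, the functional-area names and the lint_profile helper are assumptions made for illustration (a simplified model, not the PAN-OS configuration schema); the scopes, settings and CLI roles are the ones listed in the steps above.

```python
# Added example: lint Admin Role profiles against the options listed in the steps.
# The dict layout is a constructed, simplified model, not the PAN-OS config schema.

CLI_BY_SCOPE = {
    "device": {"none", "superuser", "superreader", "deviceadmin", "devicereader"},
    "vsys": {"none", "vsysadmin", "vsysreader"},
}
READ_ONLY_CLI = {"none", "superreader", "devicereader", "vsysreader"}
TRI_STATE = {"enable", "read-only", "disable"}  # Web UI and REST API tabs
BI_STATE = {"enable", "disable"}                # XML API tab


def lint_profile(profile, read_only=False):
    """Return a list of findings for one profile; an empty list means it passed."""
    scope = profile["scope"]
    if scope not in CLI_BY_SCOPE:
        return [f"unknown scope {scope!r}"]
    findings = []
    cli = profile.get("cli", "none")  # None is the default CLI option
    if cli not in CLI_BY_SCOPE[scope]:
        findings.append(f"CLI role {cli!r} is not valid for scope {scope!r}")
    elif read_only and cli not in READ_ONLY_CLI:
        findings.append(f"CLI role {cli!r} grants write access")
    tabs = (("webui", TRI_STATE), ("restapi", TRI_STATE), ("xmlapi", BI_STATE))
    for tab, allowed in tabs:
        for area, setting in sorted(profile.get(tab, {}).items()):
            if setting not in allowed:
                findings.append(f"{tab}/{area}: {setting!r} is not a valid setting")
            elif read_only and setting == "enable":
                # The XML API tab has no Read Only choice, so Enable needs review.
                note = ("has no Read Only setting, confirm the area is needed"
                        if tab == "xmlapi" else "grants write access")
                findings.append(f"{tab}/{area}: Enable {note}")
    return findings


# Constructed sample: a SOC manager role meant to be read-only that has drifted.
SOC_MANAGER = {
    "name": "soc-manager",
    "scope": "device",
    "cli": "deviceadmin",
    "webui": {"monitor": "read-only", "policies": "read-only", "device": "enable"},
    "restapi": {"objects": "read-only"},
    "xmlapi": {"configuration": "enable", "report": "disable"},
}

if __name__ == "__main__":
    for finding in lint_profile(SOC_MANAGER, read_only=True):
        print(f"{SOC_MANAGER['name']}: {finding}")
```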
