Create Administrator Role elements

Administrator Role elements specify a restricted set of permissions that include the right to create, edit, and delete elements.

Each administrator can have several different Administrator Roles applied to different sets of elements. There are some default Administrator Roles, but if you want to customize the permissions in any way, you must create custom Administrator Role elements. The Administrator Role contains a fixed list of permissions that you can activate.

Important: Select only the minimum necessary permissions for each role. Administrators who are allowed to edit administrator accounts can freely give themselves any permissions.
CAUTION:
Changes made to an Administrator Role are applied immediately to every administrator account that uses the role (possibly including the account you are currently logged on with). Make sure that the permissions are correct before you apply changes to existing Administrator Roles.

If you change the permissions for existing administrator accounts, the administrators are notified that their permissions have changed the next time that they log on to the Management Client.

For more details about the product and how to configure features, click Help or press F1.

Steps

  1. Select Configuration, then browse to Administration.
  2. Right-click Access Rights and select New > Administrator Role or right-click an existing Administrator Role to edit and select Properties.
  3. (New Administrator Role only) In the Name field, enter a unique.
  4. Select the permissions that are applied to the elements selected for the role.
  5. Click OK.

Administrator Role Properties dialog box

Use this dialog box to change the properties of an Administrator Role.

Option Definition
Name The name of the element.
Comment

(Optional)

A comment for your own reference.
Permissions Specifies the permissions that are applied to elements selected the role.
All When selected, selects all permissions.
Element Rights for Granted Elements When selected, selects all element permissions.
Edit Element Properties

Allows editing the properties of elements.

CAUTION:
Administrators who have permissions to edit the properties of NGFW Engines can configure the Management Client to run arbitrary commands in the NGFW Engine operating system.
Delete Elements Allows deleting elements.
Approve Changes Allows approving changes for granted NGFW Engines. This permission is only valid when the Require Approval for Changes in NGFW Engine Configuration option is selected in the Global System Properties.
View Element Contents Allows viewing the contents of the elements.
Action Rights When selected, selects all action rights.
Create Elements Allows creating elements.
Refresh Policies Allows refreshing policies on engines if both the engines and the policies are selected for the role and the policies are allowed policies for the engines. It also allows creating and running Policy Refresh Tasks.
Send Commands Allows sending basic commands to the selected engines. Basic commands allow an administrator to turn engines online and offline, restart engines, and create and run sgInfo tasks and remote upgrade tasks.

If the role includes this permission and the permission to Browse Logs and Alerts from Granted Elements, the administrator can also terminate connections from the selected elements. The administrator can also browse and create block list entries for them.

Send Advanced Commands Allows sending advanced commands to the selected engines. Advanced commands allow an administrator to enable and disable SSH access to the engine command line, change an engine password, and take Traffic Captures.
Upload Policies Allows uploading policies on engines if both the engines and the policies are selected for the role and the policies are allowed policies for the engines. It also allows creating and running Policy Upload Task.
Browse Audit Logs Allows browsing logs about administrator actions and events.
Browse Logs and Alerts from Granted Elements Allows browsing logs from the selected elements and acknowledging alerts about them. If the role includes this permission and the permission to Send Commands, the administrator can terminate connections from the selected elements and browse and create block list entries for them.
Administrative Rights When selected, selects all administrative rights.
Manage Administrators Allows viewing and managing Administrator, Web Portal User, Administrator Role, and Access Control List elements.
Manage Internal and Directory Server Users Allows adding, removing, and editing users in the internal user database and external directory servers.
Manage Alerts Allows viewing and managing Alert, Alert Chain, and Alert Policy elements, and installing Alert Policies.
Manage Backups Allows viewing and managing backups, and creating and running Backup Tasks.
Manage Licenses Allows viewing, installing, binding, unbinding, and removing licenses.
Manage Logs Allows creating and running log data tasks (Export Log Tasks, Archive Log Tasks, and Delete Log Tasks).
Manage Log Pruning Allows pruning logs with Immediate Discard and Discard Before Storing filters.
Manage Reports Allows viewing and managing reports.
Manage Updates and Upgrades Allows downloading, importing, activating, and removing dynamic update packages. It also allows downloading, importing, and removing engine upgrades.
Manage VPNs Allows viewing and managing elements related to VPNs.
View System Alerts Allows browsing and acknowledging System Alerts, which are alerts about the internal operation of the system.
Manage Bookmarks Allows viewing and managing bookmarks in the Management Client.
Manage Overviews Allows viewing and managing Overview elements.
Description of Selected Permission Shows a description for each selected permission.