Admins and Role-Based Access Control - PCNSA

Admins & RBAC

This is published as part of a series on obtaining the PCNSA certification.

Firewall administrators are defined either in Panorama (central management) or locally on the firewall. But not everyone should have carte blanche access.

Role-based access control can limit the type of changes a firewall administrator can perform.

Authentication Methods

The most common method is to define an administrator using local authentication.

To add a firewall administrative account, navigate to Device > Administrators and click on Add.

Firewall Administrators

Specify a name for the account and password.

There are a few optional items such as the Authentication Profile and the Administrator Type, either Dynamic or Role Based.

Defining an administrator

An Authentication Profile is used when the administrator authenticates against other authentication services rather than the local database.

The Administrator Type specifies a role. Dynamic uses the following built-in roles:

Dynamic Role                      | Privileges
----------------------------------|--------------------------------------------------------------------------------------
Superuser                         | Full access to the firewall
Superuser (read-only)             | Read-only access
Device Administrator              | Full access to the firewall except creating new accounts and virtual systems
Device Administrator (read-only)  | Read-only access to all firewall settings except password profiles and administrator accounts

Role Based uses custom roles that you configure, which gives you more granular control over specific settings. These are configured under Device > Admin Roles.

Admin Roles

For example, I can create an Admin Role called analyst which will have access to the Monitor Logs only.
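The GUI shows one account at a time, so a quick way to check that least privilege actually holds across all administrators is to read the exported configuration and list who holds a full-write dynamic role and who is tied to a custom Admin Role. The script below is an added example and not part of this post; the XML layout it parses (administrators under mgt-config/users, custom roles under shared/admin-role, and the superuser/superreader/deviceadmin/devicereader flags) is modelled on a PAN-OS running config but is an assumption here, and the sample config is constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample config. The element names follow the PAN-OS running-config
# layout as assumed for this example; adjust if your export differs.
SAMPLE_CONFIG = """<config>
  <shared>
    <admin-role>
      <entry name="analyst">
        <role><device><webui><monitor><logs>enable</logs></monitor></webui></device></role>
      </entry>
    </admin-role>
  </shared>
  <mgt-config>
    <users>
      <entry name="admin">
        <permissions><role-based><superuser>yes</superuser></role-based></permissions>
      </entry>
      <entry name="auditor">
        <permissions><role-based><superreader>yes</superreader></role-based></permissions>
      </entry>
      <entry name="soc1">
        <permissions><role-based><custom><profile>analyst</profile></custom></role-based></permissions>
        <authentication-profile>corp-ldap</authentication-profile>
      </entry>
      <entry name="contractor">
        <permissions><role-based><custom><profile>netops</profile></custom></role-based></permissions>
      </entry>
    </users>
  </mgt-config>
</config>"""

# Assumed config flag names for the built-in dynamic roles, mapped to the
# role names used in the table above.
DYNAMIC_ROLES = {
    "superuser": "Superuser",
    "superreader": "Superuser (read-only)",
    "deviceadmin": "Device Administrator",
    "devicereader": "Device Administrator (read-only)",
}

# Dynamic roles that can change configuration; these deserve a second look.
FULL_WRITE_ROLES = {"Superuser", "Device Administrator"}


def parse_admins(config_xml):
    """Return {username: {type, role, auth_profile, role_defined}}."""
    root = ET.fromstring(config_xml)
    defined_roles = {e.get("name") for e in root.findall("./shared/admin-role/entry")}
    admins = {}
    for entry in root.findall("./mgt-config/users/entry"):
        info = {"type": "unknown", "role": None, "auth_profile": None, "role_defined": True}
        ap = entry.find("./authentication-profile")
        if ap is not None:
            info["auth_profile"] = ap.text
        rb = entry.find("./permissions/role-based")
        if rb is not None:
            custom = rb.find("./custom/profile")
            if custom is not None:
                # Role Based administrator: points at a custom Admin Role
                info["type"] = "Role Based"
                info["role"] = custom.text
                info["role_defined"] = custom.text in defined_roles
            else:
                # Dynamic administrator: one of the built-in roles is set to "yes"
                for tag, label in DYNAMIC_ROLES.items():
                    node = rb.find(tag)
                    if node is not None and (node.text or "").strip() == "yes":
                        info["type"] = "Dynamic"
                        info["role"] = label
                        break
        admins[entry.get("name")] = info
    return admins


def audit(admins):
    """List accounts that are over-privileged or misconfigured."""
    findings = []
    for name, info in sorted(admins.items()):
        if info["type"] == "Dynamic" and info["role"] in FULL_WRITE_ROLES:
            findings.append(f"{name}: full-write dynamic role '{info['role']}'")
        elif info["type"] == "Role Based" and not info["role_defined"]:
            findings.append(f"{name}: references undefined admin role '{info['role']}'")
        elif info["type"] == "unknown":
            findings.append(f"{name}: no recognisable permissions block")
    return findings


if __name__ == "__main__":
    accounts = parse_admins(SAMPLE_CONFIG)
    for user, info in sorted(accounts.items()):
        print(f"{user:12} {info['type']:11} {info['role']!s:34} auth={info['auth_profile']}")
    for line in audit(accounts):
        print("FINDING:", line)
```

Run against a real export by replacing SAMPLE_CONFIG with the file contents; the two findings on the sample are the built-in superuser account and a Role Based account whose Admin Role was never created under Device > Admin Roles.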