Review the Before you start section for links to system security best practices. When you're ready, use +Add to set up a new Admin Role. You can use a template for the preset roles or create your own role by selecting Generic.
NOTE
An admin user cannot create a role that has more privileges than they currently have. The roles they can create can have only a subset of their current privileges.

Preset templates provide an easy way to configure access to pages such as the Dashboard, which differ from single-function pages in that they draw on several Target Items. Unless every required privilege is configured, the admin will see only part of the information. For the Dashboard, the preset template grants the following privileges:
<View> privileges on <AdminMessage>
<CheckStatus> privileges on <Appliance>
<View> privileges on <SessionInfo>
<View> privileges on <TokenRecord> (for user-sign-ins)
<View> privileges on <RegisteredDevice>
<View> privileges on <User License>
Add Admin Role
To add an admin role, select +Add and complete the following fields:
Name. May only be alphanumeric with space, underscore, and dash.
Privileges. Privileges allow specific rights to be assigned to an Admin Role. Multiple Privileges may be added to one Role, for example view/edit/delete Policies tagged with CustomerA.
Note that Admin Roles default to <All> Privilege Types on <All> Target Items, so a role left at its defaults grants full system admin privileges on every entity in the system. Change these settings when delegating administration, so that permitted access and actions are controlled with the same granularity that is applied to user access to network resources.
Privileges can be configured to enable <All> or a particular Privilege Type to be applied to a type of Target (such as Appliances or Entitlements) or to a specific Target (such as a named Appliance or Entitlements tagged with <admin1-tag>).
To add a new Privilege to an Admin Role, select +Add to open the Privileges settings:

Privilege Type. Select the Type of action the administrator can perform, such as Delete or Export. The default Privilege is <All> for all possible actions, which can be applied to all Target Items.
Target Item. Select the feature on which the action can be applied, such as Condition or License. The list of Target Items in the drop-down list depends on which Privilege Type has been selected. See the Privilege-Target Combinations table below. Target Items can be further restricted by adding optional Limit Scope of Privilege settings to the role.
Limit Scope of Privilege by Name. Restrict the Target further to features with the specified names.
Limit Scope of Privilege by Tag. Restrict the Target further to features with the specified tags. In the example above, an Admin Role is being created to allow an Administrator to Edit the Local database. In the example below, the Privilege will be restricted to Policies tagged “mobile”.

Default tags. These tags will be added by default when creating a new instance of the specified target. To change these requires Edit rights on the Target.
Privilege-Target Combinations
| Target Item (rows) / Privilege Type (columns) | All | Assign Function | Backup | Check Status | Create | Delete | Download Logs | Edit | Export | Get User Attributes | Reboot | Renew Certificate | Reevaluate | Revoke | Tag | Test | Upgrade | View |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Admin Role | yes | | | | yes | yes | | yes | | | | | | | yes | | | yes |
| Admin Message | yes | | | | | yes | | yes | | | | | | | | | | yes |
| Allocated IP | yes | | | | | | | | | | | | | | | | | yes |
| Appliance | yes | yes | yes | yes | yes | yes | yes | yes (excludes assign function) | yes | | yes | yes | | | yes | yes (for appliance commands) | yes | yes |
| Appliance Customization | yes | | | | yes | yes | | yes | | | | | | | yes | | | yes |
| Audit Log | yes | | | | | | | | | | | | | | | | | yes |
| Auto Update | yes | | | | | | | yes | | | | | | | | | | yes |
| Denylist | yes | | | | yes | yes | | | | | | | | | | | | yes |
| CA Certificate | yes | | | | yes | yes | | yes | | | | | | | | | | yes |
| Client Profile | yes | | | | yes | yes | | yes | yes | | | | | | yes | | | yes |
| Condition | yes | | | | yes | yes | | yes | | | | | | | yes | yes | | yes |
| Criteria Script | yes | | | | yes | yes | | yes | | | | | | | yes | yes | | yes |
| Device Claims Script | yes | | | | yes | yes | | yes | | | | | | | yes | | | yes |
| Discovered App | yes | yes | yes | | | | | | | | | | | | | | | |
| Entitlement | yes | | | | yes | yes | | yes | | | | | | | yes | | | yes |
| Entitlement Script | yes | | | | yes | yes | | yes | | | | | | | yes | | | yes |
| FIDO2 Device | yes | | | | | yes | | | | | | | | | | | | yes |
| File | yes | | | | yes | yes | | | | | | | | | | | yes | |
| Global Setting | yes | | | | | yes | | yes | | | | | | | | | | yes |
| Identity Provider | yes | | | | yes | yes | | yes | | yes | | | | | yes | yes | | yes |
| IP Pool | yes | | | | yes | yes | | yes | | | | | | | yes | | | yes |
| License | yes | | | | | yes | | yes | | | | | | | | | | yes |
| Local User | yes | | | | yes | yes | | yes | | | | | | | yes | | | yes |
| MFA Provider | yes | | | | yes | yes | | yes | | | | | | | yes | yes | | yes |
| OTP Seed | yes | | | | | yes | | | | | | | | | | | | yes |
| Policy | yes | | | | yes | yes | | yes | | | | | | | yes | | | yes |
| Registered Device | yes | | | | | yes | | | | | | | yes | yes | | | | yes |
| Ringfence Rule | yes | | | | yes | yes | | yes | | | | | | | yes | | | yes |
| Secret | yes | | | | yes | yes | | yes | | | | | | | yes | | | yes |
| Service User | yes | | | | yes | yes | | yes | | | | | | | yes | | | yes |
| Session Info | yes | | | | | | | | | | | | | | | | | yes |
| Site | yes | | | | yes | yes | | yes | | | | | | | yes | | | yes |
| Token Record (Deprecated) | yes | | | | | | | | | | | | yes | yes | | | | yes |
| Trusted Certificate | yes | | | | yes | yes | | yes | | | | | | | | | | yes |
| User Claim Script | yes | | | | yes | yes | | yes | | | | | | | yes | | | yes |
| User License | yes | | | | | yes | | | | | | | | | | | | yes |
| ZTP | yes | | | | yes | yes | | yes | | | | | | | | | | yes |
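As an added example that is not part of this page or the product's own code, the following Python models the two rules described above: a Privilege Type must be valid for its Target Item (checked here against a hand-typed excerpt of the table), and an admin can only create a role whose privileges, including any Limit Scope of Privilege by Name or Tag, are a subset of their own. The TABLE excerpt and the HELD privileges are constructed for illustration.

```python
from dataclasses import dataclass

ALL = "All"

# Excerpt of the Privilege-Target Combinations table on this page, typed in as
# constructed test data; Target Items not listed here are reported as invalid.
TABLE = {
    "Policy": {"Create", "Delete", "Edit", "Tag", "View"},
    "Audit Log": {"View"},
    "Registered Device": {"Delete", "Reevaluate", "Revoke", "View"},
    "Appliance": {"Assign Function", "Backup", "Check Status", "Create", "Delete",
                  "Download Logs", "Edit", "Export", "Reboot", "Renew Certificate",
                  "Tag", "Test", "Upgrade", "View"},
}

@dataclass(frozen=True)
class Privilege:
    ptype: str                      # Privilege Type, or ALL
    target: str                     # Target Item, or ALL
    names: frozenset = frozenset()  # Limit Scope of Privilege by Name (empty = no limit)
    tags: frozenset = frozenset()   # Limit Scope of Privilege by Tag (empty = no limit)

def valid_combination(p):
    """A Privilege Type can only be chosen for Target Items that support it."""
    if p.ptype == ALL or p.target == ALL:
        return True
    return p.ptype in TABLE.get(p.target, set())

def covers(held, wanted):
    """True if the held privilege grants everything the wanted one grants. A name
    or tag limit on the held privilege must be kept or narrowed by the wanted one."""
    return (held.ptype in (ALL, wanted.ptype)
            and held.target in (ALL, wanted.target)
            and (not held.names or (wanted.names and wanted.names <= held.names))
            and (not held.tags or (wanted.tags and wanted.tags <= held.tags)))

def check_role(held, requested):
    """Problems that stop an admin holding `held` from creating a role made of
    `requested`; an empty list means the role can be created."""
    problems = []
    for r in requested:
        if not valid_combination(r):
            problems.append(f"{r.ptype} is not a valid privilege on {r.target}")
        elif not any(covers(h, r) for h in held):
            problems.append(f"{r.ptype} on {r.target} exceeds the creating admin's privileges")
    return problems

# Constructed example: an admin with <All> on Policies tagged CustomerA and <View> on everything.
HELD = (Privilege(ALL, "Policy", tags=frozenset({"CustomerA"})), Privilege("View", ALL))
```

`check_role(HELD, [Privilege(ALL, ALL)])` reports that the role's <All> on <All> default exceeds this admin's privileges, while `Privilege("Edit", "Policy", tags=frozenset({"CustomerA"}))` is accepted.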