Check Before you start, which includes links to system security best practices. When you're ready, use <+Add> to set up a new Admin Role. You can use one of the presets or create your own role by choosing Empty.

Presets provide an easy way to grant access to pages such as the Dashboard, which works slightly differently from other single-function pages because it can draw on a number of Target Items. Unless the right privileges are configured, the admin will have only partial access to the information. In the case of the Dashboard, the preset provides the following privileges:
<View> privileges on <AdminMessage>
<CheckStatus> privileges on <Appliance>
<View> privileges on <SessionInfo>
<View> privileges on <TokenRecord> (for user-sign-ins)
<View> privileges on <RegisteredDevice>
<View> privileges on <User License>
Add Admin Role
Name
May contain only alphanumeric characters, spaces, underscores and dashes.
Settings
Privileges
Privileges allow specific rights to be assigned to an Admin Role. Multiple Privileges may be added to one Role, e.g. view/edit/delete Policies tagged with CustomerA.
Note that Admin Roles default to <All> Privilege Types on <All> Target Items, i.e. the role permits full system admin privileges on every entity in the system. Change these settings when delegating administration, so that permitted access and actions are controlled with the same granularity that is applied to user access to network resources.
Privileges can be configured to enable <All> or a particular Privilege Type to be applied to a type of Target (such as Appliances or ) or to a specific Target (such as a named Appliance, or Entitlements tagged with <admin1-tag>).
To add a new Privilege to an Admin Role, select <+Add> to open the Privileges form:

Privilege Type
Select the type of action the administrator can perform, e.g. Delete or Export. The default Privilege Type is <All>, i.e. all possible actions, which can be applied to (all) Target Items.
Target Item
Select the feature on which the action can be applied, e.g. Condition or License. Not all Privilege Types are relevant to all Target Items: the Target Items offered in the drop-down list depend on which Privilege Type has been selected. See the Privilege-Target Combination section below. Target Items can be further restricted by adding an optional Scope of Privilege to the Role.
Limit Scope of Privilege by Name
Restrict the Target further to features with these specific name(s).
Limit Scope of Privilege by Tag
Restrict the Target further to features with these specific tag(s). In the example above, an Admin Role is being created to allow an Administrator to Edit the Local database. In the example below, the Privilege will be restricted to Policies tagged 'Administrators'.

Default Tags
These tags will be added by default when creating a new instance of the specified Target. Changing them requires Edit rights on the Target.
Privilege-Target Combination
Privilege Types run across the columns and Target Items down the rows; "yes" marks a combination that can be selected.

| Target Item | All | Assign Function | Backup | Check Status | Create | Delete | Download Logs | Edit | Export | Get User Attributes | Reboot | Renew Certificate | Reevaluate | Revoke | Tag | Test | Upgrade | View |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Admin Role | yes |  |  |  | yes | yes |  | yes |  |  |  |  |  |  | yes |  |  | yes |
| Admin Message | yes |  |  |  |  | yes |  |  |  |  |  |  |  |  |  |  |  | yes |
| Allocated IP | yes |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  | yes |
| Appliance | yes | yes | yes | yes | yes | yes | yes | yes (excludes assign function) | yes |  | yes | yes |  |  | yes | yes (for appliance commands) | yes | yes |
| Appliance Customization | yes |  |  |  | yes | yes |  | yes |  |  |  |  |  |  | yes |  |  | yes |
| Audit Log | yes |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  | yes |
| Auto Update | yes |  |  |  |  |  |  | yes |  |  |  |  |  |  |  |  |  | yes |
| Blacklist | yes |  |  |  | yes | yes |  |  |  |  |  |  |  |  |  |  |  | yes |
| CA Certificate | yes |  |  |  | yes | yes |  | yes |  |  |  |  |  |  |  |  |  | yes |
| Client Profile | yes |  |  |  | yes | yes |  | yes | yes |  |  |  |  |  | yes |  |  | yes |
| Condition | yes |  |  |  | yes | yes |  | yes |  |  |  |  |  |  | yes | yes |  | yes |
| Criteria Script | yes |  |  |  | yes | yes |  | yes |  |  |  |  |  |  | yes | yes |  | yes |
| Device Claims Script | yes |  |  |  | yes | yes |  | yes |  |  |  |  |  |  | yes |  |  | yes |
| Entitlement | yes |  |  |  | yes | yes |  | yes |  |  |  |  |  |  | yes |  |  | yes |
| Entitlement Script | yes |  |  |  | yes | yes |  | yes |  |  |  |  |  |  | yes |  |  | yes |
| FIDO2 Device | yes |  |  |  |  | yes |  |  |  |  |  |  |  |  |  |  |  | yes |
| File | yes |  |  |  | yes | yes |  | yes |  |  |  |  |  |  |  |  |  | yes |
| Global Setting | yes |  |  |  |  | yes |  | yes |  |  |  |  |  |  |  |  |  | yes |
| Identity Provider | yes |  |  |  | yes | yes |  | yes |  | yes |  |  |  |  | yes | yes |  | yes |
| IP Pool | yes |  |  |  | yes | yes |  | yes |  |  |  |  |  |  | yes |  |  | yes |
| License | yes |  |  |  |  | yes |  | yes |  |  |  |  |  |  |  |  |  | yes |
| Local User | yes |  |  |  | yes | yes |  | yes |  |  |  |  |  |  | yes |  |  | yes |
| MFA Provider | yes |  |  |  | yes | yes |  | yes |  |  |  |  |  |  | yes | yes |  | yes |
| OTP Seed | yes |  |  |  |  | yes |  |  |  |  |  |  |  |  |  |  |  | yes |
| Policy | yes |  |  |  | yes | yes |  | yes |  |  |  |  |  |  | yes |  |  | yes |
| Registered Device | yes |  |  |  |  | yes |  |  |  |  |  |  | yes | yes |  |  |  | yes |
| Ringfence Rule | yes |  |  |  | yes | yes |  | yes |  |  |  |  |  |  | yes |  |  | yes |
| Secret | yes |  |  |  | yes | yes |  | yes |  |  |  |  |  |  | yes |  |  | yes |
| Service User | yes |  |  |  | yes | yes |  | yes |  |  |  |  |  |  | yes |  |  | yes |
| Session Info | yes |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  | yes |
| Site | yes |  |  |  | yes | yes |  | yes |  |  |  |  |  |  | yes |  |  | yes |
| Token Record (Deprecated) | yes |  |  |  |  |  |  |  |  |  |  |  | yes | yes |  |  |  | yes |
| Trusted Certificate | yes |  |  |  | yes | yes |  | yes |  |  |  |  |  |  |  |  |  | yes |
| User Claim Script | yes |  |  |  | yes | yes |  | yes |  |  |  |  |  |  | yes |  |  | yes |
| User License | yes |  |  |  |  | yes |  |  |  |  |  |  |  |  |  |  |  | yes |
| ZTP | yes |  |  |  | yes | yes |  | yes |  |  |  |  |  |  |  |  |  | yes |
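The Privileges form (Privilege Type, Target Item, scope by name or tag, Default Tags) and the Privilege-Target Combination table above, encoded as a small role linter. This is an added example, not Appgate's own code or API: it uses the Target Item and Privilege Type names exactly as they appear in the table, checks each privilege of a role against that table, flags the over-broad <All>-on-<All> default described under Privileges, and uses the Dashboard preset listed at the top of the page as its sample input. Treating a specific Privilege Type on the <All> Target Item as always selectable is an assumption, since the page does not list which Target Items <All> covers for each type; the Default Tags check (they only matter when the role can create instances) is likewise this example's own reading of the Default Tags note.

```python
from dataclasses import dataclass

# Added example, not Appgate's code: the Privilege-Target Combination table
# as data, plus a linter for an Admin Role built from the Privileges form.

# Privilege Types (table columns).
PRIVILEGE_TYPES = {
    "All", "Assign Function", "Backup", "Check Status", "Create", "Delete",
    "Download Logs", "Edit", "Export", "Get User Attributes", "Reboot",
    "Renew Certificate", "Reevaluate", "Revoke", "Tag", "Test", "Upgrade", "View",
}

# Row patterns that recur in the table.
VIEW_ONLY = frozenset({"View"})
DELETE_VIEW = frozenset({"Delete", "View"})
CRUD = frozenset({"Create", "Delete", "Edit", "View"})
CRUD_TAG = CRUD | {"Tag"}
CRUD_TAG_TEST = CRUD_TAG | {"Test"}

# Target Item -> Privilege Types permitted on it (every Target Item also accepts "All").
ALLOWED = {
    "Admin Role": CRUD_TAG, "Admin Message": DELETE_VIEW, "Allocated IP": VIEW_ONLY,
    "Appliance": {"Assign Function", "Backup", "Check Status", "Create", "Delete",
                  "Download Logs", "Edit", "Export", "Reboot", "Renew Certificate",
                  "Tag", "Test", "Upgrade", "View"},
    "Appliance Customization": CRUD_TAG, "Audit Log": VIEW_ONLY, "Auto Update": {"Edit", "View"},
    "Blacklist": {"Create", "Delete", "View"}, "CA Certificate": CRUD,
    "Client Profile": CRUD_TAG | {"Export"}, "Condition": CRUD_TAG_TEST,
    "Criteria Script": CRUD_TAG_TEST, "Device Claims Script": CRUD_TAG,
    "Entitlement": CRUD_TAG, "Entitlement Script": CRUD_TAG, "FIDO2 Device": DELETE_VIEW,
    "File": CRUD, "Global Setting": {"Delete", "Edit", "View"},
    "Identity Provider": CRUD_TAG_TEST | {"Get User Attributes"}, "IP Pool": CRUD_TAG,
    "License": {"Delete", "Edit", "View"}, "Local User": CRUD_TAG, "MFA Provider": CRUD_TAG_TEST,
    "OTP Seed": DELETE_VIEW, "Policy": CRUD_TAG,
    "Registered Device": {"Delete", "Reevaluate", "Revoke", "View"},
    "Ringfence Rule": CRUD_TAG, "Secret": CRUD_TAG, "Service User": CRUD_TAG,
    "Session Info": VIEW_ONLY, "Site": CRUD_TAG,
    "Token Record (Deprecated)": {"Reevaluate", "Revoke", "View"}, "Trusted Certificate": CRUD,
    "User Claim Script": CRUD_TAG, "User License": DELETE_VIEW, "ZTP": CRUD,
}


@dataclass(frozen=True)
class Privilege:
    """One entry of the Privileges form on the Admin Role page."""
    privilege_type: str                    # Privilege Type, e.g. "Edit" ("All" = every action)
    target: str                            # Target Item, e.g. "Policy" ("All" = every Target Item)
    scope_names: frozenset = frozenset()   # Limit Scope of Privilege by Name
    scope_tags: frozenset = frozenset()    # Limit Scope of Privilege by Tag
    default_tags: frozenset = frozenset()  # Default Tags for newly created instances


def is_valid_combination(privilege_type: str, target: str) -> bool:
    """True when the pair appears in the Privilege-Target Combination table."""
    if privilege_type not in PRIVILEGE_TYPES:
        return False
    if target == "All":
        return True  # assumption: the <All> Target Item accepts any Privilege Type
    return target in ALLOWED and (privilege_type == "All" or privilege_type in ALLOWED[target])


def check_role(name: str, privileges: list) -> list:
    """Lint an Admin Role; returns a list of findings (empty = nothing to report)."""
    findings = []
    if not name or not all(c.isalnum() or c in " _-" for c in name):
        findings.append(f"name {name!r}: may only be alphanumeric with space, underscore and dash")
    for p in privileges:
        label = f"{p.privilege_type} on {p.target}"
        if not is_valid_combination(p.privilege_type, p.target):
            findings.append(f"{label}: not a valid Privilege-Target combination")
        elif p.privilege_type == "All" and p.target == "All":
            findings.append(f"{label}: full system admin (the default); narrow it when delegating")
        if p.default_tags and p.privilege_type not in ("All", "Create"):
            findings.append(f"{label}: Default Tags only apply when the role can create instances")
    return findings


def dashboard_preset() -> list:
    """The Dashboard preset's privileges, as listed at the top of the page."""
    return [
        Privilege("View", "Admin Message"),
        Privilege("Check Status", "Appliance"),
        Privilege("View", "Session Info"),
        Privilege("View", "Token Record (Deprecated)"),
        Privilege("View", "Registered Device"),
        Privilege("View", "User License"),
    ]


if __name__ == "__main__":
    print(check_role("Dashboard", dashboard_preset()))
    print(check_role("Default", [Privilege("All", "All")]))
    print(check_role("Customer A", [Privilege("Backup", "Policy", scope_tags=frozenset({"CustomerA"}))]))
```

Run as a script it prints an empty list for the Dashboard preset (every pair is in the table), one finding for the untouched <All>-on-<All> default, and one for Backup on Policy, which the table does not offer. Keeping the matrix as data makes it easy to diff delegated roles against the least-privilege intent described under Privileges before they are created in the UI.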