As part of an administrative profile, administrative roles define the operative permissions and restrictions of an administrative user to the different services of the Barracuda Firewall Control Center and the managed Barracuda CloudGen Firewalls. When configuring administrative roles, you can define which services the administrative user is allowed to access and which operations they are allowed or denied to perform on the services. You can then assign the role to an administrative profile (see How to Configure Administrative Profiles).
Roles Permissions and Restrictions
Administrative roles permissions and restrictions are defined as follows:
| Box Menu | Software Item | Manager | Operator | Observer | Editor | Administrators |
|---|
| CC Configuration | Access to CC Config | Yes | Yes | Yes | Yes | Yes |
Kill Sessions | Yes | Yes | No | Yes | No |
| Change Permissions | Yes | No | No | Yes | No |
| Change Events | Yes | No | No | Yes | No |
| Show Admins | Yes | No | Yes | Yes | No |
| Manage Admins | No | No | No | No | Yes |
| Create/Remove Range | Yes | No | No | Yes | No |
| Create/Remove Cluster | Yes | No | No | Yes | No |
| Use RCS | Yes | No | Yes | Yes | No |
| Create/Remove Boxes | Yes | No | No | Yes | No |
| Create/Remove Servers | Yes | No | No | Yes | No |
| Create/Remove Service | Yes | No | No | Yes | No |
| Create/Remove Repository | Yes | No | No | Yes | No |
| Manage HA Sync | Yes | Yes | No | Yes | No |
| Create PAR File | Yes | No | No | Yes | No |
| Allow Config View on Box | Yes | Yes | Yes | Yes | No |
| Allow Emergency Override | Yes | No | No | Yes | No |
| Create/Remove Workspace | Yes | No | No | Yes | No |
| Change Workspaces | Yes | No | No | Yes | No |
| Box Menu | Software Item | Manager | Operator | Observer | Editor | Administrators |
|---|
| CC Control | Access to CC Control | Yes | Yes | Yes | Yes | Yes |
| Show Map | Yes | Yes | Yes | Yes | Yes |
| Show Config Updates | Yes | Yes | Yes | Yes | Yes |
| Manage Config Updates | Yes | Yes | No | Yes | Yes |
| Show Box REXEC | Yes | Yes | Yes | No | No |
| Manage Box REXEC | Yes | No | No | No | No |
| Show Box Firmware Updates | Yes | Yes | Yes | No | No |
| Manage Box Firmware Updates | Yes | Yes | No | No | No |
| Install uploaded Box Firmware Updates | Yes | Yes | No | No | No |
| Manage Box File Update | Yes | Yes | No | No | No |
| Show Box File Update | No | No | Yes | No | No |
| Manage Box Geo Position | Yes | Yes | No | Yes | No |
Manage Box Activation | Yes | No | No | Yes | No |
| Box Menu | Software Item | Manager | Operator | Observer | Editor | Administrators |
|---|
| CC Firewall Audit Info Viewer | Access to Firewall Audit Info Viewer | Yes | Yes | Yes | Yes | No |
| Box Menu | Software Item | Manager | Operator | Observer | Editor | Administrators |
|---|
| Control | Access to Control | Yes | Yes | Yes | Yes | No |
| Start/Stop Server | Yes | Yes | No | No | No |
| Block Server | Yes | Yes | No | No | No |
| Start/Stop Service | Yes | Yes | No | No | No |
| Block Service | Yes | Yes | No | No | No |
| Delete Wild Route | Yes | Yes | No | No | No |
| Activate New Configuration | Yes | Yes | No | Yes | No |
| Restart Network Subsystem | Yes | Yes | No | No | No |
| Set or Sync Box Time | Yes | Yes | No | Yes | No |
| Firmware Restart | Yes | Yes | No | No | No |
| Reboot/Shutdown System | Yes | Yes | No | No | No |
| Activate Kernel Update | Yes | No | No | No | No |
| Kill Sessions | Yes | Yes | No | No | No |
| Import License | Yes | Yes | No | Yes | No |
| Remove License | Yes | Yes | No | Yes | No |
| View License Data | Yes | Yes | No | Yes | No |
| SCEP Operations | Yes | Yes | No | Yes | No |
| Box Menu | Software Item | Manager | Operator | Observer | Editor | Administrators |
|---|
| Event | Access to Event | Yes | Yes | Yes | Yes | No |
| Silence Events | Yes | Yes | No | Yes | No |
| Stop Alarm | Yes | Yes | No | Yes | No |
| Mark as Read | Yes | Yes | No | Yes | No |
Confirm Events | Yes | Yes | No | Yes | No |
| Delete Events | Yes | No | No | Yes | No |
| Box Menu | Software Item | Manager | Operator | Observer | Editor | Administrators |
|---|
| Log | Access to Log | Yes | Yes | Yes | Yes | No |
| Read Box Logfiles | Yes | Yes | Yes | Yes | No |
| Delete Box Logfiles | Yes | No | No | Yes | No |
| Read Service Logfiles | Yes | Yes | Yes | Yes | No |
Delete Service Logfiles | Yes | No | No | Yes | No |
| Box Menu | Software Item | Manager | Operator | Observer | Editor | Administrators |
|---|
| Statistics | Access to Statistics | Yes | Yes | Yes | Yes | No |
| Read Box Statistics | Yes | Yes | Yes | Yes | No |
| Delete Box Statistics | Yes | No | No | Yes | No |
| Read Service Statistics | Yes | Yes | Yes | Yes | No |
Delete Service Statistics | Yes | No | No | Yes | No |
| Box Menu | Software Item | Manager | Operator | Observer | Editor | Administrators |
|---|
| DHCP | Access to DHCP | Yes | Yes | Yes | No | No |
Allow deletion of leases | Yes | Yes | No | No | No |
| Box Menu | Software Item | Manager | Operator | Observer | Editor | Administrators |
|---|
| Access Control Service | Access to Access Control Service | Yes | Yes | Yes | No | No |
Allow deletion of access cache entries | Yes | No | No | No | No |
| Box Menu | Software Item | Manager | Operator | Observer | Editor | Administrators |
|---|
| CC Access Control Service | Access to CC Access Control Service | Yes | Yes | Yes | No | No |
Enable Commands | Yes | No | No | No | No |
Block Box Svnc | Yes | No | No | No | No |
| Box Menu | Software Item | Manager | Operator | Observer | Editor | Administrators |
|---|
| Firewall | Access to Firewall | Yes | Yes | Yes | Yes | No |
| Terminate Connections | Yes | Yes | No | No | No |
| Modify Connections | Yes | Yes | No | No | No |
| Kill Handler Processes | Yes | Yes | No | No | No |
| Dynamic Rule Control | Yes | Yes | No | No | No |
| Toggle Trace | Yes | Yes | No | No | No |
| View Trace Output | Yes | Yes | No | No | No |
| Change Settings | Yes | Yes | No | No | No |
| View Ruleset | Yes | Yes | Yes | Yes | No |
| Manipulate Access Cache Entries | Yes | No | No | No | No |
| Access ATP and Quarantine Management | Yes | Yes | No | No | No |
| Box Menu | Software Item | Manager | Operator | Observer | Editor | Administrators |
|---|
| VPN | Access to VPN | Yes | Yes | Yes | Yes | No |
| Terminate VPN Tunnels | Yes | Yes | No | No | No |
| Disable/Enable VPN Tunnels | Yes | Yes | No | No | No |
View Configuration | Yes | Yes | Yes | Yes | No |
| Box Menu | Software Item | Manager | Operator | Observer | Editor | Administrators |
|---|
| Mail Gateway service | Access to Mail Gateway service | Yes | Yes | Yes | No | No |
| Enable Commands | Yes | No | No | No | No |
| View Stripped Attachments | Yes | No | No | No | No |
| Retrieve Stripped Attachments | Yes | No | No | No | No |
| Delete Stripped Attachments | Yes | No | No | No | No |
| Box Menu | Software Item | Manager | Operator | Observer | Editor | Administrators |
|---|
| Virus Scanner service | Access to Virus Scanner service | Yes | Yes | Yes | No | No |
| Allow Block Virus Pattern Update | Yes | Yes | No | No | No |
Allow Manual Virus Pattern Update | Yes | Yes | No | No | No |
| Box Menu | Software Item | Manager | Operator | Observer | Editor | Administrators |
|---|
| HTTP Proxy service | Access to HTTP Proxy service | Yes | Yes | Yes | No | No |
| Box Menu | Software Item | Manager | Operator | Observer | Editor | Administrators |
|---|
| Wi-Fi Access Point service | Access to Wi-Fi | Yes | Yes | Yes | No | No |
| Box Menu | Software Item | Manager | Operator | Observer | Editor | Administrators |
|---|
| REST API | Access to REST API | Yes | No | No | No | No |
| Internal API Access | Access to internal REST Api interface | Yes | No | No | No | No |
| External API Access | Access to external REST Api interface | Yes | No | No | No | No |
| Write Access | Access to REST Api interface | Yes | No | No | No | No |
Configure Administrative Roles
- Go to CONFIGURATION > Configuration Tree > Multi-Range > Global Settings > Administrative Roles.
- Click Lock.
- In the Roles section, click + to create a new role. You can also edit and modify an existing entry.
- Enter a Name for the role (only numbers are allowed) and click OK. The Roles configuration window opens.
To provide the administrative role with access to a service:
Select the Access to <service name> check box.
Click Set/ Edit to configure detailed permissions for the service and click OK.
It is recommended that you grant the Show Map permission in the CC Control Module section to every admin role. Admins that do not have this permission will get an error message immediately after they log into the Control Center.
- Click OK.
- Click Send Changes and Activate.
You can now assign the administrative role to an administrative user profile (see How to Configure Administrative Profiles).
Apply the Administrative Role to a Profile
- Click the ADMINS tab.
- Right-click the admin profile in the list and select Lock.
- Edit the profile.
- Select the administrative role from the Roles list. (If you just want to assign specific roles, clear the Allow All Operations check box.)
- Click OK.
- Click Activate.
The administrative user can now view and edit settings and services on the Barracuda Firewall Control Center according to their assigned roles.
