About Role-Based Administration
Role-based administration enables you to share the configuration and monitoring responsibilities for your organization among several individuals. One or more senior administrators might have full configuration privileges for all devices, while one or more junior administrators have less configuration and monitoring authority or different areas of jurisdiction.
For example, one administrator might have complete configuration and monitoring authority over all of the Fireboxes in an organization's Eastern region, but could only monitor the devices deployed in the company’s Central and Western regions. Another administrator could have full authority over the Central region, but could only monitor Western and Eastern region devices.
For your centrally managed devices, you can use WatchGuard System Manager (WSM) and WatchGuard Server Center to create and implement the different administrator roles for your organization. All the role-based administration settings you create are stored and managed on your Management Server, so they are accessible with WSM or WatchGuard Server Center. When you make a change to role-based administration with WSM, the change automatically appears in WatchGuard Server Center.
You can also use role-based administration for your individual Fireboxes. For a single device, the device management users you create are stored and managed on the Firebox. When you add device management user accounts to a device, those user accounts are only available on that device, and you must connect to that device to use or manage the user accounts.
Role-based administration is only available for managed Firebox or XTM devices with Fireware v11.0 or higher, and single Firebox or XTM devices with Fireware v11.9 or higher.
Roles and Role Policies
A role has two parts: a set of tasks and a set of devices on which these tasks can be performed. When you configure user accounts on your Management Server for your centrally managed devices, every administrator is assigned one or more roles, such as Super Administrator, Mobile User VPN Administrator, or User Authentication Administrator. For role-based administration on an individual Firebox, only two roles are available: Device Administrator and Device Monitor.
For centrally managed devices, you can use the predefined roles on your WatchGuard System Manager (WSM) Management Server for your own organization, or you can define custom roles. These roles are recognized by all the WSM tools and WatchGuard servers. For example, if you log in to WSM with read/write permissions, and open Firebox System Manager (FSM), you are not prompted for the configuration passphrase because FSM recognizes that you are logged in with sufficient permissions.
Role policies combine the sets of tasks and devices with the users who have the privileges to perform those roles.
To keep track of the actions performed by each administrator, WSM stores an audit trail of changes made to a device. These changes are recorded in the Management Server log messages. WSM also has an audit trail that shows all changes made to the entire system, the administrator who made each change, and when each change was made.
When you use role-based administration on your individual Firebox, you can also see which administrators made which changes to the device configuration. This information is available in the log messages from your Fireboxes and in the Firebox Audit Trail reports for your Fireboxes, which you can view in WatchGuard WebCenter or WatchGuard Dimension.