04-03-2018 11:09 PM
Dear All,
We created a seprate vsys and assigned l3 interfaces and virtual router for a vsys. But vsys admin which is assigned for it is unable to view virutal router tabs and ipsec configuration tabs.
We want this vsys should be handled completely seprate, this vsys need not to share or depend on interface, shared gateway or other vsys object.
Only device admin has the access to virutal router and ipsec config not vsys admin.
Am i missing any configuration or this is how its configured.
with regards,
Ram
04-04-2018 12:48 AM
A vsys admin is considered a sub-admin so does not get access to system-level configuration which could impact the system
Device admins or superusers are allowed to make changes to device-level configuration
04-04-2018 04:39 AM
Hi @RamBalaji
Interfaces and routing are classified as system level configuration.
In the case of a hosted environment the device owner will want to retain control over system critical configuration so the customer does not cause accidental harm to others, by for example configuring a vwire in a switched environment and causing a loop, or altering interface tags, allowing them to inject themselves in a different network segment
04-04-2018 12:48 AM
A vsys admin is considered a sub-admin so does not get access to system-level configuration which could impact the system
Device admins or superusers are allowed to make changes to device-level configuration
04-04-2018 04:14 AM
Thanks for the response.
I have a doubt, if one customer owns ISP and don't want to share it and configure (routing & IPSEC vpn) by himself, which is not possible in this case. After the device admin/super admin configures interface for seperate vsys why its going to affect the system configuration.
Please share your view.
with regards,
Ram
04-04-2018 04:39 AM
Hi @RamBalaji
Interfaces and routing are classified as system level configuration.
In the case of a hosted environment the device owner will want to retain control over system critical configuration so the customer does not cause accidental harm to others, by for example configuring a vwire in a switched environment and causing a loop, or altering interface tags, allowing them to inject themselves in a different network segment
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
