Under R80.xx, one of the new features is the ability to delegate policy control to specific administrators - a feature we've had customers ask for in the past, so we are excited to see it available. But one of the issues I can't find an answer to is: how can we lock an administrator to specific objects? So far, all I can see is that a given administrator can either have read-only or read-write access to ALL objects.
Given this, administrator 1 - who I have delegated to have access to only interior firewall policies - can still disrupt policies on exterior firewalls by editing or deleting objects used by the exterior firewall policies. Next time the policy is installed on the exterior firewall, the damage is done.
I cannot see any way in the product to only allow a subset of objects to be edited by a given administrator, and the only way I can think of achieving this would be to use tags on the objects and specify which tags the administrator can 'control'.
Am I missing something?
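A small model of the exposure described in this post, added here as an illustration and not taken from the post or from any Check Point tooling. It lists which objects a delegated administrator could edit that other policies depend on, first with write access to all objects and then under the tag restriction the post proposes; all policy names, object names and tags are constructed, and the tag check is hypothetical.

```python
# Constructed sample data; not exported from a real management server.
# Objects each policy package references directly in its rules.
POLICIES = {
    "interior-fw": {"grp-app-servers", "net-lan", "host-dns"},
    "exterior-fw": {"grp-dmz", "host-dns", "net-partner"},
}
# Group membership; groups may nest.
GROUPS = {
    "grp-app-servers": {"host-app1", "host-app2"},
    "grp-dmz": {"host-web", "grp-mail"},
    "grp-mail": {"host-smtp"},
}
# Hypothetical per-object tags, as proposed in the post.
TAGS = {
    "grp-app-servers": {"interior"}, "host-app1": {"interior"},
    "host-app2": {"interior"}, "net-lan": {"interior"},
    "host-dns": {"interior", "exterior"}, "net-partner": {"exterior"},
    "grp-dmz": {"exterior"}, "grp-mail": {"exterior"},
    "host-web": {"exterior"}, "host-smtp": {"exterior"},
}

def reachable(policy):
    """All objects a policy depends on, expanding nested groups."""
    seen, stack = set(), list(POLICIES[policy])
    while stack:
        obj = stack.pop()
        if obj not in seen:
            seen.add(obj)
            stack.extend(GROUPS.get(obj, ()))
    return seen

def exposure(delegated, admin_tags=None):
    """Objects the admin may edit that policies outside `delegated` depend on.

    admin_tags=None models write access to all objects (the behaviour the post
    describes); a set models the hypothetical tag restriction.
    """
    result = {}
    for policy in POLICIES:
        if policy in delegated:
            continue
        objs = reachable(policy)
        if admin_tags is not None:
            objs = {o for o in objs if TAGS.get(o, set()) & admin_tags}
        result[policy] = sorted(objs)
    return result

if __name__ == "__main__":
    print(exposure({"interior-fw"}))                # write access to all objects
    print(exposure({"interior-fw"}, {"interior"}))  # tag-restricted admin
```

In this sample the tag restriction shrinks the exposure to the one object carrying both tags, which is the kind of shared object such a scheme would still need to account for.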