Access domains restrict administrator accounts to specific Vsys (on a firewall) and to specific Device Groups, Templates and Context Switch targets (on Panorama).
When you manage a Vsys-enabled firewall from Panorama, you might want to create Panorama administrators who can access only particular Vsys on the managed firewall.
In that case, the target Vsys must be bound to a unique Device Group. You cannot control per-Vsys administration for Panorama administrators if multiple Vsys from the firewall are part of the same Device Group.
Steps:
Create Specific Device Groups for Specific Vsys under:
Managed Multi-VSYS Firewall
Create an Access Domain for managing the Vsys1 Device Group and the corresponding context switch
Create an Administrator with Administrator Type "Device Group and Template Admin" and bind the access domain created above.
Do a Panorama commit and log in using the Vsys1Admin user account
Verify that you are able to access only Device Group 1, and can context switch to Vsys1 of the firewall.
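The Device Group precondition stated above can be checked before any access domain is created. The following is an added example, not Palo Alto Networks code: it audits a constructed, simplified XML export of Device Group membership (the layout, group names and serial number are assumptions for illustration) and reports which Vsys sit alone in their Device Group and which share one with another Vsys of the same firewall.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample input: simplified Device Group membership laid out as
# device group -> firewall serial -> vsys. Names and serial are made up.
SAMPLE_XML = """
<device-group>
  <entry name="DG-Vsys1">
    <devices><entry name="0000000001"><vsys><entry name="vsys1"/></vsys></entry></devices>
  </entry>
  <entry name="DG-Shared">
    <devices><entry name="0000000001"><vsys>
      <entry name="vsys2"/><entry name="vsys3"/>
    </vsys></entry></devices>
  </entry>
</device-group>
"""

def load_membership(xml_text):
    """Return {device_group: {firewall_serial: [vsys, ...]}}."""
    membership = {}
    for dg in ET.fromstring(xml_text).findall("entry"):
        per_firewall = defaultdict(list)
        for dev in dg.findall("devices/entry"):
            for vsys in dev.findall("vsys/entry"):
                per_firewall[dev.get("name")].append(vsys.get("name"))
        membership[dg.get("name")] = dict(per_firewall)
    return membership

def audit(membership):
    """Separate Vsys that can be delegated on their own from those that cannot.

    A Vsys qualifies only when it is the sole Vsys of its firewall in the
    Device Group; otherwise an access domain on that group exposes its siblings.
    """
    delegable, blocked = {}, []
    for dg, firewalls in membership.items():
        for serial, vsys_list in firewalls.items():
            if len(vsys_list) == 1:
                delegable[(serial, vsys_list[0])] = dg
            else:
                blocked.append((dg, serial, sorted(vsys_list)))
    return delegable, blocked

if __name__ == "__main__":
    ok, bad = audit(load_membership(SAMPLE_XML))
    for (serial, vsys), dg in ok.items():
        print(f"OK      {serial}/{vsys} is alone in {dg}")
    for dg, serial, vsys_list in bad:
        print(f"BLOCKED {dg} holds {', '.join(vsys_list)} of {serial}")
```

Any Device Group listed as blocked has to be split into one group per Vsys before a per-Vsys access domain can be bound to it.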