To
Set an Auth Server for Admin Users and Set PrivilegesAdmin users are the administrators of a security device. There are five kinds of admin users.
Root admin: The root administrator has complete administrative privileges. There is only one root administrator per security device. The root administrator has the following privileges:
Manages the root system of the security device
Adds, removes, and manages all other administrators
Establishes and manages virtual systems, and assigns physical or logical interfaces to them
Creates, removes, and manages virtual routers (VRs)
Adds, removes, and manages security zones
Assigns interfaces to security zones
Performs asset recovery
Sets the device to FIPs mode
Resets the device to its default settings
Updates the firmware
Loads configuration files
Creates virtual systems and assigns a virtual system administrator for each one
Monitors any virtual system
Tracks statistics (a privilege that cannot be delegated to a virtual system administrator)
Root-level read/write admin: The read/write administrator has the same privileges as the root administrator, but cannot create, modify, or remove other admin users.
Root-level read-only admin: The read-only administrator has only viewing privileges using the WebUI, and can only issue the get and ping CLI commands. The read-only administrator has the following privileges:
Read-only privileges in the root system, using the following four commands: enter, exit, get, and ping
Read-only privileges in virtual systems
Vsys admin: Some security devices support virtual systems. Each virtual system (vsys) is a unique security domain, which can be managed by virtual system administrators with privileges that apply only to that vsys. Virtual system administrators independently manage virtual systems through the CLI or WebUI. On each vsys, the virtual system administrator has the following privileges:
Creates and edits users
Creates and edits services
Creates and edits access policies
Creates and edits addresses
Creates and edits VPNs
Creates the virtual system administrator login password
Creates and manages security zones
Vsys read-only admin: A virtual system read-only administrator has the same set of privileges as a read-only administrator, but only within a specific virtual system. A virtual system read-only administrator has viewing privileges for his particular vsys through the WebUI, and can only issue the enter, exit, get, and ping CLI commands within his vsys.
Although the profile of the root user of a security device must be stored in the local database, you can store vsys users and root-level admin users with read-write and read-only privileges either in the local database or on an external auth-server.
If you store admin user accounts on an external auth server and you load the dictionary file on the auth server (see RADIUS Server), you can elect to query admin privileges defined on the server. Optionally, you can specify a privilege level to be applied globally to all admin users stored on that auth server. You can specify either read/write or read-only privileges. If you store admin users on an external auth server such as SecurID, LDAP, TACACS+, or a RADIUS server without the security device dictionary file, you cannot define their privilege attributes on the auth server. Therefore, you must assign a privilege level to them on the security device.
To
Set an Auth Server for Admin Users and Set PrivilegesSelect the type of privileges to grant admin users authenticating from an external database:
Get privilege from RADIUS server: Select this option to query admin privileges defined on the RADIUS server.
External admin has read-only privilege: Select this option to grant read-only privileges to the admin user.
External admin has read-write privilege: Select this option to grant read-write privileges to the admin users.
Admin Auth Server: Select a server from the drop-down list to authenticate admin users.
Click Apply to save the settings.
ScreenOS allows you to prioritize the authentication process between the local and remote authentication services.
Primary: The remote auth server has a higher priority to authenticate over the local database.
Fallback: If the primary authentication service fails, configure the device to authenticate to the secondary service (default) or bypass it. This action is defined differently for root-privileged and non-root privileged admins.
For example, select Permit Root to accept remote root-privileged admins only to be authenticated by the remote auth server. Then, non-root privileged admins authenticated by remote auth servers are not accepted by the device.
Root: Accept root-privileged admins authenticated by the remote auth server.
In addition to the root administrator, the security device supports the creation of up to 20 admin users, which can be either super administrators (with read-write privileges) or sub-administrators (with read-only privileges).
Note: An external admin logging in with root-privileges can log in multiple times with root privileges provided the same username and password is used. However, subsequent root-level admins logging into the device will have read-write privileges only and not root-privileges. This prevents different multiple root users logging into the device.
The security device identifies users by user name and password. Only the root administrator can change or add admin users. Admin users can change their own passwords, but not the root administrator's password.
To
Create a New AdministratorTo create an administrator, click New. The Administrators Configuration page appears. For more information on creating administrators, see the Administrator Configuration page.
This table lists all the administrators who can manage the security device. You can modify all administrators—root and sub-administrators—and you can remove all sub-administrators. The table contains the following information:
Administrator Name: Identifies the name of the administrator.
Privileges: Identifies which administration privileges the administrator is entitled to.
SSH Password Auth: Indicates whether SSH password authentication is enabled.
Configure: Click Edit to modify the administrator's password. Click SSH PKA to view or modify the administrator's PKAs and create new ones. Click Remove to remove the administrator (only a root administrator can remove an admin user).
For more information on modifying an administrator, see Administrator Configuration.
For more information on viewing and creating PKAs, see PKA List & Configuration.