Administrators List and External Database Admin Settings

Admin Privileges

Admin users are the administrators of a security device. There are five kinds of admin users.

Although the profile for the root user of a security device must be stored in the local database, you can store virtual system (vsys) users and root-level admin users with read-write and read-only privileges either in the local database or on an external auth server.

If you store admin user accounts on an external auth server and you load the dictionary file on the auth server (see RADIUS Server), you can elect to query admin privileges defined on the server. Optionally, you can specify a privilege level to be applied globally to all admin users stored on that auth server. You can specify either read-write or read-only privileges. If you store admin users on an external auth server such as SecurID, LDAP, TACACS+, or RADIUS without the security device dictionary file, you cannot define their privilege attributes on the auth server. Therefore, you must assign a privilege level to the admin users on the security device.

To Set Privileges for an Admin User

  1. Select the type of privileges to grant admin users authenticating from an external database:

Get privilege from RADIUS server: Select this option to query admin privileges defined on the RADIUS server.

External admin has read-only privilege: Select this option to grant read-only privileges to the admin users.

External admin has read-write privilege: Select this option to grant read-write privileges to the admin users.

Admin Auth Server: Select a server from the drop-down list to authenticate the admin users.

  2. Click Apply to save your settings.

Remote Server Settings

ScreenOS allows you to prioritize the authentication process between the local and remote authentication services.

Primary: The remote auth server has a higher priority to authenticate over the local database.

Fallback: If the primary authentication service fails, configure the device either to authenticate against the secondary service (the default) or to bypass it. This behavior is defined separately for root-privileged and non-root-privileged admins.

For example, select Permit Root to accept only root-privileged admins authenticated by the remote auth server. Non-root-privileged admins authenticated by the remote auth server are then not accepted by the device.

Root: Accept root-privileged admins authenticated by the remote auth server.

Creating Administrators

In addition to the root admin, the security device supports the creation of up to 20 admin users, who can be either super admins (with read-write privileges) or sub-admins (with read-only privileges).

Note: An external admin logging in with root privileges can log in multiple times with root privileges, provided the admin uses the same username and password. However, other root-level admins who subsequently log in to the device receive read-write privileges only, not root privileges. This prevents multiple different root users from being logged in at the same time.

The security device identifies users by username and password. Only the root admin can change or add admin users. Admin users can change their own passwords but not the root admin's password.

To Create a New Administrator

To create an admin, click New. The Administrator Configuration page appears. For more information about creating admins, see the Administrator Configuration page.

Local Administrator Database

This table lists all the admins who can manage the security device. You can modify all admins—root and sub-admins—and you can remove all sub-admins. The table contains the following information:

Administrator Name: Identifies the name of the admin.

Privileges: Identifies which administration privileges the admin has.

Role: Identifies which administration role attribute the admin has. The role attribute can be Crypto, Security, Audit, or None.

SSH Password Auth: Indicates whether SSH password authentication is enabled.

Configure: Click Edit to modify the admin's password. Click SSH PKA to view or modify the admin's PKAs and create new ones. Click Remove to remove the admin (only a root admin can remove an admin user).

Clear Administrator Lock

When the number of unsuccessful authentication attempts exceeds the threshold limit, the security device prevents the unauthorized user from accessing the device and locks the user account for a specified time. To unlock the user account:

  1. Enter the login name of the locked user account in the Admin Name field.

  2. Select Clear to unlock the account of the specified user. Select Clear All to unlock all locked user accounts.
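The following is an added illustration of the admin rules described on this page, not ScreenOS code: the global privilege level for externally authenticated admins (Admin Privileges), the single-root-session rule from the note under Creating Administrators, and the failed-login lockout with Clear / Clear All. The function and class names, the threshold of 3 attempts and the 60-second lock duration are assumptions chosen for the example.

```python
"""Model of the admin privilege, concurrent-root and lockout rules on this page.
Added illustration only; names, threshold and lock duration are assumed."""

READ_ONLY, READ_WRITE, ROOT = "read-only", "read-write", "root"


def external_privilege(option, radius_attribute=None):
    """Privilege granted to an admin stored on the external auth server.
    option is one of the three radio choices: "radius", "read-only", "read-write"."""
    if option == "radius":
        if radius_attribute is None:
            # Without the security-device dictionary file the server cannot carry
            # the privilege attribute, so a level must be assigned on the device.
            raise ValueError("no privilege attribute returned; assign a level on the device")
        return radius_attribute
    if option in (READ_ONLY, READ_WRITE):
        return option  # global level applied to every admin on that server
    raise ValueError(f"unknown option {option!r}")


class AdminAuth:
    def __init__(self, lock_threshold=3, lock_seconds=60):
        self.lock_threshold, self.lock_seconds = lock_threshold, lock_seconds
        self.failures, self.locked_until = {}, {}
        self.root_holder = None  # username currently holding the root session

    def is_locked(self, name, now):
        return self.locked_until.get(name, 0) > now

    def login(self, name, password_ok, privilege, now):
        """Return the privilege actually granted, or None when the login is rejected."""
        if self.is_locked(name, now):
            return None
        if not password_ok:
            self.failures[name] = self.failures.get(name, 0) + 1
            if self.failures[name] > self.lock_threshold:  # attempts exceed the threshold
                self.locked_until[name] = now + self.lock_seconds
            return None
        self.failures[name] = 0
        if privilege == ROOT:
            if self.root_holder not in (None, name):
                return READ_WRITE  # a different root admin is already logged in
            self.root_holder = name
        return privilege

    def clear_lock(self, name=None):
        """Clear Administrator Lock: one account, or every locked account when name is None."""
        for n in ([name] if name else list(self.locked_until)):
            self.locked_until.pop(n, None)
            self.failures.pop(n, None)
```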

For more information about modifying an administrator, see Administrator Configuration.

For more information about viewing and creating PKAs, see PKA List & Configuration.