Admin users are the administrators of a security device. There are five kinds of admin users.
Root admin: The root administrator has complete administrative privileges. There is only one root administrator per security device. The root administrator has the following privileges:
Manages the root system of the security device
Adds, removes, and manages all other administrators
Establishes and manages virtual systems, and assigns physical or logical interfaces to them
Creates, removes, and manages virtual routers (VRs)
Adds, removes, and manages security zones
Assigns interfaces to security zones
Performs asset recovery
Sets the device to FIPS mode
Resets the device to its default settings
Updates the firmware
Loads configuration files
Creates virtual systems and assigns a virtual system administrator for each one
Monitors any virtual system
Tracks statistics (a privilege that cannot be delegated to a virtual system administrator)
Root-level read/write admin: The read/write administrator has the same privileges as the root administrator, but cannot create, modify, or remove other admin users.
Root-level read-only admin: The read-only administrator has only viewing privileges using the WebUI, and can only issue the get and ping CLI commands. The read-only administrator has the following privileges:
Read-only privileges in the root system, using the following four commands: enter, exit, get, and ping
Read-only privileges in virtual systems
Vsys admin: Some security devices support virtual systems. Each virtual system (vsys) is a unique security domain, which can be managed by virtual system administrators with privileges that apply only to that vsys. Virtual system administrators independently manage virtual systems through the CLI or WebUI. On each vsys, the virtual system administrator has the following privileges:
Creates and edits users
Creates and edits services
Creates and edits access policies
Creates and edits addresses
Creates and edits VPNs
Creates the virtual system administrator login password
Creates and manages security zones
Vsys read-only admin: A virtual system read-only administrator has the same set of privileges as a read-only administrator, but only within a specific virtual system. A virtual system read-only administrator has viewing privileges for his particular vsys through the WebUI, and can only issue the enter, exit, get, and ping CLI commands within his vsys.
Although the profile for the root user of a security device must be stored in the local database, you can store virtual system (vsys) users and root-level admin users with read-write and read-only privileges either in the local database or on an external auth server.
If you store admin user accounts on an external auth server and you load the dictionary file on the auth server (see RADIUS Server), you can elect to query admin privileges defined on the server. Optionally, you can specify a privilege level to be applied globally to all admin users stored on that auth server. You can specify either read-write or read-only privileges. If you store admin users on an external auth server such as SecurID, LDAP, TACACS+, or RADIUS without the security device dictionary file, you cannot define their privilege attributes on the auth server. Therefore, you must assign a privilege level to the admin users on the security device.
Select the type of privileges to grant admin users authenticating from an external database:
Get privilege from RADIUS server: Select this option to query admin privileges defined on the RADIUS server.
External admin has read-only privilege: Select this option to grant read-only privileges to the admin users.
External admin has read-write privilege: Select this option to grant read-write privileges to the admin users.
Admin Auth Server: Select a server from the drop-down list to authenticate the admin users.
Click Apply to save your settings.
ScreenOS allows you to prioritize the authentication process between the local and remote authentication services.
Primary: The remote auth server has a higher priority to authenticate over the local database.
Fallback: If the primary authentication service fails, configure the device to authenticate to the secondary service (default) or bypass it. This action is defined differently for root-privileged and non-root privileged admins.
For example, select Permit Root to accept only remote root-privileged admins to be authenticated by the remote auth server. Then, non-root-privileged admins authenticated by remote auth servers are not accepted by the device.
Root: Accept root-privileged admins authenticated by the remote auth server.
In addition to the root admin, the security device supports the creation of up to 20 admin users, who can be either super admins (with read-write privileges) or sub-admins (with read-only privileges).
Note: An external admin logging in with root privileges can log in multiple times with root privileges, provided the admin uses the same username and password. Subsequent root-level admins logging in to the device with a different username receive read-write privileges only, not root privileges. This prevents multiple different root users from being logged in at the same time.
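The following is an added illustration, not ScreenOS code, modelling how the settings above combine: the privilege applied to externally stored admins, the Primary/Fallback order, the Permit Root option, and the single-root-session rule. It assumes that "the primary authentication service fails" means the remote server cannot be reached (a rejected remote login is treated as final), and all usernames and passwords are constructed.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class AdminAuth:
    """Constructed model of the admin auth policy described on this page (not ScreenOS code)."""
    external_privilege: str = "read-only"   # "radius" (query the server), "read-only" or "read-write"
    fallback_to_local: bool = True          # Fallback: use the secondary service (default) or bypass it
    permit_root_only: bool = False          # Permit Root: accept only root-privileged remote admins
    remote_reachable: bool = True           # assumption: "fails" means the remote server is unreachable
    local_users: dict = field(default_factory=dict)   # name -> (password, privilege); root lives here
    remote_users: dict = field(default_factory=dict)  # name -> (password, privilege attribute)
    active_root: Optional[str] = None                 # username currently holding the root session

    @staticmethod
    def _check(table, user, pw):
        rec = table.get(user)
        return rec if rec and rec[0] == pw else None

    def login(self, user: str, pw: str) -> Optional[str]:
        """Return the session's effective privilege, or None when the login is rejected."""
        if self.remote_reachable:                       # Primary: the remote server is tried first
            rec = self._check(self.remote_users, user, pw)
            if rec is None:
                return None
            # privilege is either the attribute queried from the RADIUS dictionary
            # or the level applied globally to every admin on that server
            priv = rec[1] if self.external_privilege == "radius" else self.external_privilege
            if self.permit_root_only and priv != "root":
                return None                             # non-root remote admins are not accepted
        elif self.fallback_to_local:                    # Fallback: secondary (local) database
            rec = self._check(self.local_users, user, pw)
            if rec is None:
                return None
            priv = rec[1]
        else:
            return None                                 # fallback bypassed: nothing else to try
        if priv == "root":
            # one root session at a time: the same username keeps root,
            # any other root-level admin is downgraded to read-write
            if self.active_root in (None, user):
                self.active_root = user
            else:
                priv = "read-write"
        return priv
```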
The security device identifies users by username and password. Only the root admin can change or add admin users. Admin users can change their own passwords but not the root admin's password.
To create an admin, click New. The Administrator Configuration page appears. For more information about creating admins, see the Administrator Configuration page.
This table lists all the admins who can manage the security device. You can modify all admins—root and sub-admins—and you can remove all sub-admins. The table contains the following information:
Administrator Name: Identifies the name of the admin.
Privileges: Identifies which administration privileges the admin has.
Role: Identifies which administration role attribute the admin has. The role attribute can be Crypto, Security, Audit, or None.
SSH Password Auth: Indicates whether SSH password authentication is enabled.
Configure: Click Edit to modify the admin's password. Click SSH PKA to view or modify the admin's PKAs and create new ones. Click Remove to remove the admin (only a root admin can remove an admin user).
When the number of unsuccessful authentication attempts exceeds the threshold limit, the security device prevents the unauthorized user from accessing the device and locks the user account for a specified time. To unlock the user account:
Enter the login name of the locked user account in the Admin Name field.
Select Clear to unlock the account of the specified user. Select Clear All to unlock all locked user accounts.
For more information about modifying an administrator, see Administrator Configuration.
For more information about viewing and creating PKAs, see PKA List & Configuration.