To
Set an Auth Server for Admin Users and Set PrivilegesAdmin users are the administrators of a NetScreen device. There are five kinds of admin users.
Root admin: The root administrator has complete administrative privileges. There is only one root administrator per NetScreen device. The root administrator has the following privileges:
Manages the root system of the NetScreen device
Adds, removes, and manages all other administrators
Establishes and manages virtual systems, and assigns physical or logical interfaces to them
Creates, removes, and manages virtual routers (VRs)
Adds, removes, and manages security zones
Assigns interfaces to security zones
Performs asset recovery
Sets the device to FIPs mode
Resets the device to its default settings
Updates the firmware
Loads configuration files
Creates virtual systems and assigns a virtual system administrator for each one
Monitors any virtual system
Tracks statistics (a privilege that cannot be delegated to a virtual system administrator)
Root-level read/write admin: The read/write administrator has the same privileges as the root administrator, but cannot create, modify, or remove other admin users.
Root-level read-only admin: The read-only administrator has only viewing privileges using the WebUI, and can only issue the get and ping CLI commands. The read-only administrator has the following privileges:
Read-only privileges in the root system, using the following four commands: enter, exit, get, and ping
Read-only privileges in virtual systems
Vsys admin: Some NetScreen devices support virtual systems. Each virtual system (vsys) is a unique security domain, which can be managed by virtual system administrators with privileges that apply only to that vsys. Virtual system administrators independently manage virtual systems through the CLI or WebUI. On each vsys, the virtual system administrator has the following privileges:
Creates and edits users
Creates and edits services
Creates and edits access policies
Creates and edits addresses
Creates and edits VPNs
Creates the virtual system administrator login password
Creates and manages security zones
Vsys read-only admin: A virtual system read-only administrator has the same set of privileges as a read-only administrator, but only within a specific virtual system. A virtual system read-only administrator has viewing privileges for his particular vsys through the WebUI, and can only issue the enter, exit, get, and ping CLI commands within his vsys.
Although the profile of the root user of a NetScreen device must be stored in the local database, you can store vsys users and root-level admin users with read-write and read-only privileges either in the local database or on an external auth-server.
If you store admin user accounts on an external RADIUS auth server and you load the NetScreen dictionary file on the auth server (see RADIUS Server), you can elect to query admin privileges defined on the server. Optionally, you can specify a privilege level to be applied globally to all admin users stored on that auth server. You can specify either read/write or read-only privileges. If you store admin users on an external SecurID or LDAP auth server, or on a RADIUS server without the NetScreen dictionary file, you cannot define their privilege attributes on the auth server. Therefore, you must assign a privilege level to them on the NetScreen device.
To
Set an Auth Server for Admin Users and Set PrivilegesSelect what type of privileges you want to grant the admin users:
Get privilege from RADIUS server: Select this option to query admin privileges defined on the RADIUS server.
External admin has read-only privilege: Select this option to grant read-only privileges to the admin user.
External admin has read-write privilege: Select this option to grant read-write privileges to the admin users.
Admin Auth Server: Select a server from the drop-down list to perform the authentication of admin users.
Click Apply to save the settings.
In addition to the root administrator, the NetScreen device supports the creation of up to 20 admin users, which can be either super administrators (with read-write privileges) or sub-administrators (with read-only privileges).
The NetScreen device identifies users by user name and password. Only the root administrator can change or add admin users. Admin users can change their own passwords, but not the root administrator's password.
To
Create a New AdministratorTo create an administrator, click New. The Administrators Configuration page appears. For more information on creating administrators, see the Administrator Configuration page.
This table lists all the administrators who can manage the NetScreen device. You can modify all administrators—root and sub-administrators—and you can remove all sub-administrators. The table contains the following information:
Administrator Name: Identifies the name of the administrator.
Privileges: Identifies which administration privileges the administrator is entitled to.
SSH Password Auth: Indicates whether SSH password authentication is enabled.
Configure: Click Edit to modify the administrator's password. Click SSH PKA to view or modify the administrator's PKAs and create new ones. Click Remove to remove the administrator (only a root administrator can remove an admin user).
For more information on modifying an administrator, see Administrator Configuration.
For more information on viewing and creating PKAs, see PKA List & Configuration.