Managing administrators from local and external directories
There are three ways to manage the authentication of administrators on the SMC server:
- Create local accounts on the SMC server,
- Configure a connection to an LDAP server from the SMC server,
- Configure a connection to a RADIUS server from the SMC server.
Administrators with local accounts on the SMC server, or with accounts on RADIUS or LDAP authentication servers, are managed in the Maintenance > SMC Server > Administrators menu of the web administration interface.
There are four administrator profiles: super administrator ("admin" user), general administrator, folder administrator, and read-only administrator.
The panel displayed depends on whether you are connected to the server as the super administrator (“admin” user) or as another administrator.
The three administrator profiles in write mode have the following privileges:
| Super administrator | General administrator | Folder administrator |
---|---|---|---|
Administrators | Add/Remove/Edit | Modify personal password | Modify personal password |
SNS firewall configuration | | | Only in folders on which the administrator has write access: |
SMC maintenance | | | Generate a diagnostics report |
Manage API keys | | Create/revoke API keys if privileges are enabled | Create/revoke API keys in read-only if privileges are enabled |
For more information on folder administrators, refer to the section Restricting folder administrators' access privileges.
Read-only administrators can access all panels in the web administration interface, but cannot change anything other than their own passwords.
When the super administrator tries to connect, the SMC server looks for the ID and password from its local user database.
When a general administrator or folder administrator attempts to connect, the SMC server first searches for the ID and password on the RADIUS server if it has been configured, then on the LDAP server if it has been configured, then in its local database if it has been configured.
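As an added illustration (not Stormshield code), the lookup order above can be modelled to review which login IDs are defined in more than one source that the server consults. The inventory layout, the function names and the sample accounts are assumptions constructed for this example, and it assumes the search moves on to the next source when the ID and password are not found.

```python
# Added illustration: models the lookup order described in the text above.
# The inventory layout and every name below are assumptions, not SMC formats.

SUPER_ADMIN = "admin"

def lookup_order(login, radius_configured, ldap_configured):
    """Return the sources consulted for a login, in the order the text gives."""
    if login == SUPER_ADMIN:
        return ["local"]  # super administrator: local user database only
    order = []
    if radius_configured:
        order.append("radius")
    if ldap_configured:
        order.append("ldap")
    order.append("local")
    return order

def review_accounts(inventory, radius_configured, ldap_configured):
    """Map each login ID to the consulted sources that define it.

    inventory: dict of source name -> set of login IDs, built by the reviewer
    from each directory's own account listing.
    Returns (resolved, multi): resolved[login] lists, in lookup order, the
    sources holding that login; multi lists logins held by several sources.
    """
    logins = set().union(*inventory.values())
    resolved = {}
    for login in sorted(logins):
        order = lookup_order(login, radius_configured, ldap_configured)
        resolved[login] = [s for s in order if login in inventory.get(s, set())]
    multi = sorted(l for l, srcs in resolved.items() if len(srcs) > 1)
    return resolved, multi

# Constructed sample inventory (not real accounts)
SAMPLE = {
    "radius": {"alice", "bob"},
    "ldap": {"bob", "carol", "admin"},
    "local": {"admin", "alice", "dave"},
}

if __name__ == "__main__":
    resolved, multi = review_accounts(SAMPLE, True, True)
    for login, sources in resolved.items():
        print(f"{login:6} -> {sources}")
    print("defined in several consulted sources:", multi)
```

A login ID reported in several sources has one set of credentials per source, so removing or disabling it in one directory leaves the other definitions to review.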
Several administrators can be connected at the same time to the web interface with read/write access and to the command line interface. As such, changes made by any administrator will instantly appear on the screens of the other administrators, including items imported via CSV file. Refer to audit logs for full details on what changes were made.
When an administrator deploys a configuration on firewalls, the other administrators see that a deployment is in progress and who launched it.
NOTE
The “root” user does not appear in the list of administrators, but holds access privileges to the server in SSH or via the console on a hypervisor. However, the super administrator cannot access the server in SSH or via a console.
To manage administrators as the super administrator, go to the Administrators menu:
- To add an administrator, click on Add an administrator.
- To edit an administrator profile, double click on the administrator line or move the mouse over the administrator name and select the pencil icon. An administrator's Read/Write SMC privilege cannot be withdrawn if this administrator holds active API keys that also have the Read/Write privilege. For more information, please refer to the section Enabling and managing SMC's public API.
- To remove an administrator, move the mouse over the administrator name and select the red cross icon. Administrators that hold active API keys cannot be deleted. For more information, please refer to the section Enabling and managing SMC's public API.
The admin user cannot be removed.
NOTE
Only the super administrator is allowed to update the SMC server, back up and restore the SMC configuration and enable or disable automatic backups from the web administration interface.