Administrators tab

This tab consists of a grid containing:

  • A taskbar: it shows the various possible operations that can be applied to an administrator.
  • The list of users and user groups identified as administrators and their privileges.

NOTE
The Administrators tab can only be accessed by the user connected with the admin account.

Possible operations

Some other operations can also be performed by right-clicking in the grid of administrators.

  • Adding an administrator: adds a new administrator on the firewall. Several choices are offered depending on the privileges to assign to the new administrator. The procedure is explained in the section Adding an administrator.
  • Delete: deletes the selected administrator.
  • Move up: places the selected administrator above the previous administrator in the list.
  • Move down: places the selected administrator below the following administrator in the list.
  • Copy privileges: copies the privileges of the selected administrator.
  • Paste privileges: pastes the copied privileges to the selected administrator.
  • Grant all privileges: assigns all privileges to the selected administrator.
  • Switch to advanced/simple view: changes how privileges are displayed in the grid, according to two views:
      • Simple view: default display containing several columns which represent the categories of privileges that an administrator may or may not have.
      • Advanced view: shows all available privileges.

Details of the privileges are provided in the section Possible privileges.

Adding an administrator

Several options are available when you click on Add:

Administrator without any privileges

This type of administrator has all the basic privileges such as access to the Dashboard and to the following modules:

  • Licenses,
  • Maintenance,
  • Active Update,
  • High availability (and its wizard),
  • CLI console,
  • Network,
  • Routing,
  • Dynamic DNS,
  • DHCP,
  • DNS proxy cache,
  • Objects,
  • URL categories (and their groups),
  • Certificates and PKI,
  • Authentication (and its wizard),
  • URL filtering,
  • SSL filtering,
  • SMTP filtering,
  • Applications and protections,
  • Inspection profile,
  • Antivirus,
  • Antispam,
  • Block messages,
  • Preferences.

The module Vulnerability management can only be accessed with write privileges.

Administrator with read-only access

This type of administrator has the same basic access privileges as the administrator “without privileges”, with the following additional privileges: reading of SNMP logs, E-mail alerts and System events, as well as read privileges for Filtering and VPN.
Administrator with all privileges

This type of administrator has access to all modules except those in which super-administrator access (admin account) is required.

NOTE
There can only be one super-administrator, with the following characteristics:
  • The only administrator authorized to log in via the local console on Stormshield Network appliances, and only during the installation of the firewall or for maintenance operations outside of normal production use;
  • In charge of defining the profiles of other administrators;
  • Full access to the premises on which the firewall appliances are stored, with all operations performed under this administrator's supervision.

Administrator for temporary accounts

This type of administrator can only manage temporary accounts defined on the firewall (creating, modifying and deleting).

Administrator with access to private data

This type of administrator can access all logs by clicking on Restricted access to logs in order to enable the Full access to logs (private data) privilege, without having to enter an access code to view private data.
Administrator without access to private data

For the purpose of compliance with the European GDPR (General Data Protection Regulation), it is now possible to define an administrator with read and write privileges on the firewall but who cannot view private data stored in logs.

Nonetheless, the administrator in question can still request and obtain access privileges to such data by entering an authorization code given by his supervisor. This code is valid for a limited period defined at the moment of its creation. To enable Full access to logs (private data), the administrator must click on the link Restricted access to logs, then enter the code.

Once the administrator's task is complete, this privilege can be released.

Next, define the user or user group to add as an administrator.

User - Group found in the LDAP directory

Makes it possible to add as an administrator a user or user group found in the firewall's LDAP directory. Select from the drop-down list the user or user group in question.

User - Group originating from another domain (directory)

Makes it possible to add as an administrator a user or user group coming from another domain. For this option, enter the following information:

  • User - Group: choose whether you wish to add a User or a Group.

  • User - Group name: type the name of the user or group in question.

  • Domain name: type the domain name in question.

Once added, the administrator will appear in the grid in the User-user group column.

Possible privileges

Privileges are displayed in the grid by two views:

  • Simple view: default display containing several columns which represent the categories of privileges that an administrator may or may not have. Scroll over the title of a column to find out the exact privileges it holds.
  • Advanced view: shows all available privileges.

Use the Switch to advanced/simple view button to change the display.

The icons in the table mean:

  • [icon]: All privileges have been assigned.
  • [icon]: No privileges have been assigned.
  • [icon]: Some of the privileges have been assigned.

Double-clicking on an icon changes the status of the privileges it represents (from “assigned” to “not assigned”, for example). Double-clicking on the icon withdraws the assigned privileges.

NOTE
Any changes made to an administrator's permissions will only be applied the next time this administrator logs on. If you wish to apply a modification immediately, you will need to force the disconnection of the administrator in question (for example using the CLI command: monitor flush user).

Privileges in simple view

Each entry below gives the column name, the permission it represents and the privileges it assigns.

  • System: permission to perform maintenance operations (backups, restorations, updates, firewall shutdown and reboot, antivirus update, modification of antivirus update frequency and RAID-related operations) and permission to modify the object database. Privileges assigned: base, console, contentfilter, globalobject, maintenance, modify, object
  • Network: permission to modify filter policy configuration and routing configuration (default route, static routes and trusted networks). Privileges assigned: base, modify, network, route
  • Users: permission to modify users and PKI. Privileges assigned: base, modify, pki, user
  • Firewall: permission to modify VPN configuration, intrusion prevention (IPS) configuration and vulnerability management. Privileges assigned: modify, base, filter, vpn, asq, pvm, vpn_read, filter_read, globalfilter
  • Monitoring: permission to modify logs and the configuration. Privileges assigned: modify, mon_write, base, log, log_read, report, report_read, privacy, privacy_read
  • Temporary accounts: permission to manage temporary accounts for the "Temporary accounts" authentication policy. Privileges assigned: base, guest_admin

Privileges in advanced view

Each entry below gives the privilege name, the permission it represents and the privileges it assigns.

  • Logs (R): reading logs. Privileges assigned: base, log_read
  • Filter (R): filter policy consultation. Privileges assigned: base, filter_read
  • VPN (R): VPN configuration consultation. Privileges assigned: base, vpn_read
  • Access to private data (L): permission to view logs containing private data. Privileges assigned: base, privacy_read
  • Logs (W): permission to modify log configuration. Privileges assigned: modify, base, log
  • Filter (W): permission to modify filter policy configuration. Privileges assigned: modify, base, filter
  • VPN (W): permission to modify VPN configuration. Privileges assigned: modify, base, vpn
  • Management of access to private data: permission to create tickets for ad hoc requests for access to private data in logs. Privileges assigned: base, privacy
  • PKI: permission to modify PKI. Privileges assigned: base, modify, pki
  • Monitoring: permission to view advanced Monitoring. Privileges assigned: base, modify, mon_write
  • Content filtering: permission for URL filtering, Mail, SSL and antivirus management. Privileges assigned: base, modify, contentfilter
  • Objects: permission to modify the object database. Privileges assigned: base, modify, object
  • Users: permission to modify users. Privileges assigned: base, modify, user
  • Network: permission to modify network configuration (interfaces, bridges, dialups, VLANs and dynamic DNS configuration). Privileges assigned: base, modify, network
  • Routing: permission to modify routing (default route, static routes and trusted networks). Privileges assigned: base, modify, route
  • Maintenance: permission to perform maintenance operations (backups, restorations, updates, firewall shutdown and reboot, antivirus update, modification of antivirus update frequency, high availability configuration and RAID-related operations). Privileges assigned: base, modify, maintenance
  • Temporary accounts: permission to manage temporary accounts (Users > Temporary accounts module). Privileges assigned: base, guest_admin
  • Intrusion prevention: permission to modify Intrusion prevention (IPS) configuration. Privileges assigned: base, modify, asq
  • Vulnerability management: permission to modify vulnerability management configuration (Stormshield Network Vulnerability Manager). Privileges assigned: base, modify, pvm
  • Objects (global): permission to access global objects. Privileges assigned: base, modify, globalobject
  • Filter (global): permission to access the global filter policy. Privileges assigned: base, modify, globalfilter
  • Activity Reports (W): permission to modify Stormshield Network Activity Reports. Privileges assigned: base, report_read
  • Activity Reports (R): permission to access Stormshield Network Activity Reports. Privileges assigned: base, report_read
  • Access to TPM: when the firewall is equipped with a TPM (Trusted Platform Module), this permission makes it possible to initialize the TPM and perform operations on data protected by the TPM (private keys in firewall certificates). Privileges assigned: base, modify, tpm
  • Console (SSH): permission to open a remote SSH connection on the firewall. Privileges assigned: base, modify, console

The base privilege is assigned to all users systematically. With this privilege, the administrator can read the whole configuration except filtering, VPN, logs and content filtering.

The modify privilege is assigned to users who have write privileges.

The user logged in as admin will obtain the admin privilege. This is the only privilege that lets the administrator add or remove administration privileges for other users.
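The following is an added example, not Stormshield's own code: it models the simple-view grid from the privilege sets listed above, deriving each column's icon state (all, none or some privileges assigned), the double-click toggle and the "Grant all privileges" action. It assumes, as the page does not say so, that a column icon ignores the cross-cutting base and modify privileges and that modify follows from holding any write privilege.

```python
# Added example, not Stormshield's code: a model of the privilege grid described above.
# Assumptions not on the page: a column icon ignores the cross-cutting privileges base and
# modify; modify is derived from holding any write privilege; a double-click withdraws a
# fully assigned column and grants it otherwise.
from typing import Dict, Iterable, Set

SIMPLE_VIEW: Dict[str, Set[str]] = {  # copied from the "Privileges in simple view" table
    "System": {"base", "console", "contentfilter", "globalobject",
               "maintenance", "modify", "object"},
    "Network": {"base", "modify", "network", "route"},
    "Users": {"base", "modify", "pki", "user"},
    "Firewall": {"modify", "base", "filter", "vpn", "asq", "pvm",
                 "vpn_read", "filter_read", "globalfilter"},
    "Monitoring": {"modify", "mon_write", "base", "log", "log_read",
                   "report", "report_read", "privacy", "privacy_read"},
    "Temporary accounts": {"base", "guest_admin"},
}
ALL_PRIVILEGES: Set[str] = set().union(*SIMPLE_VIEW.values())
CROSS_CUTTING = {"base", "modify"}
# Privileges that are not "write" privileges (holding them does not imply modify).
NOT_WRITE = CROSS_CUTTING | {"guest_admin"} | {p for p in ALL_PRIVILEGES if p.endswith("_read")}

def normalize(assigned: Iterable[str]) -> Set[str]:
    """base is held by everyone; modify is held exactly when a write privilege is."""
    privs = set(assigned) | {"base"}
    if privs - NOT_WRITE:
        privs.add("modify")
    else:
        privs.discard("modify")
    return privs

def column_state(assigned: Iterable[str], column: str) -> str:
    """Icon shown for one simple-view column: 'all', 'none' or 'some'."""
    wanted = SIMPLE_VIEW[column] - CROSS_CUTTING
    held = wanted & normalize(assigned)
    return "all" if held == wanted else ("none" if not held else "some")

def simple_view(assigned: Iterable[str]) -> Dict[str, str]:
    return {col: column_state(assigned, col) for col in SIMPLE_VIEW}

def toggle_column(assigned: Iterable[str], column: str) -> Set[str]:
    """Double-click on a column icon: withdraw if fully assigned, otherwise grant."""
    current = normalize(assigned)
    if column_state(current, column) == "all":
        return normalize(current - (SIMPLE_VIEW[column] - CROSS_CUTTING))
    return normalize(current | SIMPLE_VIEW[column])

def grant_all(assigned: Iterable[str]) -> Set[str]:
    """'Grant all privileges' taskbar action; the admin privilege is never granted."""
    return normalize(set(assigned) | ALL_PRIVILEGES)
```

Feeding it the read-only administrator's set (base, log_read, filter_read, vpn_read) yields "some" for Firewall and Monitoring and "none" elsewhere, which is what the simple view shows for such an account.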