This article provides information about the various Role attributes associated with administrative users.
The root admin can assign role attributes to non-root read-write and read-only administrators. You cannot assign role attributes to the root admin or to vsys administrators. You can assign a role when creating an admin user in either of the following ways:
Using CLI:
set admin user name_str password pswd_str [ privilege { read-write | read-only } ]
set admin user name_str role { audit | cryptographic | security }
Using WebUI:
Go to Configuration > Admin > Administrators, and then click New. Assign the attributes accordingly.
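As an added example (not from the original article), the following ScreenOS CLI sequence creates one non-root admin for each role using the two commands above, then lists the admin users and saves the configuration. The user names and passwords are placeholders chosen for illustration; the privilege keyword is given explicitly so the intended access level is visible in the saved configuration.

```screenos
set admin user auditor1 password Aud1t-Pass! privilege read-only
set admin user auditor1 role audit
set admin user crypto1 password Crypt0-Pass! privilege read-write
set admin user crypto1 role cryptographic
set admin user secadmin1 password S3c-Pass! privilege read-write
set admin user secadmin1 role security
get admin user
save
```

Each admin is created with set admin user before the role is attached, and get admin user confirms the privilege and role before the configuration is saved. Since a role cannot be changed while the admin is active, it is simplest to assign the role in the same session in which the user is created.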
Notes:
- You cannot assign two role attributes to the same admin user. However, you can change the role attribute of an admin user while that admin user is inactive.
- You can assign roles to admin users defined in the local database.
- For admin users authenticated by an external RADIUS or TACACS+ server, the role attribute is assigned on the remote server.
- The security device does not check the role attribute when an administrator views the audit logs or executes self-tests.
Supported Attributes
The attributes are None, Audit, Crypto and Security. Note: for each of the following attributes, you can also specify whether the admin user is read-only or read-write (the privilege keyword of the set admin user command).
None:
- The admin user has no role attribute; the read-write or read-only privilege alone determines what the admin can do.
Audit user:
- An audit user cannot make any configuration changes on the device. In the WebUI an audit user can view the configuration, but not from the CLI.
- In the CLI, most commands are unavailable to an audit user (not even ping works).
- The get commands that do work are get event ?, get alarm ? and get log ?. The only capability an audit user has is to view and clear the logs.
- An audit user cannot even change their own password.
- An audit user can reset the device and run the self-test on demand (all admin users can do both).
Crypto user:
- A crypto user has almost the same limitations as an audit user (no ping, cannot change their own password, and so on). In addition, a crypto user cannot clear the logs, although they can view them.
- A crypto user can, however, configure the certificates on the device. Like an audit user, a crypto user can reset the device and perform the self-test.
Security user:
- A security user can configure all settings on the firewall except certificates. When a security user tries to configure certificates, a role violation error is generated.
- A security user can only view the logs; they cannot clear them.
- A security user can change their own password, create policies, routes and VPNs, and has every other privilege except certificate configuration.
Finally, the password of an audit or crypto user can be changed only by the root admin. Be aware, however, that in a few ScreenOS versions the root admin's privileges are reduced to those of a read-write admin as soon as this change is made. For more information, refer to KB22435 - [ScreenOS] Root admin privileges gets reduced to that of Read-write.
To avoid this issue, use the CLI to change the admin password or role attributes.