This article provides information about the various Role attributes associated with administrative users.

 

• Each Role attribute has a scope.

• The security device keeps a check on the role of the admin user.

• An admin user with role attribute cannot make configuration changes outside the scope of the Role attribute, as it will lead to a Role violation.

  • For example, a Cryptographic admin cannot access security data and a Security admin cannot access cryptographic data.

 

The root admin can assign role attributes to non-root read/write and read only administrators. You cannot assign role attributes to root and vsys administrators. You can assign a role by creating an admin user in the following way:

Using CLI:

set admin user name_str password pswd_str [ privilege { read-write | read-only } ]
set admin user name_str role { audit | cryptographic | security }

Using WebUI:

Go to Configuration > Admin > Administrators, and then click New.   Assign the attributes accordingly.

Notes:

• You cannot assign two role attributes for the same admin user. However, you can change the role attribute for an admin user when the admin user is inactive.

• You can assign roles to admin users in the local database.

• For admin users authenticated by external RADIUS or TACACS+ authentication servers, the role attribute is assigned in the remote server.

• The security device does not check the role attribute, when an administrator views the audit logs or executes self-tests.

Supported Attributes

The attributes are None, Audit, Crypto and Security.  Note: In each of the following attributes, you can specify whether a user is 'read-only' or 'read-write', along with the attributes.

None:

• When the role is none, the user has all the access as per the privileges of Read write or Read only user.

Audit user:

• An audit user cannot make any configuration changes in the device. In webUI, they can view the config; but not by using CLI.

• However, in the CLI, they cannot use of most of the commands (not even ping).

• The get commands which work are get event ?, get alarm ?, and get log ?. The only power an Audit user has is to view and clear the logs.

• An Audit user cannot even change their password.

• He can reset the device and also run Self-test on Demand (these can be done by all of the users).

Crypto user:

• This user has almost the same limitations as Audit (no ping, cannot change own password, and so on). Additionally, a Crypto user cannot clear logs; although they can view them.

• But a crypto user can configure the certificates on the device. Similar to an Audit user, they can reset the device and perform self-test.

Security user:

• A security user can configure all settings on the firewall, except certificates. When a security user tries to configure certificates, the Role violation error is generated.

• A security user can only view the logs; but cannot clear them.

• A security user can change their password, create policies, routes, VPNs, and all other privileges except certificates.

Finally, audit and crypto user’s password can be changed only by a root user; but beware, in a few ScreenOS versions, root user privileges get reduced to that of read-write later, as soon as it is done. For more information, refer to KB22435 - [ScreenOS] Root admin privileges gets reduced to that of Read-write

So, to avoid any issues, use CLI to change the admin password or attributes.

 

• 2021-01-05: Article reviewed for accuracy; no changes required.

• 2017-12-07: Article reviewed for accuracy. Edited categories so as to remove End of Life products. Article is correct and complete.