
[ScreenOS] What are the various Role attributes associated with admin users?


Article ID: KB23413. KB Last Updated: 05 Jan 2021. Version: 3.0
Summary:

This article provides information about the various Role attributes associated with administrative users.


Symptoms:
  • Each Role attribute has a scope.

  • The security device keeps a check on the role of the admin user.

  • An admin user with a role attribute cannot make configuration changes outside the scope of that role; attempting to do so results in a Role violation.

    • For example, a Cryptographic admin cannot access security data, and a Security admin cannot access cryptographic data.


Solution:

The root admin can assign role attributes to non-root read-write and read-only administrators. Role attributes cannot be assigned to the root admin or to vsys administrators. You assign a role when creating an admin user, as follows:

Using CLI:

set admin user name_str password pswd_str [ privilege { read-write | read-only } ]
set admin user name_str role { audit | cryptographic | security }

Using WebUI:

Go to Configuration > Admin > Administrators, click New, and then assign the attributes accordingly.

Notes:

  • You cannot assign two role attributes to the same admin user. However, you can change the role attribute of an admin user while that user is inactive.

  • Roles can be assigned to admin users in the local database.

  • For admin users authenticated by external RADIUS or TACACS+ authentication servers, the role attribute is assigned on the remote server.

  • The security device does not check the role attribute when an administrator views the audit logs or executes self-tests.

Supported Attributes

The supported attributes are None, Audit, Crypto and Security. Note: For each of the following attributes, you can also specify whether the user is 'read-only' or 'read-write'.

None:

  • When the role is None, the user has all the access granted by the read-write or read-only privilege.

Audit user:

  • An Audit user cannot make any configuration changes on the device. In the WebUI, an Audit user can view the configuration; in the CLI, they cannot.

  • In the CLI, most commands are unavailable to an Audit user (not even ping).

  • The get commands that work are get event ?, get alarm ?, and get log ?. The only power an Audit user has is to view and clear the logs.

  • An Audit user cannot even change their own password.

  • An Audit user can reset the device and run a self-test on demand (all users can do these).

Crypto user:

  • A Crypto user has almost the same limitations as an Audit user (no ping, cannot change own password, and so on). Additionally, a Crypto user cannot clear logs, although they can view them.

  • However, a Crypto user can configure the certificates on the device. Like an Audit user, they can reset the device and perform a self-test.

Security user:

  • A Security user can configure all settings on the firewall except certificates. When a Security user tries to configure certificates, a Role violation error is generated.

  • A Security user can only view the logs; they cannot clear them.

  • A Security user can change their own password, create policies, routes and VPNs, and exercise all other privileges except certificates.
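As an added example (not part of this KB article and not ScreenOS code), the following Python script parses `set admin user` lines from a ScreenOS configuration dump, using the two command forms given above, and models the role scopes described in this article. It lets an administrator inventory which admin holds which privilege and role, flags a user whose role line appears twice, and predicts which actions would be Role violations. The quoted form of the dump lines, the admin names and the placeholder passwords are constructed; the action labels (such as configure-certificates) are this script's own and are not ScreenOS commands; and the rule that a read-only privilege blocks configuration actions regardless of role is an assumption.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Scope of each role, as described in this article. "none" means no role
# attribute: access is then governed by the read-write/read-only privilege.
# The action labels are this script's own, not ScreenOS commands.
ROLE_SCOPE: Dict[str, set] = {
    "none":          {"view-logs", "clear-logs", "change-own-password",
                      "configure-certificates", "configure-other"},
    "audit":         {"view-logs", "clear-logs"},                         # view/clear logs only
    "cryptographic": {"view-logs", "configure-certificates"},             # certificates, view logs
    "security":      {"view-logs", "change-own-password", "configure-other"},  # all but certificates
}
# Assumption: a read-only admin cannot perform configuration actions whatever the role.
CONFIGURE_ACTIONS = {"configure-certificates", "configure-other"}

# Matches the two forms given in the article:
#   set admin user name_str password pswd_str [ privilege { read-write | read-only } ]
#   set admin user name_str role { audit | cryptographic | security }
# Quotes around values are optional (the quoted form is an assumption about dump output).
LINE_RE = re.compile(
    r'^set admin user "?(?P<name>[^"\s]+)"?\s+(?:'
    r'password\s+"?[^"\s]+"?(?:\s+privilege\s+"?(?P<priv>read-write|read-only)"?)?'
    r'|role\s+"?(?P<role>audit|cryptographic|security)"?'
    r')\s*$'
)

# Constructed sample dump (hypothetical admin names; passwords are placeholders).
SAMPLE_CONFIG = """\
set admin user "netops" password "PLACEHOLDER" privilege "read-write"
set admin user "auditor" password "PLACEHOLDER" privilege "read-only"
set admin user "auditor" role "audit"
set admin user "pki-ops" password "PLACEHOLDER" privilege "read-write"
set admin user "pki-ops" role "cryptographic"
set admin user "secops" password "PLACEHOLDER" privilege "read-write"
set admin user "secops" role "security"
set admin user "contractor" password "PLACEHOLDER" privilege "read-write"
set admin user "contractor" role "security"
set admin user "contractor" role "audit"
"""


@dataclass
class Admin:
    name: str
    privilege: str = "unspecified"
    role: str = "none"
    findings: List[str] = field(default_factory=list)


def parse_admins(config: str) -> Dict[str, Admin]:
    """Build an inventory of non-root admins with their privilege and role."""
    admins: Dict[str, Admin] = {}
    for raw in config.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not a `set admin user` line (root admin, other config)
        admin = admins.setdefault(m.group("name"), Admin(m.group("name")))
        if m.group("priv"):
            admin.privilege = m.group("priv")
        if m.group("role"):
            # A user holds one role attribute at a time; a second role line is a
            # change (only possible while the user is inactive), so flag it for review.
            if admin.role != "none" and admin.role != m.group("role"):
                admin.findings.append(
                    f"role changed from '{admin.role}' to '{m.group('role')}'; "
                    "only one role attribute is held at a time")
            admin.role = m.group("role")
    return admins


def is_allowed(admin: Admin, action: str) -> bool:
    """True if the action is inside the admin's role scope and privilege."""
    if action in CONFIGURE_ACTIONS and admin.privilege == "read-only":
        return False
    return action in ROLE_SCOPE[admin.role]


def role_violations(admins: Dict[str, Admin],
                    attempts: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Return the (admin, action) pairs that would produce a Role violation."""
    return [(n, a) for n, a in attempts if n in admins and not is_allowed(admins[n], a)]


if __name__ == "__main__":
    inventory = parse_admins(SAMPLE_CONFIG)
    for a in inventory.values():
        print(f"{a.name:12} privilege={a.privilege:12} role={a.role:14} {'; '.join(a.findings)}")
    attempts = [("secops", "configure-certificates"), ("pki-ops", "clear-logs"),
                ("auditor", "configure-other"), ("pki-ops", "configure-certificates")]
    for n, a in role_violations(inventory, attempts):
        print(f"Role violation: {n} -> {a}")
```

Feed the script the output of `get config` (saved to a file) in place of the constructed sample to review a real device; the root admin, which cannot hold a role, is not defined by `set admin user` lines and so is deliberately left out of the inventory.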

Finally, the password of an Audit or Crypto user can be changed only by the root user. Be aware that in a few ScreenOS versions, the root user's privileges are reduced to those of a read-write user as soon as this is done. For more information, refer to KB22435 - [ScreenOS] Root admin privileges gets reduced to that of Read-write.

To avoid this issue, use the CLI to change the admin password or attributes.


Modification History:
  • 2021-01-05: Article reviewed for accuracy; no changes required.

  • 2017-12-07: Article reviewed for accuracy. Edited categories so as to remove End of Life products. Article is correct and complete.
