Restrict the log data an administrator can view
If an administrator is allowed to view logs and alerts, you apply local filters to the log data before it is displayed to the administrator.
The filters that you create here are specific only to the Administrator element in question, unless you save them as permanent Filter elements.
For more details about the product and how to configure features, click Help or press F1.
Steps
- Select Configuration, then browse to Administration.
- Expand the Access Rights branch and click Administrators.
- Right-click the Administrator and select Properties.
- Click the Permissions tab.
- Under Log Filters, click Select.
- Define the Local Filter's properties.
- Click OK.
Administrator Properties dialog box
Use this dialog box to change the properties of an Administrator element.
Option | Definition |
---|---|
General tab | |
Type | Specifies where the administrator
account is stored.
|
User | (When Type is Linked to LDAP) Specifies the user account on the integrated external directory server to which the administrator account is linked. Click Select to select an element. |
User Domain (Not editable) |
(When Type is Linked to LDAP) Shows the LDAP domain to which the user account on the integrated external directory server belongs. |
Group (Optional) |
(When Type is Linked to LDAP) Specifies the user group in the integrated external directory server to which the user account must belong for SMC access to be allowed. Click Select to select an element. |
Name | Specifies the user name that the administrator uses to log on to the Management Client. When Type is Linked to LDAP, this field is not editable. |
Comment (Optional) |
A comment for your own reference. |
Authentication |
Select the authentication method to use to authenticate administrator:
|
Password | (When Authentication is User Password) Specifies the password. |
Generate Password
(Optional) |
(When Authentication is User Password) Generates a random temporary password according to the settings in the password policy. Generated passwords are one-time passwords. The administrator is prompted to enter a new password at the first logon. |
Confirm Password | (When Authentication is User Password) Confirms the password. |
Require Administrator to Change Password at First Logon
(Optional) |
(When Authentication is User Password) When selected, the administrator must enter a new password at the first logon. |
Always Active
(Optional) |
(When Authentication is User Password) When selected, the user account is active immediately and is never automatically disabled. |
Expiration Date
(Optional) |
(When Authentication is User Password) Specifies the date when the user account is automatically disabled. |
Authentication Method | (When Authentication is RADIUS or TACACS+) Specifies the authentication method provided by an external authentication server. |
Client Identity Type |
(When Authentication is Client Certificate) Specifies the attribute in the certificate that is used to identify the administrator.
|
Fetch From Certificate (Optional) |
(When Authentication is Client Certificate) Gets the value of the selected attribute from a certificate that you import. Opens the Import Certificate dialog box. |
Identity Value |
(When Authentication is Client Certificate) Specifies the value of the selected attribute. |
Option | Definition |
---|---|
Permissions tab | |
Unrestricted Permissions (Superuser) | When selected, the administrator can manage all elements and perform all actions without any restrictions. |
SMC Appliance Superuser (SMC Appliance only) |
When selected, the administrator can log on to the SMC Appliance command line. Administrators with unrestricted permissions (superusers) are allowed to log on to the SMC Appliance command line only if there are no administrators with SMC Appliance Superuser permissions. |
Restricted Permissions | When selected, the administrator has a limited set of rights that apply only to the elements granted to the administrator. |
Role
(Restricted Permissions only) |
Shows the role or roles assigned to the selected administrator: Operator, Editor, Owner, or Viewer. Click the cell to select the role from the drop-down list. |
Granted Elements
(Restricted Permissions only) |
Shows the elements that an administrator has been given permission to edit and install when the selected administrator role would otherwise prevent them from doing so. Double-click the cell to open the Select Element dialog box. |
Domains
(Restricted Permissions only) |
If Domains have been configured, shows the Domains in which the rights granted by the administrator role and the selected elements apply. Click the cell to select the Domain from the drop-down list. You can leave the default Shared Domain selected in the Domains cell. All elements automatically belong to the predefined Shared Domain if Domain elements have not been configured. You can also select the ALL Domains Access Control List to grant permissions for all Domains that have been defined. |
Add Role
(Restricted Permissions only) |
Adds a row to the table. |
Remove Role
(Restricted Permissions only) |
Removes the selected role from the selected administrator. |
Allow Administrators to Log On to the Shared Domain (Multiple Domains only) |
When selected, allows the administrator to log on to the Shared Domain. Otherwise, the administrator is only allowed to log on to the specified Domains. |
Log Filters
(Restricted Permissions only) |
|
Filter | You can select filters that are applied before logs from the granted elements are shown to the administrator. Click Select to select a filter. |
Option | Definition |
---|---|
Color Filters tab | |
Log and Alert | Specifies the colors for logs and alerts displayed in the Logs view. |
Connections | Specifies the colors for currently open connections displayed in the Connections view. |
Block list | Specifies the colors for block list entries in the Block list view. |
SD-WAN SAs | Specifies the colors for Internet Exchange Keys (IKE) and IPsec protocols displayed in the SD-WAN SAs view. |
Users | Specifies the colors for different users in the Users view. |
Routing | Specifies the colors for routing entries displayed in the Routing Monitoring view. |
SSL VPNs | Specifies the colors for entries in the SSL VPN Monitoring view. |
Filter | Shows the color filters that are in use. |
Color | Specifies the color. To change the color, double-click the cell, then select the color from the palette. |
Comment | An optional comment for your own reference. |
Up | Moves the selected color filter up on the list. |
Down | Moves the selected color filter down on the list. |
Add | Adds color filter to the list. |
Remove | Removes a color filter from the list. |
Set to Default | Returns all changes to default settings. |
Option | Definition |
---|---|
Account Replication tab | |
Replicate Account on Selected engines | When selected, allows the replication of the administrator user account on the selected engines. |
Password | Specifies the password used when logging on to the engine. |
Confirm | Confirms the password. |
Generate password | Generates a random password according to the settings in the password policy. |
Allow executing root-level commands with the sudo tool | Allows the administrator to use sudo commands to execute root-level commands on the selected engines. |
Add | Adds Engines, Access Control Lists and Domains to the list. |
Remove | Removes Engines, Access Control Lists and Domains from the list. |
Local Filter Properties dialog box
Use this dialog box to change the properties of a local filter.
Option | Definition |
---|---|
Name | Specifies the name of the filter. |
Filters table |
|
Add | Select from the menu to add.
|
Remove | Removes the selected filter. |
Save | Opens the Filter Properties dialog box. |