Add administrator accounts

Administrator elements represent administrator accounts in the SMC. Administrators configure and monitor the SMC and the NGFW Engines.

An account with unrestricted permissions (superuser) is automatically created during installation to guarantee that a superuser account is available in the SMC. With this first account, you can create the necessary administrator accounts for daily management tasks. For the SMC Appliance, the account created during installation is also a user for the appliance.

The administrator accounts for the users of the optional Web Portal are defined with Web Portal User elements. All other administrator accounts are defined with Administrator elements.

There are several ways to authenticate administrator logons:

  • You can authenticate administrators using a password stored in the internal database of the SMC.
  • You can use a RADIUS or TACACS+ authentication method provided by an external authentication server.
  • You can authenticate administrators using simple password authentication against integrated external LDAP databases.
  • You can authenticate administrators using an X.509 certificate stored in the Windows certificate store or on a smart card, such as a Common Access Card (CAC).
    Note: Certificate-based authentication is not supported for Web Portal Users.
Note: We highly recommend that you define a unique administrator account for each administrator. Using shared accounts makes auditing difficult and can make it difficult to discover security breaches.

There are two general permission levels for the administrators:

  • Unrestricted permissions give the administrators the right to manage all elements without restriction, and the right to run scripts that require the administrators to authenticate themselves.

    Administrators with unrestricted permissions (superusers) can optionally also have SMC Appliance Superuser permissions that allow the administrators to log on to the SMC Appliance command line.

  • Restricted permissions allow you to define the administrator’s rights in detail using the Administrator Roles with individual elements and Access Control Lists.

If you change the permissions for existing administrator accounts, the administrators are notified that their permissions have changed the next time that they log on to the Management Client.

If you use administrative Domains, there are some more considerations:

  • You must create administrator accounts with unrestricted permissions in the Shared Domain.
  • You must select Domains for each administrator role.
  • Restricted accounts in the Shared Domain cannot access elements from any other Domains.
  • Restricted accounts in other Domains can be granted elements that belong to the Shared Domain. However, the granted elements must belong to a Domain that is allowed for the administrator role selected for the account. For example, an administrator account in another Domain has the operator role in the Shared Domain. The administrator can be granted a policy template from the Shared Domain. The administrator can view the full contents of the policy.

For more details about the product and how to configure features, click Help or press F1.

Steps

  1. Select Configuration, then browse to Administration.
  2. Right-click Access Rights and select New > Administrator.
  3. From the Type drop-down list, select where the administrator account is stored.
  4. If you selected Linked to LDAP, select the user and user group in the integrated external LDAP directory to which the administrator account is linked.
    1. Click Select next to the User field, then select a User element.
    2. (Optional) Click Select next to the Group field, then select the User Group to which the User element must belong for SMC access to be allowed.
  5. (When Local is selected) In the Name field, enter a unique name.
    The administrator uses this user name to log on to the Management Client. For administrator accounts that are linked to user accounts in an integrated external LDAP directory, the name is filled in automatically.
  6. To authenticate administrator logons using a user name and password on the Management Server, configure these options.
    1. From the Authentication drop-down list, select Local Username and Password.
    2. In the Password fields, enter and confirm the password, or click Generate Password to generate a temporary random password.
      Generated passwords are one-time passwords. The administrator is automatically prompted to enter a new password at the first logon.
      Note: If you replicate administrator accounts as local accounts on engines, you must define a separate password for the local engine accounts.
    3. (Optional, manually entered passwords) To require the administrator to enter a new password at the first logon, select Require Administrator to Change Password at First Logon.
  7. To authenticate administrator logons using RADIUS or TACACS+ authentication by an external authentication server, configure these options.
    1. From the Authentication drop-down list, select RADIUS or TACACS+.
    2. From the Authentication Method drop-down list, select an Authentication Method element, or click Select to select a different Authentication Method element.
  8. To authenticate administrator logons using simple password authentication against an integrated external LDAP database, select LDAP.
  9. To authenticate administrator logons using certificate-based authentication, configure these options.
    1. From the Authentication drop-down list, select Client Certificate.
    2. From the Client Identity Type drop-down list, select the certificate field that is used to identify the administrator.
    3. Specify the value of the certificate field in one of the following ways:
      • In the Identity Value field, enter the value of the certificate field.
      • Click Fetch From Certificate, then import the certificate to get the value from the certificate.
  10. On the Permissions tab, define the administrator permissions.
    CAUTION:
    Select only the minimum necessary permissions for each Administrator account.
  11. For administrator accounts with restricted permissions, define the rights and granted elements.
    1. Click Add Role.
      A new Administrator Role appears in the list.
    2. Click the Role cell and select the administrator role that defines the rights you want to set.
    3. Right-click the Granted Elements cell for the role and select Edit Granted Elements.
    4. Select the elements to which the rights granted by the administrator role apply.
      The Set to ALL action depends on the type of elements. For example, if you browse to Firewalls and click Set to ALL, the item All Firewalls is added. You can also select one or more predefined or user-created Access Control Lists. Simple elements includes all elements except elements that have a dedicated system Access Control List. For example, there are dedicated Access Control Lists for different types of NGFW Engines and their policies.
    5. (Optional) If Domain elements have been configured, click the Domains cell to select the Domains in which the rights granted by the administrator role and the selected elements apply.
    6. (Optional) If Domain elements have been configured, leave Allow Administrators to Log On to the Shared Domain selected to allow the administrator to log on to the Shared Domain. Otherwise, the administrator is only allowed to log on to the specified Domains.
  12. Click OK.

Administrator Properties dialog box

Use this dialog box to change the properties of an Administrator element.

Option Definition
General tab
Type Specifies where the administrator account is stored.
  • Local — The administrator account is stored locally on the Management Server.
  • Linked to LDAP — The administrator account is stored in an integrated external directory server.
User

(When Type is Linked to LDAP)

Specifies the user account on the integrated external directory server to which the administrator account is linked. Click Select to select an element.
User Domain

(Not editable)

(When Type is Linked to LDAP)

Shows the LDAP domain to which the user account on the integrated external directory server belongs.
Group

(Optional)

(When Type is Linked to LDAP)

Specifies the user group in the integrated external directory server to which the user account must belong for SMC access to be allowed. Click Select to select an element.
Name Specifies the user name that the administrator uses to log on to the Management Client. When Type is Linked to LDAP, this field is not editable.
Comment

(Optional)

A comment for your own reference.
Authentication

Specifies the type of authentication for administrator logons.

  • Local Username and Password — When selected, authentication is done by the Management Server using a user name and password.
  • RADIUS — When selected, RADIUS authentication is done by an external authentication server.
  • TACACS+ — When selected, TACACS+ authentication is done by an external authentication server.
  • LDAP — When selected, authentication is done using simple password authentication against integrated external LDAP databases. This option is only available when Linked to LDAP is selected.
  • Client Certificate — When selected, authentication is done by the Management Server using an X.509 certificate presented by the administrator.
Password

(When Authentication is Local Username and Password)

Specifies the password.
Generate Password

(Optional)

(When Authentication is Local Username and Password)

Generates a random temporary password according to the settings in the password policy. Generated passwords are one-time passwords. The administrator is prompted to enter a new password at the first logon.
Confirm Password

(When Authentication is Local Username and Password)

Confirms the password.
Require Administrator to Change Password at First Logon

(Optional)

(When Authentication is Local Username and Password)

When selected, the administrator must enter a new password at the first logon.
Always Active

(Optional)

(When Authentication is Local Username and Password)

When selected, the user account is active immediately and is never automatically disabled.
Expiration Date

(Optional)

(When Authentication is Local Username and Password)

Specifies the date when the user account is automatically disabled.
Authentication Method

(When Authentication is RADIUS or TACACS+)

Specifies the authentication method provided by an external authentication server.
Client Identity Type

(When Authentication is Client Certificate)

Specifies the attribute in the certificate that is used to identify the administrator.

  • Distinguished Name — The distinguished name (DN) attribute identifies the administrator.
  • Common Name — The common name (CN) attribute identifies the administrator.
  • User Principal Name — The user principal name (UPN) that is mapped to the certificate identifies the administrator.
  • Email — The email address identifies the administrator.
  • SHA-256 — The SHA-256 hash of the certificate identifies the administrator.
  • SHA-512 — The SHA-512 hash of the certificate identifies the administrator.
Fetch From Certificate

(Optional)

(When Authentication is Client Certificate)

Gets the value of the selected attribute from a certificate that you import.

Opens the Import Certificate dialog box.

Identity Value

(When Authentication is Client Certificate)

Specifies the value of the selected attribute.

Option Definition
Permissions tab
Unrestricted Permissions (Superuser) When selected, the administrator can manage all elements and perform all actions without any restrictions.
SMC Appliance Superuser

(SMC Appliance only)

When selected, the administrator can log on to the SMC Appliance command line.

Administrators with unrestricted permissions (superusers) are allowed to log on to the SMC Appliance command line only if there are no administrators with SMC Appliance Superuser permissions.

Restricted Permissions When selected, the administrator has a limited set of rights that apply only to the elements granted to the administrator.
Role

(Restricted Permissions only)

Shows the role or roles assigned to the selected administrator: Operator, Editor, Owner, or Viewer. Click the cell to select the role from the drop-down list.
Granted Elements

(Restricted Permissions only)

Shows the elements that an administrator has been given permission to edit and install when the selected administrator role would otherwise prevent them from doing so. Double-click the cell to open the Select Element dialog box.
Domains

(Restricted Permissions only)

If Domains have been configured, shows the Domains in which the rights granted by the administrator role and the selected elements apply. Click the cell to select the Domain from the drop-down list.

You can leave the default Shared Domain selected in the Domains cell. All elements automatically belong to the predefined Shared Domain if Domain elements have not been configured. You can also select the ALL Domains Access Control List to grant permissions for all Domains that have been defined.

Add Role

(Restricted Permissions only)

Adds a row to the table.
Remove Role

(Restricted Permissions only)

Removes the selected role from the selected administrator.
Allow Administrators to Log On to the Shared Domain

(Multiple Domains only)

When selected, allows the administrator to log on to the Shared Domain. Otherwise, the administrator is only allowed to log on to the specified Domains.
Log Filters

(Restricted Permissions only)

Filter You can select filters that are applied before logs from the granted elements are shown to the administrator. Click Select to select a filter.
Option Definition
Color Filters tab
Log and Alert Specifies the colors for logs and alerts displayed in the Logs view.
Connections Specifies the colors for currently open connections displayed in the Connections view.
Block list Specifies the colors for block list entries in the Block list view.
VPN SAs Specifies the colors for Internet Exchange Keys (IKE) and IPsec protocols displayed in the VPN SAs view.
Users Specifies the colors for different users in the Users view.
Routing Specifies the colors for routing entries displayed in the Routing Monitoring view.
SSL VPNs Specifies the colors for entries in the SSL VPN Monitoring view.
Filter Shows the color filters that are in use.
Color Specifies the color. To change the color, double-click the cell, then select the color from the palette.
Comment An optional comment for your own reference.
Up Moves the selected color filter up on the list.
Down Moves the selected color filter down on the list.
Add Adds color filter to the list.
Remove Removes a color filter from the list.
Set to Default Returns all changes to default settings.
Option Definition
Account Replication tab
Replicate Account on Selected engines When selected, allows the replication of the administrator user account on the selected engines.
Password Specifies the password used when logging on to the engine.
Confirm Confirms the password.
Generate password Generates a random password according to the settings in the password policy.
Allow executing root-level commands with the sudo tool Allows the administrator to use sudo commands to execute root-level commands on the selected engines.
Add Adds Engines, Access Control Lists and Domains to the list.
Remove Removes Engines, Access Control Lists and Domains from the list.