Replicate administrator accounts on engines

You can replicate SMC administrator accounts as local administrator accounts on selected engines. This enables several administrators to access an engine locally with the security privileges of the root user.

Before you begin

Before replication, each administrator must have an existing SMC administrator account. However, they must not have existing accounts on the engine.

Several administrators might need to access a single engine for troubleshooting or for configuring features that are not yet available through the Management Client. It is a good security practice to create each of them a separate account with a personal password and permissions. This practice enables more granular and accurate auditing as well.

The root administrator can limit and configure the engine administrators' permissions individually in the local engine sudo security policy. When an administrator is allowed to use sudo commands to execute root-level commands on the engine, by default all commands are allowed on the engine. You can limit the commands allowed for an administrator by editing the configuration for the sudo package. Engine configuration files for sudo are in the /data/config/sudoers.d/ directory on the engine.

Note: Administrator Permissions and Roles or other configurations done in the Management Client are not replicated on the engine.

  For more details about the product and how to configure features, click Help or press F1.

Steps

  1. Select Configuration, then browse to Administration.
  2. Expand the Access Rights branch and click Administrators.
  3. Right-click the Administrator and select Properties.
  4. Click the Account Replication tab.
  5. Select Replicate Account on Selected Engines.
  6. (Optional) To allow the use of sudo commands to execute root-level commands, select Allow executing root-level commands with the sudo tool.
  7. In the Password field, enter the password and confirm it in the Confirm field. You can also click Generate Password to generate a random 7-digit alphanumeric password.
  8. To select the NGFW Engines elements where the accounts are replicated to, click Add.
  9. Select Access Control Lists, Domains, or NGFW Engines and then select the element by clicking Select.
  10. Click OK.

Result

The administrator account is replicated on the engines if the engines are online and have a connection to the Management Server.

Administrator Properties dialog box

Use this dialog box to change the properties of an Administrator element.

Option Definition
General tab
Type Specifies where the administrator account is stored.
  • Local — The administrator account is stored locally on the Management Server.
  • Linked to LDAP — The administrator account is stored in an integrated external directory server.
User

(When Linked to LDAP is selected)

Specifies the user account on the integrated external directory server to which the administrator account is linked. Click Select to select an element.
User Domain

(When Linked to LDAP is selected. Not editable.)

Shows the LDAP domain to which the user account on the integrated external directory server belongs.
Group

(When Linked to LDAP is selected. Optional.)

Specifies the user group in the integrated external directory server to which the user account must belong for SMC access to be allowed. Click Select to select an element.
Name Specifies the user name that the administrator uses to log on to the Management Client. When Linked to LDAP is selected, this field is not editable.
Comment

(Optional)

A comment for your own reference.
Authentication

Specifies the type of authentication for administrator logons.

  • Local Username and Password — When selected, authentication is done by the Management Server using a user name and password.
  • RADIUS — When selected, RADIUS authentication is done by an external authentication server.
  • TACACS+ — When selected, TACACS+ authentication is done by an external authentication server.
  • LDAP — When selected, authentication is done using simple password authentication against integrated external LDAP databases. This option is only available when Linked to LDAP is selected.
  • Client Certificate — When selected, authentication is done by the Management Server using an X.509 certificate presented by the administrator.
Password

(When Local Username and Password is selected)

Specifies the password.
Generate Password

(Optional, when Local Username and Password is selected)

Generates a random temporary password according to the settings in the password policy. Generated passwords are one-time passwords. The administrator is prompted to enter a new password at the first logon.
Confirm Password

(When Local Username and Password is selected)

Confirms the password.
Require Administrator to Change Password at First Logon

(Optional, when Local Username and Password is selected)

When selected, the administrator must enter a new password at the first logon.
Always Active

(Optional, when Local Username and Password is selected)

When selected, the user account is active immediately and is never automatically disabled.
Expiration Date

(Optional, when Local Username and Password is selected)

Specifies the date when the user account is automatically disabled.
Authentication Method

(When RADIUS or TACACS+ is selected)

Specifies the authentication method provided by an external authentication server.
Client Identity Type

(When Client Certificate is selected)

Specifies the attribute in the certificate that is used to identify the administrator.

  • Distinguished Name — The distinguished name (DN) attribute identifies the administrator.
  • Common Name — The common name (CN) attribute identifies the administrator.
  • User Principal Name — The user principal name (UPN) that is mapped to the certificate identifies the administrator.
  • Email — The email address identifies the administrator.
  • SHA-256 — The SHA-256 hash of the certificate identifies the administrator.
  • SHA-512 — The SHA-512 hash of the certificate identifies the administrator.
Fetch From Certificate

(Optional, when Client Certificate is selected)

Gets the value of the selected attribute from a certificate that you import.

Opens the Import Certificate dialog box.

Identity Value

(When Client Certificate is selected)

Specifies the value of the selected attribute.

Option Definition
Permissions tab
Unrestricted Permissions (Superuser) When selected, the administrator can manage all elements and perform all actions without any restrictions.
SMC Appliance Superuser

(SMC Appliance only)

When selected, the administrator can log on to the SMC Appliance command line.

Administrators with unrestricted permissions (superusers) are allowed to log on to the SMC Appliance command line only if there are no administrators with SMC Appliance Superuser permissions.

Restricted Permissions When selected, the administrator has a limited set of rights that apply only to the elements granted to the administrator.
Role

(Restricted Permissions only)

Shows the role or roles assigned to the selected administrator: Operator, Editor, Owner, or Viewer. Click the cell to select the role from the drop-down list.
Granted Elements

(Restricted Permissions only)

Shows the elements that an administrator has been given permission to edit and install when the selected administrator role would otherwise prevent them from doing so. Double-click the cell to open the Select Element dialog box.
Domains

(Restricted Permissions only)

If Domains have been configured, shows the Domains in which the rights granted by the administrator role and the selected elements apply. Click the cell to select the Domain from the drop-down list.

You can leave the default Shared Domain selected in the Domains cell. All elements automatically belong to the predefined Shared Domain if Domain elements have not been configured. You can also select the ALL Domains Access Control List to grant permissions for all Domains that have been defined.

Add Role

(Restricted Permissions only)

Adds a row to the table.
Remove Role

(Restricted Permissions only)

Removes the selected role from the selected administrator.
Allow Administrators to Log On to the Shared Domain

(Multiple Domains only)

When selected, allows the administrator to log on to the Shared Domain. Otherwise, the administrator is only allowed to log on to the specified Domains.
>Log Filters

(Restricted Permissions only)

Filter You can select filters that are applied before logs from the granted elements are shown to the administrator.
Select Opens the Local Filter Properties dialog box. Shows the selected Log Filters.
Option Definition
Color Filters tab
Log and Alert Specifies the colors for logs and alerts displayed in the Logs view.
Connections Specifies the colors for currently open connections displayed in the Connections view.
Blacklist Specifies the colors for blacklist entries in the Blacklist view.
VPN SAs Specifies the colors for Internet Exchange Keys (IKE) and IPsec protocols displayed in the VPN SAs view.
Users Specifies the colors for different users in the Users view.
Routing Specifies the colors for routing entries displayed in the Routing Monitoring view.
SSL VPNs Specifies the colors for entries in the SSL VPN Monitoring view.
Filter Shows the color filters that are in use.
Color Specifies the color. To change the color, double-click the cell, then select the color from the palette.
Comment An optional comment for your own reference.
Up Moves the selected color filter up on the list.
Down Moves the selected color filter down on the list.
Add Adds color filter to the list.
Remove Removes a color filter from the list.
Set to Default Returns all changes to default settings.
Option Definition
Account Replication tab
Replicate Account on Selected engines When selected, allows the replication of the administrator user account on the selected engines.
Password Specifies the password used when logging on to the engine.
Confirm Confirms the password.
Generate password Generates a random password according to the settings in the password policy.
Allow executing root-level commands with the sudo tool Allows the administrator to use sudo commands to execute root-level commands on the selected engines.
Add Adds Engines, Access Control Lists and Domains to the list.
Remove Removes Engines, Access Control Lists and Domains from the list.