Getting started with administrator accounts

An administrator account specifies the actions for which the administrator has permissions, such as creating elements and browsing logs.

You can define administrator rights for each administrator. You can give different permissions to each administrator globally, for specific administrative Domains, for specific groups of elements, and even for individual elements. Depending on the element, there are different levels of access that you can grant.

The Management Server contains information about all elements to make sure that administrator actions are limited by the rights defined in the administrator account. Administrators can edit an element only if they are allowed to edit all configurations where the element is used. The Management Server also prevents administrators from deleting elements that are still used in some other configuration, from editing the same Policy element simultaneously, and from making conflicting changes to the same element.

How administrator accounts can be configured

  • An unrestricted (superuser) administrator is created during the installation of an SMC Appliance.
  • You can configure administrators in the Management Client with these steps:
    1. Sets of administrator permissions are defined as reusable lists.
    2. Each list of permissions is applied to a specific group of elements.
    3. Define the administrator permissions.

      Several different pairs of permissions and elements can be applied to a single administrator account. These permissions can include, for example, viewing access to some elements and editing access to other elements. You can also create unrestricted accounts for “superusers” that have permissions for any action on any element. Some maintenance tasks require an unrestricted account.

Command-line administrator rights are available for engines and for the all-in-one SMC Appliance. To log on to the SMC Appliance command line, administrators must have SMC Appliance Superuser administrator permissions. Administrators with unrestricted permissions (superusers) are allowed to log on to the SMC Appliance command line only if there are no administrators with SMC Appliance Superuser permissions. All administrator accounts with SMC Appliance Superuser permissions are automatically replicated to the SMC Appliance and can execute root-level commands using the sudo tool.

In the Management Client, administrator accounts can be configured to replicate to engines. If needed, administrator accounts can also be granted sudo permission to engines.
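The command-line rules above can be modeled for an access review, as in the following added example (not SMC code or an SMC export format). It shows that granting the first SMC Appliance Superuser permission removes the fallback command-line logon from unrestricted accounts. The record fields, function names, and sample accounts are hypothetical, and the example assumes that sudo on engines only takes effect for replicated accounts.

```python
from dataclasses import dataclass

# Hypothetical account record; field names are illustrative, not an SMC export format.
@dataclass(frozen=True)
class Admin:
    name: str
    unrestricted: bool = False          # "superuser": any action on any element
    appliance_superuser: bool = False   # SMC Appliance Superuser permission
    replicated_to_engines: bool = False
    engine_sudo: bool = False

def appliance_cli_admins(admins):
    """Accounts allowed to log on to the SMC Appliance command line."""
    dedicated = sorted(a.name for a in admins if a.appliance_superuser)
    if dedicated:
        return dedicated
    # Fallback from the text: unrestricted accounts may log on only when
    # no account holds SMC Appliance Superuser permissions.
    return sorted(a.name for a in admins if a.unrestricted)

def root_capable(admins):
    """Accounts that can run root-level commands with sudo, per target."""
    return {
        "smc_appliance": sorted(a.name for a in admins if a.appliance_superuser),
        # Assumption: engine sudo only takes effect for replicated accounts.
        "engines": sorted(a.name for a in admins
                          if a.replicated_to_engines and a.engine_sudo),
    }

def cli_access_lost(before, after):
    """Accounts whose appliance CLI logon disappears after a permission change."""
    return sorted(set(appliance_cli_admins(before)) - set(appliance_cli_admins(after)))

# Constructed sample inventory.
SAMPLE = [
    Admin("alice", unrestricted=True),
    Admin("bob", unrestricted=True, replicated_to_engines=True, engine_sudo=True),
    Admin("carol", replicated_to_engines=True),
]

if __name__ == "__main__":
    print("CLI before:", appliance_cli_admins(SAMPLE))
    changed = SAMPLE + [Admin("dave", appliance_superuser=True)]
    print("CLI after: ", appliance_cli_admins(changed))
    print("Lost CLI:  ", cli_access_lost(SAMPLE, changed))
    print("Root:      ", root_capable(changed))
```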