How can I configure additional Administrator User profiles in SonicOS Enhanced?

10/14/2021


    Description

    SonicOS Enhanced release 4.0 introduced support for multiple concurrent administrators. This feature allows multiple users to log in with full administrator privileges. In addition to the default admin user name, additional administrator user names can be created.

    Because of the potential for conflicts caused by multiple administrators making configuration changes at the same time, only one administrator is allowed to make configuration changes. The additional administrators are given full access to the GUI, but they cannot make configuration changes.

    NOTE: Administrators with full configuration privilege can also log in using the Command Line Interface (CLI).

    Resolution

    Resolution for SonicOS 7.X

    This release includes significant user interface changes and many new features that are different from the SonicOS 6.5 and earlier firmware. The below resolution is for customers using SonicOS 7.X firmware.



    1. Click on Device.
    2. Navigate to the Users | Local Users & Groups page and click the Local Users tab.
    3. Click Add User.
    4. Enter a Name and Password for the user. 
    5. Click on the Groups tab.
    6. Select the appropriate group to give the user Administrator privileges.

      Limited Administrators - The user has limited administrator configuration privileges.
      SonicWall Administrators - The user has full administrator configuration privileges.
      SonicWall Read-Only Admins - The user can view the entire management interface, but cannot make any changes to the configuration.

    7. Click the right arrow button and click Save.
    8. To configure the multiple administrator feature such that administrators are logged out when they are preempted, navigate to the Device | Settings | Administration | Login/Multiple Administrator tab.
    9. Select the Log out radio button for the On preemption by another administrator option and click Accept.


    Additional Administrative Roles

    The additional roles can be enabled by setting the ‘Multiple Administrative Roles’ under Device | Settings | Administration | Login/Multiple Administrator page.

    1. System Administrator (System): This role gives access to certain sections of the firewall that can help check the health of the firewall.

    2. Cryptographic Administrator (Crypto): This role gives access to the VPN sections of the firewall alone.

    3. Audit Administrator (Audit): This role gives access to the sections that could be necessary for auditing purposes.

    NOTE: When a user is a part of SonicWall Administrators and any one of the extra management roles like System Administrators, Cryptographic (Crypto) Administrators, or Audit Administrators, the full administration rights take precedence, and the user will be logged into SonicWall with full admin rights.


    Preempting Administrators

    When an administrator attempts to log in while another administrator is logged in, the following message is displayed. The message displays the current administrator’s user name, IP address, phone number (if it can be retrieved from LDAP), and whether the administrator is logged in using the GUI or CLI.

    This window gives you three options:

    • Continue - Preempts the current administrator. The current administrator is dropped to non-config mode and you are given full administrator access. 
    • Non-config - You are logged into the appliance in non-config mode. The current administrator’s session is not disturbed. 
    • Do NOT Begin Management - Returns to the authentication screen.


    Activating Configuration Mode 

    When logging in as a user with administrator rights (that is not the admin user), the User Login Status Popup window is displayed.


    Disabling the User Login Status Popup 

    You can disable the User Login Status Popup window if you prefer to allow certain users to log in solely for the purpose of managing the appliance, rather than for privileged access through the appliance. To disable the Popup window, select the Members go straight to the management UI on web login checkbox when adding or editing the local group.

    If you want some user accounts to be administrative only, while other users need to log in for privileged access through the appliance, but also with the ability to administer it (that is, some go straight to the management interface on login, while others get the User Login Status Popup window with a Manage button), this can be achieved as follows:

    1. Create a local group with the Members go straight to the management UI on web login checkbox selected.
    2. Add the group to the relevant administrative group, but do not select this checkbox in the administrative group.
    3. Add those user accounts that are to be administrative-only to the new user group. The User Login Status Popup window is disabled for these users.

    4. Add the user accounts that are to have privileged and administrative access directly to the top-level administrative group.
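
    The SonicOS 7.X precedence note and the nested-group procedure above can be checked offline against a list of users and groups. This is an added example, not SonicWall code: the data layout, the group name `Mgmt Only`, the user names, and the rule that the checkbox applies when any group in a user's membership chain has it selected are assumptions made for illustration.

```python
# Added example: audit model for the SonicOS 7.X rules described on this page.
# The data layout is constructed; it is not a SonicOS export format.

FULL_ADMIN = "SonicWall Administrators"
# Extra management roles, named as in the page's NOTE.
ROLE_GROUPS = {"System Administrators", "Cryptographic Administrators",
               "Audit Administrators"}

# Constructed sample: each group lists the groups it is a member of and
# whether "Members go straight to the management UI on web login" is selected.
GROUPS = {
    FULL_ADMIN: {"member_of": [], "straight_to_ui": False},
    "Audit Administrators": {"member_of": [], "straight_to_ui": False},
    "Mgmt Only": {"member_of": [FULL_ADMIN], "straight_to_ui": True},  # hypothetical
}
# Constructed sample users and their direct group memberships.
USERS = {
    "alice": ["Mgmt Only"],                         # administrative-only account
    "bob": [FULL_ADMIN],                            # direct member, sees the popup
    "carol": ["Audit Administrators", FULL_ADMIN],  # role overridden by full admin
    "dave": ["Audit Administrators"],               # audit role only
}


def effective_groups(direct, groups):
    """Return every group reached from the direct memberships, following nesting."""
    seen, stack = set(), list(direct)
    while stack:
        group = stack.pop()
        if group in seen:
            continue  # already visited; also protects against membership loops
        seen.add(group)
        stack.extend(groups.get(group, {}).get("member_of", []))
    return seen


def audit_user(name, users, groups):
    """Summarise what a user's memberships amount to under the 7.X rules."""
    eff = effective_groups(users[name], groups)
    full = FULL_ADMIN in eff
    return {
        "full_admin": full,
        # Per the NOTE, full administration rights take precedence, so any
        # extra role held alongside them does not restrict the account.
        "shadowed_roles": sorted(eff & ROLE_GROUPS) if full else [],
        # Assumption: the checkbox on any group in the chain applies.
        "straight_to_ui": any(groups.get(g, {}).get("straight_to_ui") for g in eff),
        # Full admin gained only through a nested group is easy to overlook.
        "via_nested_group": full and FULL_ADMIN not in users[name],
    }


def findings(users, groups):
    """Return (user, message) pairs worth a reviewer's attention."""
    out = []
    for name in sorted(users):
        result = audit_user(name, users, groups)
        if result["shadowed_roles"]:
            out.append((name, "full admin overrides: " + ", ".join(result["shadowed_roles"])))
        if result["via_nested_group"]:
            out.append((name, "full admin inherited through a nested group"))
    return out


if __name__ == "__main__":
    for user, message in findings(USERS, GROUPS):
        print(f"{user}: {message}")
```
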



    Resolution for SonicOS 6.5

    This release includes significant user interface changes and many new features that are different from the SonicOS 6.2 and earlier firmware. The below resolution is for customers using SonicOS 6.5 firmware.



    1. Log in to your SonicWall management page and click the Manage tab at the top of the page.
    2. Navigate to the Users | Local Users & Groups page and click the Local Users tab.
    3. Click the Add button to open the Add User window.
    4. Enter a Name and Password for the user.
    5. Click on the Group Membership tab.
    6. Select the appropriate group to give the user Administrator privileges.
      Limited Administrators - The user has limited administrator configuration privileges. 
      SonicWall Administrators - The user has full administrator configuration privileges. 
      SonicWall Read-Only Admins - The user can view the entire management interface, but cannot make any changes to the configuration. 

    7. Click the right arrow button and click OK.
    8. To configure the multiple administrator feature such that administrators are logged out when they are preempted, navigate to the Appliance | Base Settings page under the Manage tab.
    9. Select the Log out radio button for the On preemption by another administrator option and click Accept.

    Additional Administrative Roles:

    The additional roles can be enabled by setting the ‘Multiple Administrative Roles’ under Manage | Appliance | Base Settings page.

    1. System Administrator (System): This role gives access to certain sections of the firewall that can help check the health of the firewall.
    2. Cryptographic Administrator (Crypto): This role gives access to the VPN sections of the firewall alone.
    3. Audit Administrator (Audit): This role gives access to the sections that could be necessary for auditing purposes.

    You cannot make a user part of Administrators and any one of the extra management roles like System Administrators, Cryptographic (Crypto) Administrators, or Audit Administrators; attempting to do so gives an error.

    Preempting Administrators

    When an administrator attempts to log in while another administrator is logged in, the following message is displayed. The message displays the current administrator’s user name, IP address, phone number (if it can be retrieved from LDAP), and whether the administrator is logged in using the GUI or CLI.

    This window gives you three options:

    • Continue - Preempts the current administrator. The current administrator is dropped to non-config mode and you are given full administrator access. 
    • Non-config - You are logged into the appliance in non-config mode. The current administrator’s session is not disturbed. 
    • Cancel - Returns to the authentication screen.


    Activating Configuration Mode 

    • When logging in as a user with administrator rights (that is not the admin user), the User Login Status Popup window is displayed.

    Disabling the User Login Status Popup 

    You can disable the User Login Status Popup window if you prefer to allow certain users to log in solely for the purpose of managing the appliance, rather than for privileged access through the appliance. To disable the Popup window, select the Members go straight to the management UI on web login checkbox when adding or editing the local group.

    If you want some user accounts to be administrative only, while other users need to log in for privileged access through the appliance, but also with the ability to administer it (that is, some go straight to the management interface on login, while others get the User Login Status Popup window with a Manage button), this can be achieved as follows:

    1. Create a local group with the Members go straight to the management UI on web login checkbox selected.
    2. Add the group to the relevant administrative group, but do not select this checkbox in the administrative group.
    3. Add those user accounts that are to be administrative-only to the new user group. The User Login Status Popup window is disabled for these users.
    4. Add the user accounts that are to have privileged and administrative access directly to the top-level administrative group.


    Viewing Multiple Administrator Related Log Messages

    Log messages are generated for the following events:

    1. A GUI or CLI user begins configuration mode (including when an admin logs in).
    2. A GUI or CLI user ends configuration mode (including when an admin logs out).
    3. A GUI user begins management in non-config mode (including when an admin logs in and when a user in configuration mode is preempted and dropped back to read-only mode).
    4. A GUI user begins management in read-only mode.
    5. A GUI user terminates either of the above management sessions (including when an admin logs out).





    Resolution for SonicOS 6.2 and Below

    The below resolution is for customers using SonicOS 6.2 and earlier firmware. For firewalls that are generation 6 and newer, we suggest upgrading to the latest general release of SonicOS 6.5 firmware.



    1. While logged in as admin, navigate to the Users | Local Users page.
    2. Click the Add User button.
    3. Enter a Name and Password for the user.
    4. Click on the Group Membership tab.
    5. Select the appropriate group to give the user Administrator privileges.

      Limited Administrators - The user has limited administrator configuration privileges.
      SonicWall Administrators - The user has full administrator configuration privileges.
      SonicWall Read-Only Admins - The user can view the entire management interface, but cannot make any changes to the configuration.

    6. Click the right arrow button and click OK.
    7. To configure the multiple administrator feature such that administrators are logged out when they are preempted, navigate to the System | Administration page.
    8. Select the Log out radio button for the On preemption by another administrator option and click Accept.


    Preempting Administrators

    When an administrator attempts to log in while another administrator is logged in, the following message is displayed. The message displays the current administrator’s user name, IP address, phone number (if it can be retrieved from LDAP), and whether the administrator is logged in using the GUI or CLI.

    This window gives you three options:

    • Continue - Preempts the current administrator. The current administrator is dropped to non-config mode and you are given full administrator access.
    • Non-config - You are logged into the appliance in non-config mode. The current administrator’s session is not disturbed.
    • Cancel - Returns to the authentication screen.

    Activating Configuration Mode 

    • When logging in as a user with administrator rights (that is not the admin user), the User Login Status Popup window is displayed.
    • To go to the SonicWall user interface, click the Manage button. You will be prompted to enter your password again. This is a safeguard to protect against unauthorized access when administrators are away from their computers and do not log out of their session.


    Disabling the User Login Status Popup 

    You can disable the User Login Status Popup window if you prefer to allow certain users to log in solely for the purpose of managing the appliance, rather than for privileged access through the appliance. To disable the Popup window, select the Members go straight to the management UI on web login checkbox when adding or editing the local group.

    If you want some user accounts to be administrative only, while other users need to log in for privileged access through the appliance, but also with the ability to administer it (that is, some go straight to the management interface on login, while others get the User Login Status Popup window with a Manage button), this can be achieved as follows:

    1. Create a local group with the Members go straight to the management UI on web login checkbox selected.
    2. Add the group to the relevant administrative group, but do not select this checkbox in the administrative group.
    3. Add those user accounts that are to be administrative-only to the new user group. The User Login Status Popup window is disabled for these users.
    4. Add the user accounts that are to have privileged and administrative access directly to the top-level administrative group.


    Viewing Multiple Administrator Related Log Messages

    Log messages are generated for the following events:

    1. A GUI or CLI user begins configuration mode (including when an admin logs in).
    2. A GUI or CLI user ends configuration mode (including when an admin logs out).
    3. A GUI user begins management in non-config mode (including when an admin logs in and when a user in configuration mode is preempted and dropped back to read-only mode).
    4. A GUI user begins management in read-only mode.
    5. A GUI user terminates either of the above management sessions (including when an admin logs out).
