How Does Multiple Administrators Support Work In SonicOS Enhanced?
05/21/2020 1067 14719
Overview / Scenario:
SonicOS Enhanced release 4.0 introduced support for multiple concurrent administrators. This feature allows for multiple users to log-in with full administrator privileges. In addition to using the default admin user name, additional administrator usernames can be created.
Because of the potential for conflicts caused by multiple administrators making configuration changes at the same time, only one administrator is allowed to make configuration changes. The additional administrators are given full access to the GUI, but they cannot make configuration changes.
TIP: For step-by-step details on configuring Multiple Administrators, refer to the See Also section at the end of this article.
The following sections describe how the Multiple Administrators Support feature works:
In order to allow multiple concurrent administrators, while also preventing potential conflicts caused by multiple administrators making configuration changes at the same time, the following configuration modes have been defined:
• Configuration mode - Administrator has full privileges to edit the configuration. If no administrator is already logged into the appliance, this is the default mode for administrators with full and limited administrator privileges (but not read-only administrators). NOTE: Administrators with full configuration privilege can also log in using the Command Line Interface (CLI).
• Read-only mode - Administrator cannot make any changes to the configuration, but can view and browse the entire management UI and perform monitoring actions. Only administrators that are members of the SonicWall Read-Only Admins user group are given read-only access, and it is the only configuration mode they can access.
• Non-configuration mode - Administrator can view the same information as members of the read-only group and they can also initiate management actions that do not have the potential to cause configuration conflicts.
Only administrators that are members of the SonicWall Administrators user group can access non-configuration mode. This mode can be entered when another administrator is already in configuration mode and the new administrator chooses not to preempt the existing administrator. By default, when an administrator is preempted out of configuration mode, he or she is converted to non-configuration mode. On the System > Administration page, this behavior can be modified so that the original administrator is logged out.
Table 1 provides a summary of the access rights available in each configuration mode. Access rights for limited administrators are also included, but note that this table does not list all functions available to limited administrators.
The Multiple Administrators Support feature introduces two new default user groups:
• SonicWall Administrators - Members of this group have full administrator access to edit the configuration.
• SonicWall Read-Only Admins - Members of this group have read-only access to view the full management interface, but they cannot edit the configuration and they cannot switch to full configuration mode.
It is not recommended to include users in more than one of these user groups. However, if you do so, the following behavior applies:
• If members of the SonicWall Administrators user group are also included in the Limited Administrators or SonicWall Read-Only Admins user groups, the members will have full administrator rights.
• If members of the Limited Administrators user group are included in the SonicWall Read-Only Admins user group, the members will have limited administrator rights.
Priority for Preempting Administrators
The following rules govern the priority levels that the various classes of administrators have for preempting administrators that are already logged into the appliance:
1. The admin user and SonicWall Global Management System (GMS) both have the highest priority and can preempt any users.
2. A user that is a member of the SonicWall Administrators user group can preempt any users except for the admin and SonicWall GMS.
3. A user that is a member of the Limited Administrators user group can only preempt other members of the Limited Administrators group.
GMS and Multiple Administrator Support
When using SonicWall GMS to manage a SonicWall security appliance, GMS frequently logs in to the appliance (for such activities as ensuring that GMS management IPSec tunnels have been created correctly). These frequent GMS log-ins can make local administration of the appliance difficult because the local administrator can be preempted by GMS.
Additional Administrator Roles:
Three additional management roles are available. They are not enabled by default, but can be enabled from the Manage | Appliance | Base Settings tab by selecting the 'Enable Multiple Administrative Roles' check-box under the Multiple Administrators section.
- System Administrator: Members of this group have access to a specific section of the UI important for checking the health of the firewall and some important configurations.
- Cryptographic Administrator: Members of this group get access to the VPN section of the firewall to make cryptographic changes.
- Audit Administrator: Members of this group get access to a very limited section of the firewall for auditing purposes.
All of the above roles are administrative roles and cannot be combined with SonicWall Administrators, SonicWall Read-Only Administrators, Limited Administrators, Guest Administrators, or with each other. If you try to do so, the SonicWall displays the error 'System, Crypto, and Audit Administrators can't share admin privileges with other admins'.
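The configuration-mode, group-overlap, preemption-priority and role-exclusivity rules above are easiest to see when written out as one small policy model. The following Python is an added illustration written for this article, not SonicWall code; the group names, the priority order and the error string are taken from the text above, while the function names, the `Admin`/`Appliance` types and the `UNSPECIFIED` marker (used where the feature module does not say what happens to a preempted limited administrator) are assumptions made here.

```python
"""Model of the SonicOS Enhanced multiple-administrator rules described above.

Added illustration only: function names, data classes and the UNSPECIFIED
marker are assumptions; group names and the error text come from the article.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

ADMIN_GROUP = "SonicWall Administrators"
READ_ONLY_GROUP = "SonicWall Read-Only Admins"
LIMITED_GROUP = "Limited Administrators"
GUEST_GROUP = "Guest Administrators"
ROLE_GROUPS = {"System Administrator", "Cryptographic Administrator", "Audit Administrator"}
OTHER_ADMIN_GROUPS = {ADMIN_GROUP, READ_ONLY_GROUP, LIMITED_GROUP, GUEST_GROUP}
ROLE_ERROR = "System, Crypto, and Audit Administrators can't share admin privileges with other admins"

# Marker for a case the feature module leaves unspecified (assumption, not SonicOS behaviour).
UNSPECIFIED = "unspecified by the feature module"


@dataclass
class Admin:
    name: str
    groups: frozenset = frozenset()
    is_gms: bool = False  # SonicWall GMS logs in with the same priority as 'admin'


@dataclass
class Appliance:
    config_holder: Optional[Admin] = None
    logout_on_preempt: bool = False  # the System > Administration setting described above


def admin_class(a: Admin) -> str:
    """Resolve overlapping group memberships into one effective administrator class."""
    roles = a.groups & ROLE_GROUPS
    # System/Crypto/Audit roles may not be combined with each other or any other admin group.
    if roles and (len(roles) > 1 or a.groups & OTHER_ADMIN_GROUPS):
        raise ValueError(ROLE_ERROR)
    if a.name == "admin" or a.is_gms:
        return "admin"           # highest priority: admin user and GMS
    if ADMIN_GROUP in a.groups:
        return "full"            # wins over Limited and Read-Only membership
    if LIMITED_GROUP in a.groups:
        return "limited"         # wins over Read-Only membership
    if READ_ONLY_GROUP in a.groups:
        return "read-only"
    if roles:
        return "role"            # restricted UI section; no preemption rule is given for these
    raise ValueError(f"{a.name} is not an administrator")


def can_preempt(new_cls: str, holder_cls: str) -> bool:
    """The three preemption priority rules."""
    if new_cls == "admin":
        return True                       # rule 1: admin / GMS preempt anyone
    if new_cls == "full":
        return holder_cls != "admin"      # rule 2: anyone except admin and GMS
    if new_cls == "limited":
        return holder_cls == "limited"    # rule 3: only other Limited Administrators
    return False                          # read-only and role admins never preempt


def login(app: Appliance, new: Admin, preempt: bool = True) -> Tuple[str, Optional[str]]:
    """Return (mode given to the new login, mode the previous config holder ends up in)."""
    cls = admin_class(new)
    if cls == "read-only":
        return "read-only", None          # the only mode this group can ever have
    if cls == "role":
        return "role-restricted", None    # the article only describes their UI section
    holder = app.config_holder
    if holder is None:
        app.config_holder = new           # nobody in config mode: full and limited admins get it
        return "configuration", None
    holder_cls = admin_class(holder)
    if preempt and can_preempt(cls, holder_cls):
        app.config_holder = new
        if app.logout_on_preempt:
            return "configuration", "logged out"
        if holder_cls in ("admin", "full"):
            return "configuration", "non-configuration"   # default for Administrators members
        return "configuration", UNSPECIFIED                 # preempted limited admin: not stated
    # Could not, or chose not to, preempt the current configuration holder.
    if cls in ("admin", "full"):
        return "non-configuration", "configuration"
    return UNSPECIFIED, "configuration"


if __name__ == "__main__":
    fw = Appliance()
    alice = Admin("alice", frozenset({ADMIN_GROUP}))
    print(login(fw, alice))                           # ('configuration', None)
    print(login(fw, Admin("admin")))                  # ('configuration', 'non-configuration')
```

Running the block walks through the default case: the first Administrators-group member gets configuration mode, and the built-in admin then preempts her into non-configuration mode. Setting `logout_on_preempt=True` on the `Appliance` reproduces the alternative behaviour selectable on the System > Administration page.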
See Also:
UTM: How to Configure Additional Administrators User Profiles in SonicOS Enhanced?
UTM: How to Configure Additional Administrators Locally when Using LDAP or RADIUS in SonicOS Enhanced?
UTM: How to switch from non-config mode to full configuration mode while accessing the SonicWall Management Interface in SonicOS Enhanced?
Source: SonicOS Enhanced 5.0 Multiple Administrators Feature Module