This document describes the various administrative access levels, or predefined user roles, that are available on the Email Security Appliance (ESA).
What are the levels of administrative access available on the ESA?
When you create a new user account, you assign the user to a predefined or a custom user role. Each user role contains different levels of privileges within the OS and appliance access, as follows:
User accounts with the Administrator role have full access to all configuration settings of the system. However, only the admin user has access to the resetconfig and revert commands.
User accounts with the Operator role are restricted from:
Creating or editing user accounts.
Issuing the resetconfig command.
Upgrading the appliance.
Issuing the systemsetup command or running the System Setup Wizard.
Issuing the adminaccessconfig command.
Performing some quarantine functions (including creating, editing, deleting, and centralizing quarantines).
Modifying LDAP server profile settings other than username and password, if LDAP is enabled for external authentication.
Otherwise, they have the same privileges as the Administrator role.
User accounts with the Read-Only Operator role have access to view configuration information. Users with the Read-Only Operator role can make and submit changes to see how to configure a feature, but they cannot commit them. Users with this role can manage messages in quarantines, if access is enabled in a quarantine.
Users with this role cannot access the following:
File system, FTP, or SCP.
Settings for creating, editing, deleting, or centralizing quarantines.
Users accounts with the Guest role can only view status information. Users with the Guest role can also manage messages in quarantines, if access is enabled in a quarantine. Users with the Guest role cannot access Message Tracking.
User accounts with the Technician role can perform system upgrades, reboot the appliance, and manage feature keys. Technicians can also perform the following actions in order to upgrade the appliance:
Suspend email delivery and receiving.
View status of workqueue and listeners.
Save and email configuration files.
Back up safelists and blocklists. Technicians cannot restore these lists.
Disconnect the appliance from a cluster.
Enable or disable remote service access for Cisco technical support.
Raise a support request.
Help Desk Users
User accounts with the Help Desk User role are restricted to:
Managing messages in quarantines.
Users with this role cannot access to the rest of the system, including the CLI. You need to enable access in each quarantine before a user with this role can manage them.
Custom user role
User accounts with a custom user role can only access email security features assigned to the role. These features can be any combination of DLP policies, email policies, reports, quarantines, local message tracking, encryption profiles, and the Trace debugging tool. The users cannot access system configuration features. Only administrators can define custom user roles.
Note: Users assigned to custom roles cannot access the CLI.
The default user account for the system, admin, has all administrative privileges. The admin user account cannot be deleted, but you can change the password and lock the account.
Although there is no limit to the number of user accounts that you can create on the appliance, you cannot create user accounts with names that are reserved by the system. For example, you cannot create the user accounts named "operator" or "root."
All roles defined per above can access both the GUI and the CLI, except the Help Desk User role and custom user roles, which can only access the GUI.