Working with User Accounts
The Cisco appliance provides two methods for adding user accounts: creating user accounts on the Cisco appliance itself, and enabling user authentication using your own centralized authentication system, which can be either an LDAP or RADIUS directory. You can manage users and connections to external authentication sources on the System Administration > Users page in the GUI (or by using the userconfig command in the CLI). For information about using an external directory to authenticate users, see External Authentication.
- The System Administration > Users page in the web interface. See Two-Factor Authentication.
- The userconfig > twofactorauth command in the CLI. See the CLI Reference Guide for AsyncOS for Cisco Email Security Appliances.
The default user account for the system, admin, has all administrative privileges. The admin user account cannot be deleted, but you can change the passphrase and lock the account.
When you create a new user account, you assign the user to a predefined or a custom user role. Each role contains differing levels of permissions within the system.
Although there is no limit to the number of user accounts that you can create on the appliance, you cannot create user accounts with names that are reserved by the system. For example, you cannot create user accounts named “operator” or “root.”
User Roles
User Role | Description
---|---
admin | The admin user is the default user account for the system and has all administrative privileges. The admin user account is listed here for convenience, but it cannot be assigned via a user role, and it cannot be edited or deleted, aside from changing the passphrase. Only the admin user can issue the resetconfig and revert commands.
Administrator | User accounts with the Administrator role have full access to all configuration settings of the system. However, only the admin user has access to the resetconfig and revert commands.
Technician | User accounts with the Technician role can perform system upgrades, reboot the appliance, and manage feature keys. Technicians can also perform the following actions in order to upgrade the appliance:
Operator | User accounts with the Operator role are restricted from: Otherwise, they have the same privileges as the Administrator role.
Guest | User accounts with the Guest role can only view status information and reports. Users with the Guest role can also manage messages in quarantines, if access is enabled in a quarantine. Users with the Guest role cannot access Message Tracking.
Read-Only Operator | User accounts with the Read-Only Operator role have access to view configuration information. Users with the Read-Only Operator role can make and submit changes to see how to configure a feature, but they cannot commit them. Users with this role can manage messages in quarantines, if access is enabled in a quarantine. Users with this role cannot access the following:
Help Desk User | User accounts with the Help Desk User role are restricted to: Users with this role cannot access the rest of the system, including the CLI. You need to enable access in each quarantine before a user with this role can manage them.
Custom user role | User accounts with a custom user role can only access the email security features assigned to the role. These features can be any combination of DLP policies, email policies, reports, quarantines, local message tracking, encryption profiles, and the Trace debugging tool. The users cannot access system configuration features, including enabling features globally. Only administrators can define custom user roles. See Managing Custom User Roles for Delegated Administration for more information.
All roles defined in the above table can access both the GUI and the CLI, except the Help Desk User role and custom user roles, which can only access the GUI.
If you use an LDAP directory to authenticate users, you assign directory groups to user roles instead of individual users. When you assign a directory group to a user role, each user in that group receives the permissions defined for the user role. For more information, see External Authentication.
Managing Users
The Users page lists the existing users for the system, including the username, full name, and user type or group.
From the Users page, you can:
- Add new users. For more information, see Adding Users.
- Delete users. For more information, see Deleting Users.
- Edit users, such as changing a user’s passphrase and locking and unlocking a user’s account. For more information, see Editing Users.
- Force users to change their passphrases. See Force Users To Change Their Passphrases.
- Configure user account and passphrase settings for local accounts. For more information, see Configuring Restrictive User Account and Passphrase Settings.
- Enable the appliance to use an LDAP or RADIUS directory to authenticate users. For more information, see External Authentication.
- Enable two-factor authentication for specific user roles. For more information, see Two-Factor Authentication.
- Enable access for non-administrators to DLP Matched Content in Message Tracking. See Controlling Access to Sensitive Information in Message Tracking for more information.
Adding Users
Before You Begin
- Determine the user roles you will use.
- For descriptions of predefined user roles, see User Roles.
- To create custom roles, see Managing Custom User Roles for Delegated Administration.
- Specify your passphrase requirements. See Configuring Restrictive User Account and Passphrase Settings.
Procedure
1. Choose System Administration > Users.
2. Click Add User.
3. Enter a login name for the user. Some words are reserved (such as “operator” or “root”).
4. Enter the user’s full name.
5. Select a predefined or custom user role.
6. Enter a passphrase.
7. Submit and commit your changes.
Editing Users
Use this procedure to modify an existing user account, for example to change the user’s passphrase or to lock or unlock the account.
Procedure
1. Choose System Administration > Users.
2. Click the user’s name in the Users listing.
3. Make changes to the user.
4. Submit and commit your changes.
Force Users To Change Their Passphrases
Procedure
1. Choose System Administration > Users.
2. Select the users from the Users listing.
3. Click Enforce Passphrase Change.
4. Choose whether the users must change the passphrase during the next login or after a specified duration (in days).
5. (Optional) If you are enforcing a passphrase change after a specified duration, set the grace period (in days) to reset the passphrase after the passphrase expires.
6. Click OK.
7. Submit and commit your changes.
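The following added example (not Cisco's code) models the two enforcement options from this procedure, change at next login or expiry after a duration with an optional grace period, so that an administrator can audit which local accounts currently need a passphrase change. It assumes that an account whose grace period has elapsed without a reset is locked out; the page does not state what happens at that point.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional


@dataclass
class LocalUser:
    name: str
    last_changed: date                   # date the passphrase was last set
    change_at_next_login: bool = False   # "during the next login" option
    max_age_days: Optional[int] = None   # "after a specified duration" option
    grace_days: int = 0                  # reset window after expiry


def enforce_passphrase_change(users: List[LocalUser], next_login: bool = False,
                              duration_days: Optional[int] = None,
                              grace_days: int = 0) -> List[LocalUser]:
    """Apply the Enforce Passphrase Change dialog to the selected users.

    Exactly one of next_login / duration_days must be chosen, as in the GUI.
    """
    if next_login == (duration_days is not None):
        raise ValueError("choose exactly one: next_login or duration_days")
    for u in users:
        if next_login:
            u.change_at_next_login = True
        else:
            u.max_age_days = duration_days
            u.grace_days = grace_days
    return users


def passphrase_state(user: LocalUser, today: date) -> str:
    """Return 'ok', 'change-required', 'expired-in-grace' or 'locked-out'."""
    if user.change_at_next_login:
        return "change-required"
    if user.max_age_days is None:
        return "ok"
    expires = user.last_changed + timedelta(days=user.max_age_days)
    if today < expires:
        return "ok"
    if today < expires + timedelta(days=user.grace_days):
        return "expired-in-grace"
    return "locked-out"  # assumption: no reset possible once the grace period ends


def audit(users: List[LocalUser], today_iso: str) -> dict:
    """Map each account name to its passphrase state on the given ISO date."""
    today = date.fromisoformat(today_iso)
    return {u.name: passphrase_state(u, today) for u in users}


def sample_users() -> List[LocalUser]:
    # Constructed sample accounts for demonstration only.
    return [LocalUser("alice", date(2024, 1, 1)), LocalUser("bob", date(2024, 3, 1))]
```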
Deleting Users
Procedure
1. Click the trash can icon corresponding to the user’s name in the Users listing.
2. Confirm the deletion by clicking Delete in the warning dialog that appears.
3. Commit your changes.
Controlling Access to Sensitive Information in Message Tracking
You may want to restrict administrative access to message details that are likely to include sensitive information:
- Messages that violate Data Loss Prevention (DLP) policies may include information such as corporate confidential information or personal information, including credit card numbers and health records. By default, this content is visible to all users who have access to the appliance.
- URLs that are caught by outbreak filters or by content filters that are based on URL reputation or category may also be considered sensitive. By default, only users with Administrator privileges can view this content.
This sensitive content appears in dedicated tabs on the Message Details page for messages listed in Message Tracking results.
You can hide these tabs and their content from administrative users based on their user role. However, although there is an option to hide this sensitive content from users who have the Administrator role, any user with the Administrator role can change these permissions and thus view sensitive information at any time.
Before You Begin
Ensure that you have met the prerequisites for these features. See Displaying URL Details in Message Tracking.
Procedure
1. Go to the System Administration > Users page.
2. Under Access to Sensitive Information in Message Tracking, click Edit Settings.
3. Select the roles for which you want to grant access to each type of sensitive information. Custom roles without access to Message Tracking can never view this information and thus are not listed.
4. Submit and commit your changes.