User Permissions
You can change the administrator or monitor passwords and define role-based users for the selected security policy in the User Permissions page.
For details about user permissions, see Managing user permissions.
Capability-Based Accounts
The system uses these accounts based on what actions the user can take:
• Admin—The system administrator user has full privileges. For example, as an administrator you may set and modify configuration settings, add and delete users, restart the optimization service, reboot the SteelHead, and create and view performance and system reports. The system administrator role allows you to add or remove a system administrator role for any other user, but not for yourself.
• Monitor—A monitor user may view reports, view user logs, and change their password. A monitor user can’t make configuration changes, modify private keys, view logs, or manage cryptographic modules in the system.
• Max Web Login Limit—You can configure the maximum number of logins to the web UI for the specified user. The default value is -1, which allows for unlimited logins.
• Max CLI Login Limit—Configure the maximum number of logins to the CLI for this user. The default value is -1, which allows for unlimited logins.
• Enable Account—Check this box to enable the specified account.
Role-Based Accounts
You can also create users, assign passwords to the user, and assign varying permissions based on the roles of the user.
An administrator role configures a system administrator role. Read-only permission isn’t allowed for this role. This role allows permission for all other RBM roles, including creating, editing and removing user accounts. The system administrator role allows you to add or remove a system administrator role for any other user, but not for yourself.
A user role determines whether the user has permission to:
• Read-only—With read-only privileges you can view current configuration settings but you can’t change them.
• Read/write—With read and write privileges you can view settings and make configuration changes for a feature.
• Deny—With deny privileges you can’t view settings or save configuration changes for a feature.
As an example, you might have user Jane who can make configuration changes to QoS and SSL whereas user John can only view these configuration settings; and finally, user Joe can’t view, change, or save the settings for these features.
Available menu items reflect the privileges of the user. For example, any menu items that a user doesn’t have permission to use are unavailable. When a user selects an unavailable link, the User Permissions page appears.
Combining permissions by feature
RiOS 9.0 and later require additional user permissions for path selection and QoS. For example, to change a QoS rule, a user needs read/write permission for the Network Settings role in addition to read/write permission for QoS.
This table summarizes the changes to the user permission requirements for RiOS 9.0 and later.
Management Console page | To configure this feature or change this section | Required read permission | Required read/write permission |
Networking > Topology: Sites & Networks | Networks | Network Settings Read-Only | Network Settings read/write |
| Sites | Network Settings Read-Only, QoS Read-Only, Path Selection Read-Only | Network Settings read/write, QoS read/write, Path Selection read/write |
Networking > App Definitions: Applications | Applications | Network Settings Read-Only | Network Settings read/write |
Networking > Network Services: Quality of Service | Enable QoS | Network Settings Read-Only | Network Settings read/write |
| Manage QoS Per Interface | Network Settings Read-Only | Network Settings read/write |
| QoS Profile | QoS Read-Only | QoS read/write |
| QoS Remote Site Info | Network Settings Read-Only, QoS Read-Only | — |
Networking > Network Services: QoS Profile Details | Profile Name | QoS Read-Only | QoS read/write |
| QoS Classes | QoS Read-Only | QoS read/write |
| QoS Rules | QoS Read-Only | Network Settings read/write, QoS read/write |
Path Selection | Enable Path Selection | Network Settings Read-Only | Network Settings read/write |
| Path Selection Rules | Network Settings Read-Only, Path Selection Read-Only | Network Settings read/write, Path Selection read/write |
| Uplink Status | Network Settings Read-Only, Path Selection Read-Only, Reports read/write | — |
Outbound QoS Report | | QoS Read-Only | QoS read/write |
Inbound QoS Report | | QoS Read-Only | QoS read/write |
Host Labels | | Network Settings Read-Only or QoS Read-Only | Network Settings read/write or QoS read/write |
Port Labels | | Network Settings Read-Only or QoS Read-Only | Network Settings read/write or QoS read/write |
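The combined requirements in the table above can be checked mechanically when reviewing role assignments for least privilege. The following Python code is an added example, not Riverbed code: it encodes five rows of the table and reports which role grants a user still lacks; the account data and the treatment of an ungranted role as Deny are assumptions.

```python
# Added example: checks role grants against the RiOS 9.0+ table above.
# Assumption: a role with no explicit grant is treated as "deny".
LEVEL = {"deny": 0, "read-only": 1, "read/write": 2}

# section -> action -> list of alternatives ("or" rows); each alternative
# maps role -> minimum level. None = the table lists no such permission.
REQUIREMENTS = {
    "QoS Profile": {"read": [{"QoS": "read-only"}],
                    "write": [{"QoS": "read/write"}]},
    "QoS Rules": {"read": [{"QoS": "read-only"}],
                  "write": [{"Network Settings": "read/write",
                             "QoS": "read/write"}]},
    "Path Selection Rules": {
        "read": [{"Network Settings": "read-only",
                  "Path Selection": "read-only"}],
        "write": [{"Network Settings": "read/write",
                   "Path Selection": "read/write"}]},
    "QoS Remote Site Info": {
        "read": [{"Network Settings": "read-only", "QoS": "read-only"}],
        "write": None},
    "Host Labels": {
        "read": [{"Network Settings": "read-only"}, {"QoS": "read-only"}],
        "write": [{"Network Settings": "read/write"}, {"QoS": "read/write"}]},
}

def missing(grants, section, action):
    """[] if allowed, else the fewest (role, level) grants still needed;
    None when the table defines no permission for that action."""
    alternatives = REQUIREMENTS[section][action]
    if alternatives is None:
        return None
    gaps = [sorted((role, need) for role, need in alt.items()
                   if LEVEL[grants.get(role, "deny")] < LEVEL[need])
            for alt in alternatives]
    return min(gaps, key=len)

def audit(users, action="write"):
    """user -> {section: gaps} for each section the user cannot use."""
    report = {}
    for name, grants in users.items():
        gaps = {s: missing(grants, s, action) for s in REQUIREMENTS}
        report[name] = {s: g for s, g in gaps.items() if g}
    return report

# Constructed accounts modelled on the Jane/John/Joe example on this page.
USERS = {
    "jane": {"QoS": "read/write", "SSL Optimization": "read/write"},
    "john": {"QoS": "read-only", "SSL Optimization": "read-only"},
    "joe": {"QoS": "deny", "SSL Optimization": "deny"},
}
```

Running `audit(USERS)` shows that Jane, despite QoS read/write, cannot change QoS rules until Network Settings read/write is also granted, while Host Labels are already writable for her through the "or" alternative.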
These configuration options are available:
admin/monitor changes the password or creates a default user account. Click the right arrow.
Change Password enables password protection. Password protection is an account control feature that allows you to select a password policy for more security. When you enable account control on the Administration > Security: Password Policy page, a user must use a password.
When a user has a null password to start with, the administrator can still set the user password with account control enabled. However, once the user or administrator changes the password, it can’t be reset to null as long as account control is enabled.
Password specifies a password in the text box.
Password Confirm confirms the new administrator password.
Enable Account enables or clears the administrator or monitor account.
When enabled, you may make the account the default user for RADIUS and TACACS+ authorization. You may only designate one account as the default user. Once enabled, the default user account may not be disabled or removed. The Accounts table displays the account as permanent.
Adding a new account
A role-based account can’t modify another role-based or capability-based account.
These configuration options are available:
Add a New Account displays the controls for creating a new account.
Account Name specifies a name for the account.
Password specifies a password in the text box; retype the password for confirmation.
Enable Account enables the new account.
Administrator configures a system administrator role. This role allows permission for all other RBM roles, including creating, editing, and removing user accounts. The system administrator role allows you to add or remove a system administrator role for any other user, but not for yourself. Read-only permission isn’t allowed for this role.
User configures a role that determines whether the user:
• has permission to view current configuration settings but not change them (Read-Only).
• has permission to view settings and make configuration changes for a feature (read/write).
• is prevented from viewing or saving settings or configuration changes for a feature (Deny).
General Settings configures per-source IP connection limit and the maximum connection pooling size.
Network Settings configures these features:
• Topology definitions
• Site and network definitions
• Application definitions
• Host interface settings
• Network interface settings
• DNS cache settings
• Hardware assist rules
• Host labels
• Port labels
You must include this role for users configuring path selection or enforcing QoS policies in addition to the QoS and Path Selection roles.
QoS enforces QoS policies. You must also include the Network Settings role.
Path Selection configures path selection. You must also include the Network Settings role.
Optimization Service configures alarms, performance features, SkipWare, HS-TCP, and TCP optimization.
SteelHead In-Path Rules configures TCP traffic for optimization and how to optimize traffic by setting in-path rules. This role includes WAN visibility to preserve TCP/IP address or port information. For details about WAN visibility, see the SteelHead Deployment Guide.
CIFS Optimization configures CIFS optimization settings (including SMB signing) and overlapping open optimization.
HTTP Optimization configures enhanced HTTP optimization settings: URL learning, Parse and Prefetch, Object Prefetch Table, keepalive, insert cookie, file extensions to prefetch, and the ability to set up HTTP optimization for a specific server subnet.
Oracle Forms Optimization optimizes Oracle E-business application content and forms applications.
MAPI Optimization optimizes MAPI and sets Exchange and NSPI ports.
NFS Optimization configures NFS optimization.
Notes Optimization configures Lotus Notes optimization.
Citrix Optimization configures Citrix optimization.
SSL Optimization configures SSL support and the secure inner channel.
Replication Optimization configures the SRDF/A, FCIP, and SnapMirror storage optimization modules.
Storage Service configures branch storage services on SteelFusion Edge appliances (the branch storage services are only available on a SteelFusion Edge).
Security Settings configures security settings, including RADIUS and TACACS authentication settings and the secure vault password.
Basic Diagnostics customizes system diagnostic logs, including system and user log settings, but doesn’t include TCP dumps.
TCP Dumps customizes TCP dump settings.
Reports sets system report parameters.
Domain Authentication allows joining a Windows domain and configuring Windows domain authentication.
Citrix Acceleration configures Citrix optimization.
Add adds your settings to the system.