Article Applies To:
Affected SonicWALL Security Appliance Platforms:
Gen5: NSA E7500, NSA E6500, NSA E5500, NSA 5000, NSA 4500, NSA 3500, NSA 2400, NSA 240
Gen4: PRO series: PRO 5060, PRO 4100, PRO 4060, PRO 3060, PRO 2040, PRO 1260
TZ series: TZ 190, TZ 190 Wireless, TZ 210, TZ 210 W.
Affected Firmware versions: All Gen5 and Gen4 firmware versions (SonicOS Enhanced 4.0 and above)
Affected Services: User Management (Multiple SonicWALL Administrator Accounts)
Overview / Scenario:
SonicOS Enhanced release 4.0 introduced support for multiple concurrent administrators. This feature allows multiple users to log in with full administrator privileges. In addition to the default admin user name, additional administrator user names can be created.
Because of the potential for conflicts caused by multiple administrators making configuration changes at the same time, only one administrator is allowed to make configuration changes. The additional administrators are given full access to the GUI, but they cannot make configuration changes.
Please Note: Administrators with full configuration privilege can also log in using the Command Line Interface (CLI).
To configure additional administrator user profiles, perform the following steps:
Step 5: Select the appropriate group to give the user Administrator privileges:
• Limited Administrators - The user has limited administrator configuration privileges.
• SonicWALL Administrators - The user has full administrator configuration privileges.
• SonicWALL Read-Only Admins - The user can view the entire management interface, but cannot make any changes to the configuration.
Step 6: Click the right arrow button and click OK.
Step 7: To configure the multiple administrator feature such that administrators are logged out when they are preempted, navigate to the System > Administration page.
Step 8: Select the Log out radio button for the On preemption by another administrator option and click Accept.
When an administrator attempts to log in while another administrator is logged in, the following message is displayed. The message displays the current administrator’s user name, IP address, phone number (if it can be retrieved from LDAP), and whether the administrator is logged in using the GUI or CLI.
This window gives you three options:
• Continue - Preempts the current administrator. The current administrator is dropped to non-config mode and you are given full administrator access.
• Non-config - You are logged into the appliance in non-config mode. The current administrator’s session is not disturbed.
• Cancel - Returns to the authentication screen.
Activating Configuration Mode
When you log in as a user with administrator rights other than the admin user, the User Login Status popup window is displayed.
To go to the SonicWALL user interface, click the Manage button. You will be prompted to enter your password again. This is a safeguard to protect against unauthorized access when administrators are away from their computers and do not log out of their session.
You can disable the User Login Status popup window if you prefer to allow certain users to log in solely for the purpose of managing the appliance, rather than for privileged access through the appliance. To disable the popup window, select the Members go straight to the management UI on web login checkbox when adding or editing the local group.
If you want some user accounts to be administrative only, while other users need to log in for privileged access through the appliance, but also with the ability to administer it (that is, some go straight to the management interface on login, while others get the User Login Status popup window with a Manage button), this can be achieved as follows:
Viewing Multiple Administrator Related Log Messages
Log messages are generated for the following events:
UTM: How Does Multiple Administrators Support Work in SonicOS Enhanced?
UTM: How to Configure Additional Administrators Locally when Using LDAP or RADIUS in SonicOS Enhanced?
UTM: How to switch from non-config mode to full configuration mode while accessing SonicWALL Management Interface in SonicOS Enhanced?
Source: SonicOS Enhanced 5.0 Multiple Administrators Feature Module
Created on: 2/4/2009
Last Update on: 9/3/2014