How Does Multiple Administrators Support Work?

Configuration Modes

In order to allow multiple concurrent administrators, while also preventing potential conflicts caused by multiple administrators making configuration changes at the same time, the following configuration modes have been defined:

Configuration mode - Administrator has full privileges to edit the configuration. If no administrator is already logged into the appliance, this is the default behavior for administrators with full and limited administrator privileges (but not read-only administrators).
Read-only mode - Administrator cannot make any changes to the configuration, but can view and browse the entire management UI and perform monitoring actions.

Only administrators that are members of the SonicWall Read-Only Admins user group are given read-only access, and it is the only configuration mode they can access.

Non-configuration mode - Administrator can view the same information as members of the read-only group and they can also initiate management actions that do not have the potential to cause configuration conflicts.

Only administrators that are members of the SonicWall Administrators user group can access non-configuration mode. This mode can be entered when another administrator is already in configuration mode and the new administrator chooses not to preempt the existing administrator. By default, when an administrator is preempted out of configuration mode, he or she is converted to non-configuration mode. On the System > Administration page, this behavior can be modified so that the original administrator is logged out.

Access Rights Available Based on Configuration Mode provides a summary of the access rights available to the configuration modes. Access rights for limited administrators are included also, but note that this table does not include all functions available to limited administrators.

 

Access Rights Available Based on Configuration Mode

| Function | Full admin in config mode | Full admin in non-config mode | Read-only administrator | Limited administrator |
|---|---|---|---|---|
| Import certificates | X | | | |
| Generate certificate signing requests | X | | | |
| Export certificates | X | | | |
| Export appliance settings | X | X | X | |
| Download TSR | X | X | X | |
| Use other diagnostics | X | X | | X |
| Configure network | X | | | X |
| Flush ARP cache | X | X | | X |
| Setup DHCP Server | X | | | |
| Renegotiate VPN tunnels | X | X | | |
| Log users off | X | X | | X (guest users only) |
| Unlock locked-out users | X | X | | |
| Clear log | X | X | | X |
| Filter logs | X | X | X | X |
| Export log | X | X | X | X |
| Email log | X | X | | X |
| Configure log categories | X | X | | X |
| Configure log settings | X | | | X |
| Generate log reports | X | X | | X |
| Browse the full UI | X | X | X | |

User Groups

The Multiple Administrators Support feature introduces two new default user groups:

SonicWall Administrators - Members of this group have full administrator access to edit the configuration.
SonicWall Read-Only Admins - Members of this group have read-only access to view the full management interface, but they cannot edit the configuration and they cannot switch to full configuration mode.

It is not recommended to include users in more than one of these user groups. However, if you do so, the following behavior applies:

If members of the SonicWall Administrators user group are also included in the Limited Administrators or SonicWall Read-Only Admins user groups, the members will have full administrator rights.
If members of the Limited Administrators user group are included in the SonicWall Read-Only Admins user group, the members will have limited administrator rights.

Priority for Preempting Administrators

The following rules govern the priority levels that the various classes of administrators have for preempting administrators who are already logged into the appliance:

1. The admin user and SonicWall Global Management System (GMS) both have the highest priority and can preempt any users.
2. A user who is a member of the SonicWall Administrators user group can preempt any users except for the admin and SonicWall GMS.
3. A user who is a member of the Limited Administrators user group can only preempt other members of the Limited Administrators group.

GMS and Multiple Administrator Support

When using SonicWall GMS to manage a SonicWall security appliance, GMS frequently logs in to the appliance (for such activities as ensuring that GMS management IPsec tunnels have been created correctly). These frequent GMS log-ins can make local administration of the appliance difficult because the local administrator can be preempted by GMS.
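The group-overlap behavior under User Groups and the three preemption rules can be checked against a user list with a small model. This is an added example, not SonicWall code. The Rank names, the "GMS" session label, the sample accounts, and the treatment of admin versus GMS as able to preempt each other are assumptions.

```python
# Added illustration, not SonicOS code; rank names and sample accounts are constructed.
from enum import IntEnum

class Rank(IntEnum):
    READ_ONLY = 0   # SonicWall Read-Only Admins
    LIMITED = 1     # Limited Administrators
    FULL = 2        # SonicWall Administrators
    TOP = 3         # built-in admin user and SonicWall GMS

GROUP_RANK = {
    "SonicWall Read-Only Admins": Rank.READ_ONLY,
    "Limited Administrators": Rank.LIMITED,
    "SonicWall Administrators": Rank.FULL,
}

def effective_rank(name, groups):
    """Resolve overlapping memberships: the most privileged group wins."""
    if name in ("admin", "GMS"):   # "GMS" is a placeholder label for a GMS session
        return Rank.TOP
    ranks = [GROUP_RANK[g] for g in groups if g in GROUP_RANK]
    return max(ranks) if ranks else None

def can_preempt(challenger, holder):
    """Apply the three priority rules for taking over configuration mode."""
    if challenger is None or holder is None:
        return False
    if challenger == Rank.TOP:
        return True                    # rule 1 (admin vs. GMS is an assumption)
    if challenger == Rank.FULL:
        return holder != Rank.TOP      # rule 2: anyone except admin and GMS
    return challenger == Rank.LIMITED and holder == Rank.LIMITED  # rule 3

def audit_overlaps(accounts):
    """Return {user: effective rank} for users in more than one admin group."""
    return {
        name: effective_rank(name, groups)
        for name, groups in accounts.items()
        if sum(g in GROUP_RANK for g in groups) > 1
    }

# Constructed sample of local users and their group memberships.
SAMPLE_ACCOUNTS = {
    "auditor1": ["SonicWall Read-Only Admins", "SonicWall Administrators"],
    "helpdesk": ["Limited Administrators", "SonicWall Read-Only Admins"],
    "netops": ["SonicWall Administrators"],
}

if __name__ == "__main__":
    print(audit_overlaps(SAMPLE_ACCOUNTS))
```

An account such as auditor1, intended to be read-only but also placed in SonicWall Administrators, resolves to full rights, which is the overlap the page recommends avoiding.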