
Creating Local Admins

When you create an admin account, you must specify the authentication type, name, password, and admin group of the administrator. You can also control in which time zone the appliance displays the time in the audit log and the DHCP and IPAM tabs of Grid Manager, such as the DHCP Lease History and DHCP Leases panels. The appliance can use the time zone that it automatically detects from the management system that the admin uses to log in.
Alternatively, you can override the time zone auto-detection feature and specify the time zone.
To create an admin account and add it to an admin group:

  1. Log in as a superuser.
  2. From the Administration tab, select the Administrators tab -> Admins tab, and then click the Add icon.
    or
    From the Administration tab, select the Administrators tab -> Groups tab -> admin_group, and then click the Add icon.
  3. In the Add Administrator wizard, complete the following:
    • Authentication Type: You can select either Local or Remote from the drop-down list. The default is Local. When you select Local, NIOS authenticates admins against its local database. When you select Remote, NIOS authenticates admins based on the user credentials stored remotely on authentication servers, such as RADIUS servers, AD domain controllers, LDAP servers, or TACACS+ servers.
      Local: The following fields are displayed when you select Local authentication type. Enter the following:
      • Login: Enter a name for the administrator. This is the username that the administrator uses to log in to the appliance. This username is stored in the NIOS local database.
      • Password: Enter a password for the administrator. This is the password that the administrator uses to log in to the appliance. This password is stored in the NIOS local database.
      • Confirm Password: Enter the same password.

    Remote: The following field is displayed when you select Remote authentication type. Enter the following login credentials:

    • Login: Enter a name for the administrator that is stored in the database of the remote server. This is the username that the administrator uses to log in to the appliance.

Note: You cannot configure the Remote authentication type for NIOS admin users who belong to the fireeye-group admin groups.

  • Email Address: Enter the email address for this administrator. The appliance uses this email address to send scheduling notifications.
  • Admin Group: Click Select to specify an admin group. If there are multiple admin groups, Grid Manager displays the Admin Group Selector dialog box from which you can select one. An admin can belong to only one admin group at a time.

The NIOS appliance creates a new group, fireeye-group, when you add the first FireEye zone. The FireEye admin group is read-only and you cannot assign permissions to it. Select fireeye-group for the admin group and add users to this group. For more information, see About FireEye Integrated RPZs.

Note: You cannot add a NIOS admin user that uses the Remote authentication type to the fireeye-group admin group.

  • Comment: Enter useful information about the administrator.
  • Disable: Select this check box to retain an inactive profile for this administrator in the configuration. For example, you might want to define a profile for a recently hired administrator who has not yet started work. Then when he or she does start, you simply need to clear this check box to activate the profile.

   4. Optionally, click Next to add extensible attributes to the admin account. For information, see About Extensible Attributes.

   5. Save the configuration and click Restart if it appears at the top of the screen.

Managing Passwords

Superusers can define requirements for the passwords of local admins according to your organization's policies. In addition to specifying the minimum password length, you can define rules that specify the character types that are allowed in the password. You can also specify whether passwords expire, their duration, and when reminders are sent to the users. Additionally, you can require admins to change their passwords when they first log in or after their passwords are reset.
You set the requirements at the Grid level, so they apply to all local admins who log in to the Grid. The requirements that you define appear in the User Profile of all local admins and when users are required to change their password.
To define the password requirements for local admins:

  1. From the Grid tab, select the Grid Manager tab.
  2. Expand the Toolbar and select Grid Properties -> Edit.
  3. In the Grid Properties editor, select the Password tab and complete the following:
    • Minimum Password Length: Specify the minimum number of characters that are required in a password.
    • Password Complexity: You can set up some requirements around how users compose a password by specifying the category and the number of characters and/or symbols the password must contain. The default is 0 for all categories, which means the password is not required to contain those characters. Specify the minimum number of characters the password must contain for the following:
      • lowercase characters [a-z]
      • uppercase characters [A-Z]
      • numeric characters [0-9]
      • symbol characters. Allowed characters are: ! @ # $ % ^ & * ( )
      • character changes from previous passwords. To discourage users from reusing previous passwords, you can require a minimum change of characters from previous passwords.
    • Password must expire: Select this check box to enable passwords to expire after a specified period. Specify the duration of each password and the number of days before the expiration that the appliance sends a reminder.
    • Force password change at next login: Select this check box to force all new users to change their passwords when they first log in and to force existing users whose passwords were just reset to change their passwords.

Note: The "force password change at next login" feature does not apply to admin users in the fireeye-group. These users will not be prompted to change their passwords at the next login. Their original passwords continue to work. For information about FireEye integrated RPZs, see About FireEye Integrated RPZs.

   4. Click Save & Close.
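
The complexity rules above can be checked offline before a password is submitted. This is an added example, not Infoblox code: the field names, the sample passwords, and the way character changes are counted (characters in the new password with no counterpart in the previous one) are assumptions, since the page does not define that calculation.

```python
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass

# Symbols the page lists as allowed for the "symbol characters" category.
ALLOWED_SYMBOLS = set("!@#$%^&*()")


@dataclass
class PasswordPolicy:
    # Hypothetical field names mirroring the Password tab settings.
    min_length: int
    min_lower: int = 0    # the page gives 0 as the default for all categories
    min_upper: int = 0
    min_numeric: int = 0
    min_symbol: int = 0
    min_changed: int = 0  # "character changes from previous passwords"


def changed_chars(new: str, old: str) -> int:
    """Assumed metric: characters of `new` not matched by a character of `old`."""
    return sum((Counter(new) - Counter(old)).values())


def violations(policy: PasswordPolicy, new: str, previous: str = "") -> list[str]:
    """Return the names of the rules that `new` fails; an empty list is compliant."""
    checks = [
        ("length", len(new), policy.min_length),
        ("lowercase", sum("a" <= c <= "z" for c in new), policy.min_lower),
        ("uppercase", sum("A" <= c <= "Z" for c in new), policy.min_upper),
        ("numeric", sum("0" <= c <= "9" for c in new), policy.min_numeric),
        ("symbol", sum(c in ALLOWED_SYMBOLS for c in new), policy.min_symbol),
    ]
    if previous:  # the change rule only applies when there is an earlier password
        checks.append(("changes", changed_chars(new, previous), policy.min_changed))
    return [name for name, have, need in checks if have < need]


# Constructed policy and passwords, for illustration only.
POLICY = PasswordPolicy(min_length=12, min_lower=2, min_upper=2,
                        min_numeric=2, min_symbol=1, min_changed=4)

if __name__ == "__main__":
    print(violations(POLICY, "Winter2024"))
    print(violations(POLICY, "GridAdmin#2025x", "GridAdmin#2024x"))
    print(violations(POLICY, "Blue&Kettle77orb", "GridAdmin#2024x"))
```

The second sample meets every composition rule yet fails the change requirement, which is the reuse pattern the "character changes" setting is meant to discourage.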

Modifying and Deleting Admin Accounts

You can modify and delete admin accounts that you create, but you can only partially modify the default superuser account "admin", and only when you are logged in with a superuser account. Furthermore, because there must always be a superuser account on the appliance, you can only remove the default "admin" account after you create another superuser account.
To modify an admin account:

  1. From the Administration tab, select the Administrators tab -> Admins tab -> admin_account check box, and then click the Edit icon.
    or
    From the Administration tab, select the Administrators tab -> Groups tab -> admin_group -> admin_account check box, and then click the Edit icon.
  2. The Administrator editor provides the following tabs from which you can modify data:
    • General: In the General Basic tab, modify data of the admin account as described in Creating Local Admins.
      In the General Advanced tab, complete the following:
      • Time Zone: Select a time zone from the drop-down list if you want to specify the time zone for the administrator. By default, the appliance automatically detects the time zone from the management system that the administrator uses to connect to the appliance. The appliance uses this time zone when it displays the timestamps for relevant data.
      • Enable Certificate Authentication: Select the check box to enable the certificate authentication service. You must also specify the serial number of the client certificate and associate a CA certificate that signs the client certificate. For more information, see Enabling Certificate Authentication Service for a User.
    • Extensible Attributes: Add and delete extensible attributes that are associated with the admin account. You can also modify the values of the extensible attributes. For information, see About Extensible Attributes.
  3. Save the configuration and click Restart if it appears at the top of the screen.

To delete an admin account:

  1. From the Administration tab, select the Administrators tab -> Admins tab -> admin_account check box, and then click the Delete icon.
    or
    From the Administration tab, select the Administrators tab -> Groups tab -> admin_group -> admin_account check box, and then click the Delete icon.
  2. In the Delete Confirmation dialog box, click Yes.