Predefined User Roles

Except as noted, you can assign each user a predefined user role with the privileges described in the following table, or a custom user role.

Descriptions of User Roles

Each entry below gives the user role name, its description, and its Web Reporting/Scheduled Reports capability.

admin

The admin user is the default user account for the system and has all administrative privileges. The admin user account is listed here for convenience, but it cannot be assigned via a user role, and it cannot be edited or deleted, aside from changing the passphrase.

Only the admin user can issue the resetconfig and revert commands.

Web Reporting/Scheduled Reports Capability: Yes/Yes

Administrator

User accounts with the Administrator role have full access to all configuration settings of the system.

Web Reporting/Scheduled Reports Capability: Yes/Yes

Operator

User accounts with the Operator role are restricted from:

  • Creating or editing user accounts

  • Upgrading the appliance

  • Issuing the resetconfig command

  • Running the System Setup Wizard

  • Modifying LDAP server profile settings other than username and passphrase, if LDAP is enabled for external authentication.

  • Configuring, editing, deleting, or centralizing quarantines.

Otherwise, they have the same privileges as the Administrator role.

Web Reporting/Scheduled Reports Capability: Yes/Yes

Technician

User accounts with the Technician role can initiate system administration activities such as upgrades and reboots, save a configuration file from the appliance, manage feature keys, and so forth.

Web Reporting/Scheduled Reports Capability: Access to System Capacity reports under the Web and Email tabs

Read-Only Operator

User accounts with the Read-Only Operator role have access to view configuration information. Users with the Read-Only Operator role can make and submit most changes to see how to configure a feature, but they cannot commit them or make any change that does not require a commit. Users with this role can manage messages in quarantines, if access is enabled.

Users with this role cannot access the following:

  • File system, FTP, or SCP.

  • Settings for creating, editing, deleting or centralizing quarantines.

Web Reporting/Scheduled Reports Capability: Yes/No

Guest

User accounts with the Guest role can view status information, including reports and Web Tracking, and manage messages in quarantines, if access is enabled. Users with the Guest role cannot access Message Tracking.

Web Reporting/Scheduled Reports Capability: Yes/No

Web Administrator

User accounts with the Web Administrator role have access to all configuration settings under the Web tab.

Web Reporting/Scheduled Reports Capability: Yes/Yes

Web Policy Administrator

User accounts with the Web Policy Administrator role can access the Web Appliance Status page and all pages in the Configuration Master. The web policy administrator can configure identities, access policies, decryption policies, routing policies, proxy bypass, custom URL categories, and time ranges. The web policy administrator cannot publish configurations.

Web Reporting/Scheduled Reports Capability: No/No

Email Administrator

User accounts with the Email Administrator role have access to all configuration settings within the Email menu only, including quarantines.

Web Reporting/Scheduled Reports Capability: No/No

Help Desk User

User accounts with the Help Desk User role are restricted to:

  • Message Tracking

  • Managing messages in quarantines

Users with this role cannot access the rest of the system, including the CLI. After you assign a user this role, you must also configure quarantines to allow access by this user.

Web Reporting/Scheduled Reports Capability: No/No

Custom Roles

User accounts that are assigned a custom user role can view and configure only policies, features, or specific policy or feature instances that have been specifically delegated to the role.

These features can be access log subscriptions, Logging APIs, and log files.

You can create a new Custom Email User Role or a new Custom Web User Role from the Add Local User page. However, you must assign privileges to this Custom User Role before the role can be used. To assign privileges, go to Management Appliance > System Administration > User Roles and click the user name.

Note: Users assigned to a Custom Email User Role cannot access the CLI.

For more information, see Custom User Roles.

Web Reporting/Scheduled Reports Capability: No/No