Managing TOS Classic Users

Overview

All users can change their own account details. Only administrators can add, change and delete other user accounts.

Types of User - Single Domain

By default, all users and devices belong to a single domain. There are two types of users:

  • Administrator
  • User

All users can manage policy revisions, and configure and run queries, audits, and reports, for their assigned devices.

The following actions are available only to administrators:

Types of User - Multi-Domain

If you have configured your system for multi-domains, the two types of user are replaced by four different types of users:

  • Super Administrator
  • Multi-Domain Administrator
  • Multi-Domain User
  • Domain User

After the first additional (non-default) Domain is defined, existing administrators become Super Administrators and existing users become Multi-Domain Users. The scope of each is shown below.

Permitted actions (within permission scope), by user type:

| User type | Permission scope | System-level configuration, and Unified Security Policy | Users, Devices, Zones, Edit Topology, View Topology | Policy Mgmt, Auditing, Analysis, Reporting |
|---|---|---|---|---|
| Super Administrator | All | ✓ | ✓ | ✓ |
| Multi-Domain Administrator | One or more domains | ✓ Configure/Create intra-domain USPs only. | ✓ Configure Domain Users only. For default Domain, only edit Topology. | ✓ |
| Multi-Domain User | One or more domains | | | ✓ |
| Domain User | One domain | | | ✓ |

  • Super Administrator - Full permissions, for all Domains, and for all SecureTrack actions including system-level configuration and Unified Security Policy.
  • Multi-Domain Administrator - Defined by Super Administrator and given permission for one or more specified Domains (including any devices to be added in the future to the Domain), including (optionally) the default Domain. For devices in any of these Domains, can perform policy management, analysis, auditing, and reporting, and can view and modify the Topology. For any of these Domains except the default Domain, can configure device monitoring, Domain Users, and Network zones.
  • Multi-Domain User - Defined by Super Administrator and given permission for one or more specified monitored devices (group-selectable by Domain, but applying only to currently configured devices). For these devices, can perform policy management, analysis, auditing, and reporting.
  • Domain User - Defined by Administrator (Super or Multi-Domain) and given permission for one specified Domain (not the default Domain). For this Domain, can perform policy management, analysis, auditing, and reporting.

Administrators have administrative supervision over other users' reports, queries, and audits.

Managing Users in a Multi-Domain Environment

In a Multi-Domain environment, a Multi-Domain Administrator who wants to add or configure a Domain User must be in the context for that Domain. A Super Administrator who wants to add or configure a Multi-Domain Administrator for more than one Domain, or a Multi-Domain User, or another Super Administrator, must be in the Global context (All Domains).

Administrative Supervision

SecureTrack Administrators can manage reports, queries, audits, and alerts that were created by Users and by other Administrators. This includes viewing, running, and editing the output (scheduling and recipients). Regular Users can only see reports that they themselves created.

In the various reports, analysis, and audit pages in SecureTrack, logged-in Administrators can choose to display only the reports, queries, or alerts that they created, or all available ones.

If you have configured your system for managing multi-domains, reports (configured and generated), queries, audits, and alerts are only available for the domains in which they were created. Super Administrators can manage any reports (in the domain contexts in which they were created). Multi-Domain Administrators have administrative supervision only in Domain contexts for which they have permissions (but not in the Global context), over reports created by other Multi-Domain Administrators and by Domain Users (but not over reports created by Super Administrators or by Multi-Domain Users).
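The supervision rules above can be written as a single decision function, which is useful when reviewing who can see or reschedule whose output. This is an added example, not product code: the `Account` and `Item` types, the `can_manage` function, the context strings and the sample accounts are all assumptions made for illustration.

```python
from dataclasses import dataclass

SUPER, MD_ADMIN, MD_USER, DOMAIN_USER = (
    "Super Administrator", "Multi-Domain Administrator",
    "Multi-Domain User", "Domain User")
GLOBAL = "Global"  # the Global context (All Domains)


@dataclass(frozen=True)
class Account:
    name: str
    role: str
    domains: frozenset = frozenset()  # Domains the account has permissions for


@dataclass(frozen=True)
class Item:
    """A report, query, audit or alert and the context it was created in."""
    owner: Account
    context: str


def can_manage(viewer: Account, item: Item, current_context: str) -> bool:
    """Apply the supervision rules for `viewer` working in `current_context`."""
    if current_context != item.context:
        return False  # items are only available where they were created
    if item.owner == viewer:
        return True   # every user can see what they created themselves
    if viewer.role == SUPER:
        return True   # any item, in the context in which it was created
    if viewer.role == MD_ADMIN:
        return (current_context != GLOBAL
                and current_context in viewer.domains
                and item.owner.role in (MD_ADMIN, DOMAIN_USER))
    return False      # Multi-Domain Users and Domain Users: own items only


# Constructed sample accounts (not taken from a real system).
root = Account("root", SUPER)
alice = Account("alice", MD_ADMIN, frozenset({"DomainA"}))
bob = Account("bob", MD_ADMIN, frozenset({"DomainA", "DomainB"}))
dan = Account("dan", DOMAIN_USER, frozenset({"DomainA"}))
mia = Account("mia", MD_USER)

if __name__ == "__main__":
    for owner, ctx in [(dan, "DomainA"), (bob, "DomainB"), (root, "DomainA"), (mia, "DomainA")]:
        print(owner.name, ctx, "alice:", can_manage(alice, Item(owner, ctx), ctx),
              "root:", can_manage(root, Item(owner, ctx), ctx))
```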

What Can I Do Here?

Manage Your Own Account

You can change some details of your own user account, including your name, email address, and password, and enable or disable administrative alerts.

Add a New User

Existing users are listed. From the list, you can Edit a user's properties, or Delete a user.

To add a user, click New. The new user's properties appear:

Available options under Device Permissions depend on the selected user type (Permissions) and, in a Multi-Domain environment, on the current context.

In a Multi-Domain environment, when adding or configuring a Multi-Domain User, devices are categorized and selectable by Domain, but the actual permissions are defined by device. Even when a whole Domain is selected, permissions are not automatically applied to devices added in the future.
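Because Multi-Domain User permissions are pinned to devices while Multi-Domain Administrator permissions follow the Domain, a periodic access review can compare each account's reach against the current device inventory. The following is an added example, not product code: the record layout, the `expected_domains` field (the Domains a reviewer expects the account to cover), and the device and user names are constructed for illustration.

```python
MD_ADMIN = "Multi-Domain Administrator"
MD_USER = "Multi-Domain User"


def effective_devices(user, devices_by_domain):
    """Devices the account can act on, given the current device inventory."""
    if user["role"] == MD_ADMIN:
        # Domain-scoped: follows the Domain, including devices added later.
        return set().union(*(devices_by_domain.get(d, set()) for d in user["domains"]))
    if user["role"] == MD_USER:
        # Device-scoped: only the devices selected when permissions were saved.
        return set(user["devices"])
    raise ValueError(f"role not modelled here: {user['role']}")


def coverage_gaps(user, devices_by_domain):
    """Per Domain the account is expected to cover, devices it cannot reach."""
    reachable = effective_devices(user, devices_by_domain)
    gaps = {}
    for domain in user["expected_domains"]:
        missing = devices_by_domain.get(domain, set()) - reachable
        if missing:
            gaps[domain] = sorted(missing)
    return gaps


# Constructed inventory: fw-a3 joined DomainA after mia's permissions were saved.
DEVICES = {"DomainA": {"fw-a1", "fw-a2", "fw-a3"}, "DomainB": {"fw-b1"}}
USERS = [
    {"name": "alice", "role": MD_ADMIN, "domains": ["DomainA"],
     "expected_domains": ["DomainA"]},
    {"name": "mia", "role": MD_USER, "devices": ["fw-a1", "fw-a2", "fw-b1"],
     "expected_domains": ["DomainA", "DomainB"]},
]


def review(users=USERS, devices=DEVICES):
    """Return {user name: gaps} for every account that has a gap."""
    report = {u["name"]: coverage_gaps(u, devices) for u in users}
    return {name: gaps for name, gaps in report.items() if gaps}


if __name__ == "__main__":
    print(review())
```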

  • In the First Name and Last Name fields, the following characters are allowed: characters in all languages, integers 0–9, special characters + - _ # @ . , : = ! ^ ( ) and blank spaces.
  • Authentication Method is either Local (the password is defined here), SSO Authentication, RADIUS or TACACS+. If you select RADIUS or TACACS+, make sure the user's name here exactly matches the name in the RADIUS or TACACS+ server.
  • Permissions define the user type. Available options depend on whether or not multi-domain is configured, on the current domain context (Global or selected domain) and on the type of the logged-in user.
  • An Email Address is required for notifications, alerts, and reports. The Email field must be in the standard email format.
  • Administrative Alerts can also be enabled from the Notifications page.

Click Save to add the user. The new user will be prompted to reset the password when logging in to the TOS Classic UI for the first time and must do so before performing other functions such as running REST APIs and connecting from SecureChange.

Edit a User

All existing users are displayed. Click Edit to change a user's properties, or Delete to delete a user.

Make changes and click Save to update the user. If you change the password, the user will be prompted to reset the password when next logging in to the TOS Classic UI and must do so before performing other functions such as running REST APIs and connecting from SecureChange.

How Do I Get Here?

To manage other user accounts: In TOS Classic, go to Settings > Configuration > Users.

To manage your own account: In TOS Classic, go to Settings > My Settings > Account Details.