Privileges

Managing privileges for users and groups is done similarly, so both will be covered here rather than duplicating the effort. Whether a user or group is managed, the entry must be created and saved first before privileges can be added to the account or group.

To add privileges, edit an existing user or group and click fa-plus Add in the Assigned Privileges or Effective Privileges section.

The GUI presents a list of all available privileges. Privileges may be added one at a time by selecting a single entry, or by multi-select using ctrl-click or cmd-click. If other privileges are already present on the user or group, they are hidden from this list so they cannot be added twice. To search for a specific privilege by name, enter the search term in the Filter box and click fa-filter Filter.

Selecting a privilege will show a short description of its purpose in the information block area under the permission list and action buttons. Most of the privileges are self-explanatory based on their names, but a few notable permissions are:

WebCfg - All Pages:

Grants the user access to any page in the GUI

WebCfg - Dashboard (all):

Grants the user access to the dashboard page and all of its associated functions (widgets, graphs, etc.)

WebCfg - System: User Password Manager Page:

If the user has access to only this page, they can login to the GUI to set their own password but do nothing else.

User - VPN - IPsec xauth Dialin:

Allows the user to connect and authenticate for IPsec xauth

User - Config - Deny Config Write:

Prevents the user from making changes to the firewall configuration (config.xml).

Warning

This does not prevent the user from taking other actions that do not involve writing to the configuration.

User - System - Shell account access:

Grants the user the ability to login over SSH, though the user will not have root-level access so functionality is limited. A package for sudo is available to enhance this feature.

After login, the firewall will attempt to display the dashboard. If the user does not have access to the dashboard, the GUI will forward the user to the first page in their privilege list to which they have access.

Menus on the firewall only contain entries for which privileges exist on a user account. For example, if the only Diagnostics page that a user has access to is Diagnostics > Ping then no other items will be displayed in the Diagnostics menu.