Manage Local Users
The Users tab under System > User Manager is where individual users are managed.
Note
The admin user cannot be deleted and its username may not be changed.
Creating and Editing Users
The first step is always to add the user and save. Privileges can only be added to existing users; they cannot be added when creating a new user.
Tip
If multiple users need the same privileges, the most efficient method is to add a group and then add users to the group.
To add a new user:
Navigate to System > User Manager
Click Add
To edit an existing user:
Navigate to System > User Manager
Click on the row containing the user
User Settings
When creating or editing a user, the following options are available:
- Disabled:
This checkbox controls whether this user will be active. To deactivate this account, check the option.
- Username:
Sets the login name for the user. This field is required, must be 16 characters or less and may only contain letters, numbers, and a period, hyphen, or underscore.
- Password / Confirm Password:
The password for this user. Ensure the two fields match to confirm the password.
This password cannot be set to the same value as the username. Additionally, on pfSense Plus software version 24.03 and later, the password cannot be set to the default value (Default Username and Password).
Note
Passwords are stored in the configuration as salted hashes, not plain text.
Tip
GUI users can also change their own password using the User Password Manager page.
- Full Name:
Optional field which can be used to enter a longer name or a description for this user account.
- Expiration Date:
Optional date at which the firewall will automatically deactivate this user account. The date must be entered in MM/DD/YYYY format.
- Custom Settings:
Enables options for per-user custom GUI settings. See Per-user GUI Options and Dashboard Layout for details.
- Group Memberships:
If one or more groups exist on the firewall (Manage Local Groups), this control can add the user as a member.
To add a group for this user:
Click the group name in the Not Member Of column
Click to move it to the Member Of column
To remove a group from the user:
Click the group name in the Member Of column
Click to move it to the Not Member Of column
- Effective Privileges:
A list of privileges this user has, either directly assigned or inherited by group membership.
Appears only when editing an existing user, not when creating a user.
Privileges assigned to the user may be edited by these controls, but group privileges cannot. Group privileges must be managed on the group.
See also
See Privileges for information on managing privileges.
- Certificate:
Certificates associated with this user account.
The behavior of this section changes depending on whether the page is creating a new user or editing an existing user. This section is disabled if there are no internal certificate authorities defined on the firewall capable of signing a certificate.
To create a certificate while adding a user:
Check Click to create a user certificate
Fill in the Descriptive name
Choose a Certificate Authority
Select a Key Type and Key Length
Select a Digest Algorithm
Enter a Lifetime
See also
For more information on these parameters, see Create an Internal Certificate.
When editing a user, this section of the page instead becomes a list of certificates associated with this user account.
To create a certificate for an existing user:
Click Add
Fill in the settings on the page as described in Create an Internal Certificate (some data is pre-filled)
To associate an existing certificate with this user:
Set Method to Choose an Existing Certificate
Select an entry from the Existing Certificate list
Click Save
- Authorized SSH keys:
Public keys for SSH and SCP authentication.
To add a key, paste or enter the key data. Multiple keys are allowed, one per line.
Warning
Only enter authorized keys into this field. Do not add them to files in user home directories. Those files will be overwritten by the GUI the next time account information is synchronized to disk (e.g. at boot time).
- IPsec Pre-Shared Key:
Pre-Shared Key (PSK) for this user to connect to a non-xauth Pre-Shared Key mobile IPsec setup.
If a PSK is entered here, the username is used as the identifier. The PSK is also displayed under VPN > IPsec on the Pre-Shared Keys tab.
Note
This field has no effect for IKEv2 or xauth mobile IPsec.
- Keep Command History:
If this user has shell access, this option preserves the last 1000 unique commands entered at a shell prompt between login sessions. The user can access history using the up and down arrows at an SSH or console shell prompt and search the history by typing a partial command and then using the up or down arrows.
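The field rules listed above (username characters and length, password differing from the username, MM/DD/YYYY expiration, one SSH public key per line) can be checked on a proposed account before it is entered in the GUI. The following Python is an added example, not part of pfSense software or its documentation; the function names are hypothetical, the sample key is constructed, and key lines are assumed to carry no options prefix.

```python
import base64
import re
import struct
from datetime import datetime

USERNAME_RE = re.compile(r"[A-Za-z0-9._-]{1,16}")  # rule stated for the Username field


def ssh_string(data):
    """SSH wire-format string: uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def check_key_line(line):
    """Return a problem description for one authorized-key line, or None."""
    parts = line.split()
    if len(parts) < 2:
        return "expected '<type> <base64> [comment]'"
    try:
        blob = base64.b64decode(parts[1], validate=True)
    except ValueError:
        return "key data is not valid base64"
    # A public key blob begins with its own key type as a wire-format string.
    if not blob.startswith(ssh_string(parts[0].encode())):
        return "declared key type does not match the key data"
    return None


def check_user(username, password, expires="", authorized_keys=""):
    """Return a list of problems with a proposed user record ([] means OK)."""
    problems = []
    if not USERNAME_RE.fullmatch(username):
        problems.append("username: 1-16 letters, numbers, '.', '-' or '_'")
    if password == username:
        problems.append("password: must differ from the username")
    if expires:
        try:
            datetime.strptime(expires, "%m/%d/%Y")
        except ValueError:
            problems.append("expires: must be MM/DD/YYYY")
    for n, line in enumerate(authorized_keys.splitlines(), 1):
        err = check_key_line(line) if line.strip() else None
        if err:
            problems.append(f"authorized key line {n}: {err}")
    return problems


SAMPLE_KEY = "ssh-ed25519 " + base64.b64encode(  # constructed, all-zero key material
    ssh_string(b"ssh-ed25519") + ssh_string(bytes(32))).decode() + " alice@example"
```

A key line that was truncated or mangled while copying fails the base64 or key-type check here, before it is saved to an account.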
Per-user GUI Options and Dashboard Layout
Each user can have their own settings for various GUI options and their dashboard layout. To enable this for a user, check the Custom Settings box when adding or editing the user.
When that option is active, additional GUI options for the user are present on the user account page. Additionally, the user can have their own personal dashboard layout, starting from the system-wide layout.
Choose the other GUI options desired for the user such as theme, top navigation, host name in menu, dashboard columns, show/hide associated panels, left column labels and browser tab text.
Tip
Users with the WebCfg - System: User Settings privilege may adjust their own GUI options.
Users in the admin group already have this privilege.
A user with Custom Settings enabled and the User Settings privilege will have menu option System > User Settings. The user can select this to change the GUI options for their account.
When a user with Custom Settings adds, moves or removes dashboard widgets, the custom dashboard layout is saved in the preferences for only that user.