19.2 Administrator Configuration and Privilege Management
19.2.1 Overview
The FortiBalancer appliance allows creating system administrators and specifying the access control level (Enable or Config) for administrators. If more flexible control over the administrator privilege is needed, the role-based privilege management can be used to control the CLI commands an administrator can execute.
19.2.2 System Administrator
The FortiBalancer appliance allows creating two types of administrator: administrator of the Enable level and administrator of the Config level. Administrators of the Enable level can execute only the commands allowed by the Enable and User levels. Administrators of the Config level can execute all the commands allowed by the Config, Enable and User levels.
19.2.3 Role-based Privilege Management
The role-based privilege management function can control the CLI commands that an administrator can execute by assigning roles to the administrator, thus realizing more flexible administrator privilege control.
One administrator can be assigned one or more roles, and multiple roles are combined with "OR" logic. If any role assigned to an administrator permits the execution of a command, the administrator can execute this command; if all roles assigned to the administrator deny (or none of them permits) the execution of a command, the administrator cannot execute it. If an administrator is not assigned any role, the administrator is allowed to execute all the commands of his access control level.
A role is a set of privilege rules. A privilege rule consists of two parts: a rule string and an operation privilege.
- Rule String
Rule string defines one or a group of command configurations. Three forms of rule string are supported:
- Complete form: slb real http 'r1' 172.16.2.250 80 1 tcp 3 3
- Incomplete form with some parameters: slb real http 'r1'
- Incomplete form with only part of the command body: slb real
To configure eligible rule strings, please pay attention to the following notes:
- The command body cannot be abbreviated.
- The parameters are case-sensitive.
- The whole rule string needs to be enclosed in double quotes. If double quotes are further needed by some parameters in the rule string, please use single quotes instead.
- If the entered string has multiple consecutive spaces, the spaces will be regarded as one space.
The system checks the command entered by the administrator against the rule strings starting from the first character. If the command is identical to a rule string or begins with it, the command is regarded as matching the rule string and the rule applies to it.
- Operation Privilege
There are two kinds of operation privileges: “permit” and “deny”. The privilege rules are consequently divided into “permit” rules and “deny” rules, which respectively specify that one command or a group of commands can or cannot be executed by a role. If a role is not configured with any “permit” rule, the role is not permitted to execute any command.
When a command matches a “permit” rule and a “deny” rule at the same time, the system will assume that the “deny” rule has a higher priority.
For example: role1:
- “permit” rule: “no slb group”
- “deny” rule: “no slb group method”
The system will deny the execution of commands starting with “no slb group method” by role1, but the execution of other commands starting with “no slb group” is permitted.
role2:
- “permit” rule: “no slb group method”
- “deny” rule: “no slb group”
Because the “deny” rule has a higher priority, the system will deny the execution of the commands starting with “no slb group” by role2, although the “permit” rule allows the execution of the commands starting with “no slb group method”.
To disallow a role from executing the configuration, display and deletion operations for a feature (for example LLB), configure the following privilege rules for this role:
- “deny” rule: “llb”
- “deny” rule: “no llb”
- “deny” rule: “show llb”
- “deny” rule: “clear llb”
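The following model of the rule evaluation described above is added here for illustration and is not the appliance's own code. It assumes that a command matches a rule string when the command, with runs of spaces collapsed, begins with that rule string (case-sensitive), that "deny" beats "permit" inside a role, that roles are combined with OR, and that an administrator without roles keeps the full access of his level; the role names and the sample commands are constructed.

```python
from dataclasses import dataclass, field


def _normalize(text: str) -> str:
    """Collapse consecutive spaces to one, as the appliance does for rule strings."""
    return " ".join(text.split())


def rule_matches(command: str, rule: str) -> bool:
    """A command matches a rule string if it is identical to it or begins with it (assumption)."""
    return _normalize(command).startswith(_normalize(rule))


@dataclass
class Role:
    name: str
    permit: list = field(default_factory=list)
    deny: list = field(default_factory=list)

    def allows(self, command: str) -> bool:
        if not self.permit:  # a role without any "permit" rule permits nothing
            return False
        if any(rule_matches(command, r) for r in self.deny):
            return False  # "deny" has priority over "permit"
        return any(rule_matches(command, r) for r in self.permit)


def admin_can_run(roles: list, command: str) -> bool:
    """OR across roles; an administrator with no role keeps his access level."""
    if not roles:
        return True
    return any(role.allows(command) for role in roles)


def audit(roles: list, commands: list) -> dict:
    """Verdict per candidate command, useful for reviewing a role before assigning it."""
    return {cmd: admin_can_run(roles, cmd) for cmd in commands}


if __name__ == "__main__":
    # role1 and role2 from the text; the argument "g1" is a constructed example.
    role1 = Role("role1", permit=["no slb group"], deny=["no slb group method"])
    role2 = Role("role2", permit=["no slb group method"], deny=["no slb group"])
    for cmd in ["no slb group g1", "no slb group method g1"]:
        print(f"{cmd!r}: role1={role1.allows(cmd)} role2={role2.allows(cmd)}")
    # The LLB "deny" set alone leaves a role that can execute nothing at all.
    llb_off = Role("llb_off", deny=["llb", "no llb", "show llb", "clear llb"])
    print(audit([llb_off], ["show llb", "show run config"]))
```

Running the block reproduces the role1/role2 verdicts in the text and shows that a deny-only role blocks every command, so the LLB rules must accompany at least one "permit" rule.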
Note:
- The system provides two pre-defined roles: “SLB” and “NETWORK”. You can execute the “show role predefined” command to see the privilege rules of the two roles.
- Monitoring via the web UI requires the privilege to execute the “show” CLI commands. Please make sure the administrators who need to monitor a specific feature in the web UI are assigned a role with the corresponding “show” privileges.
19.2.4 Configuration Examples
19.2.4.1 Creating System Administrator
- web UI:
Select Admin Tools > User Management > User Management, and click the Add Admin action link in the Administrators area. In the new configuration window, specify the required parameters in the Add Administrator Account area, and click the Save action link.
- CLI:
Execute the following command to add an administrator account and specify the access control level:
user <user_name> <password> [enable|config]
For example:
FortiBalancer(config)#user admin1 abcabc config
19.2.4.2 Configuring Role-based Privilege Management
- web UI:
- Select Admin Tools > User Management > Role Management. Enter the role name in the Role Name text box in the Role Configuration area, and click the Add action link.
- Select the Role Management tab, enter the rule string in the CLI filter text box and select the Permit or Deny radio button in the Role CLI Filter Configuration area, and click the Add action link.
- Select the Authorization tab, specify the Username and Role Name parameters, and click the Add action link to assign the role to the administrator.
- CLI:
- Execute the following command to add a role:
role name <role_name>
For example:
FortiBalancer(config)#role name role1
- Execute the following commands to configure the privilege rules for the role:
role deny <role_name> <filter_string>
role permit <role_name> <filter_string>
For example:
FortiBalancer(config)#role deny role1 "clear config"
FortiBalancer(config)#role permit role1 "show run config"
- Execute the following command to assign the role to the administrator:
role user <user_name> <role_name>
For example:
FortiBalancer(config)#role user admin1 role1