Adding New vGW Series Administrator Definitions, Permissions, and Authentication Using the Settings Module

This topic includes the following sections:

Configuring an Administrator Account

Different categories of IT staff members may need to access the vGW Security Design VM interface for various purposes. For example, network engineers can take advantage of the network statistics charts and information on connections, top protocols used, top sources, and top destinations. Security engineers can use the Firewall module to design and apply policies for VMs and the Settings module’s vGW Application Settings > Installation page to deploy vGW Security VMs to ESX/ESXi hosts to secure them.

Table 17 defines the built-in user types that vGW Series provides to accommodate common roles and requirements, and it describes their privileges.

Table 17: vGW Series Built-In Administrator User Types

Global Admin

This administrator has the highest level of system privileges, including the ability to create accounts for additional administrators.

The global administrator has many privileges, including the ability to:

  • create firewall policies and install firewalls (vGW Security VMs) on ESX/ESXi hosts to be secured.
  • configure features such as AntiVirus, IDS, and VM Introspection Compliance for VMs.
  • select port groups and VMs for insertion in and removal from a secured network.

This administrator can also change his own password and reset the passwords of other administrators. Having the ability to reset the password for another administrator is useful when an administrator forgets his password. For details, see Changing Administrator Passwords.

VM Admin

These administrators have many privileges, including the ability to:

  • modify policies and settings configurations.

    The administrator is allowed to change firewall security policies, including IDS.

  • configure AntiVirus and VM Introspection Compliance.
  • configure mirroring of inter-VM traffic, which includes the ability to configure rules that specify external inspection devices.

Additionally, the global administrator can grant VM Admins the “Install Firewall Policy” privilege. This privilege allows a VM Admin to distribute a policy after it has been changed and saved by any administrator who has the privilege to modify security policies.

Network Monitoring

These administrators can view:

  • all network-related pages, for example pages that show statistics and graphs.
  • all tabs of the Main module, including Status and Events and Alerts, and Logs.

These administrators are not allowed to modify any Settings pages. They can view IDS Alerts, if IDS is configured, and AntiVirus scans, and they can view but not modify VM Introspection and Compliance results.

To create an administrator account:

  1. From the Settings module vGW Application Settings > Administrators page, click Add.

    Figure 129 shows the Administrators page > Add Administrator pane that you use to define permissions for a new administrator and add the administrator to the system.

    This example configuration specifies that authentication is performed internally by vGW Series, not by Active Directory (AD), which could also be used. In this example, the VM Admin admin-security-example administrator is allowed to modify policy and settings and push firewall policies to vGW Security VMs.

    Figure 129: Creating a VM Admin Administrator Account

  2. In the Authentication Type: area, select the button associated with the kind of authentication to be used for this administrator. You can use Active Directory (AD) as a means of authentication rather than storing the credentials locally. In this case, Active Directory must first be enabled through the Settings module > vGW Application Settings > Active Directory page. For details on AD authentication, see Setting Up Active Directory for vGW Series Administrator Authentication.
  3. In the Username: and Full Name: fields, enter the user name and full name for the administrator.
  4. In the Type: area, select the button associated with the type of administrator account that you want to create. See Table 17.
  5. In the Permissions: area, select the permissions that you want to grant to the administrator. Notice that for VM Admin you can select “Modify policy and settings” and “Install Firewall policy”, but if you select Network Monitoring you cannot select any of these permissions. See Table 17 for allowed permissions.
  6. Specify a password and confirm the password.
  7. Click Save.

    After you save the configuration, the administrator definition is added to the Administrators table, as shown in Figure 130.

    Figure 130: Adding a New Administrator


Note: At any time, you can click the table row for an administrator definition to display the Edit Administrator pane that shows the configuration. From the Edit Administrator pane you can modify the permissions and password and save the modified definition.
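
The following is an added example, not part of the vGW Series documentation: one way to audit a list of administrator definitions against the rules in Table 17 and the procedure above. The record layout, the `audit_admin` and `policy_pushers` helpers, and every username except admin-security-example are assumptions; the page does not describe an export of accounts in this form.

```python
# Added example. The record layout (dict keys) is an assumption, not a vGW format.
ALLOWED_PERMISSIONS = {
    "Global Admin": None,  # highest privilege level; not restricted by this check
    "VM Admin": {"Modify policy and settings", "Install Firewall policy"},
    "Network Monitoring": set(),  # view-only: no permission can be selected
}
AUTH_TYPES = {"internal", "active-directory"}

# Constructed sample inventory (only the first username appears on the page).
ADMINS = [
    {"username": "admin-security-example", "type": "VM Admin", "auth": "internal",
     "permissions": ["Modify policy and settings", "Install Firewall policy"]},
    {"username": "noc-view-example", "type": "Network Monitoring", "auth": "internal",
     "permissions": ["Modify policy and settings"]},
    {"username": "ad-admin-example", "type": "VM Admin", "auth": "active-directory",
     "permissions": []},
]


def audit_admin(admin, ad_enabled):
    """Return the findings for one administrator record (empty list if clean)."""
    kind = admin.get("type")
    if kind not in ALLOWED_PERMISSIONS:
        return [f"unknown administrator type {kind!r}"]
    findings = []
    allowed = ALLOWED_PERMISSIONS[kind]
    extra = set(admin.get("permissions", [])) - (allowed or set())
    if allowed is not None and extra:
        findings.append(f"{kind} may not hold: {', '.join(sorted(extra))}")
    auth = admin.get("auth")
    if auth not in AUTH_TYPES:
        findings.append(f"unknown authentication type {auth!r}")
    elif auth == "active-directory" and not ad_enabled:
        findings.append("AD authentication selected but AD is not enabled")
    return findings


def policy_pushers(admins):
    """Usernames able to distribute firewall policy, for periodic review."""
    return sorted(a["username"] for a in admins
                  if a.get("type") == "Global Admin"
                  or "Install Firewall policy" in a.get("permissions", []))


if __name__ == "__main__":
    for a in ADMINS:
        for finding in audit_admin(a, ad_enabled=False):
            print(f"{a['username']}: {finding}")
    print("can push policy:", policy_pushers(ADMINS))
```
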

Changing Administrator Passwords

Whether you are a global administrator (Global Admin), an administrator whose account is defined as a VM Admin, or an administrator with Network Monitoring permissions, you can use the Settings module vGW Application Settings > Administrators page to change your password.

This section includes the following sections that explain the simple process and requirements:

Global Administrator: Changing Your Own Password

As the global administrator (Global Admin), when you select your own row in the Administrators table, the Edit Administrator dialog box appears showing the configuration for your account. To change your own password, you must first enter your current password followed by the new one.

When you select the Change password check box, the Current Password: and New Password: boxes appear, allowing you to change your password. You must also enter the new password in the Confirm Password: box. After you enter the new password, click Save. Figure 131 shows this dialog box.

Figure 131: Changing the Global Administrator Password


Global Administrator: Changing the Password of Another Administrator

When you want to change the password of another administrator, such as an administrator whose account is defined as a VM Admin or an administrator with Network Monitoring permissions, you are not required to enter that administrator’s current password. Not having to enter the current password for another administrator allows you to provide that administrator with a new password when they forget their current one.

As the global administrator, when you select the row for another administrator in the Administrators table, the Edit Administrator dialog box appears, showing the configuration for that administrator’s account.

As Figure 132 shows, when you select the Change password check box, the New Password: and Confirm Password: boxes appear, allowing you to change the password for the administrator whose account configuration is displayed. After you enter the new password, click Save.

Figure 132: Global Administrator Changing the Password of Another Administrator


VM Administrator and Network Monitoring Administrator Accounts: Changing Your Own Password

After the global administrator (Global Admin) defines an administrator account for you, you can change the password that was specified during the configuration. In this case, the global administrator conveys the password to you. You can also change your password at any time after you change it initially.

When you select Administrators, the change password dialog box appears. To change your password, you must first enter your current password followed by the new one.

To change your password, enter your current password in the Current Password: box and your new password in the New Password: box. You must also enter the new password in the Confirm Password: box. Then click Save. See Figure 133.

Figure 133: Administrators Changing Their Password

