We talked about identity-based user accounts for web-based management in "Identity based user accounts in PTP 650/700" and highlighted the three user roles: Security Officer, System Administrator, and Read Only.
The Security Officer role provides access to all of the web-based interface. The System Administrator role provides access to all of the web-based interface except for the pages concerned with system security. Further details are included below. The Read Only role provides access to the same pages as the System Administrator role, but does not allow attributes to be changed.
The pages that are hidden from a user with the System Administrator or Read Only role are:
- Local User Accounts page: Allows a Security Officer user to create local user accounts, lock accounts, set passwords, configure minimum password complexity, and force password change on the next login
- RADIUS page: Allows a Security Officer to configure RADIUS for remotely-authenticated users
- SNMP page: Allows a Security Officer to configure SNMP, including SNMPv3 security
- Syslog Configuration page: Allows a Security Officer to configure the syslog client
- Security Wizard: Allows a Security Officer to configure AES encryption and HTTPS.
In addition, only a user with the Security Officer role can configure AES encryption on the System Configuration page.
In some smaller networks it probably makes sense to create all user accounts with the Security Officer role, but in a larger organisation you should consider providing a user role to individuals based on their needs and responsibilities.