IronPort - daily management guide - AsyncOS 7.6.1

Managing Custom User Roles for Delegated Administration
8-26
Step 8 Select whether to use PAP or CHAP for RADIUS authentication.
Cisco IronPort AsyncOS 7.6 for Email Daily Management Guide
Chapter 8 Common Administrative Tasks
Step 9 Optionally, click Add Row to add another RADIUS server. Repeat steps 6 and 7 for each RADIUS server
that your appliance uses for authentication.
Step 10 Enter the amount of time to store external authentication credentials in the web user interface.
Step 11 Select whether to map a group of RADIUS users to a Cisco IronPort role, or grant all RADIUS users the
Administrator role. It is recommended that you map RADIUS groups to Cisco IronPort roles.
Step 12 If you chose to map a RADIUS group to a Cisco IronPort role, enter the RADIUS CLASS attribute for
the group and select the role for users with that CLASS attribute.
Step 13 Optionally, click Add Row to add another group. Repeat steps 11 and 12 for each group of users that the
appliance authenticates.
Step 14 Submit and commit your changes.
Managing Custom User Roles for Delegated Administration
You can design custom user roles and delegate specific responsibilities to users that align with their roles
within your organization, allowing these delegated administrators access only to the email security
features they are responsible for and not the system configuration features that are not related to their
roles. Delegated administration provides more flexible control over your users’ access to the email
security features on the appliance than the predefined administrator, operator, and help desk user roles.
For example, you may have users who are responsible for managing mail policies for specific domains
on the Email Security appliance, but you do not want these users to access the system administration and
security services configuration features, which the predefined administrator and operator roles grant.
You can create a custom user role for mail policy administrators who can grant these users access to the
mail policies they manage, along with other email security features that they can use to manage messages
processed by these policies, such as Message Tracking and policy quarantines.
Use the System Administration > User Roles page in the GUI (or the userconfig -> role command in
the CLI) to define custom user roles and manage the email security features for which they are
responsible, such as mail policies, RSA Email DLP policies, email reports, and quarantines. For a full
list of email security features that delegated administrators can manage, see Assigning Access
Privileges, page 8-28. Custom roles can also be created when adding or editing a local user account using
the System Administration > Users page. See Defining a Custom User Role When Adding a User
Account, page 8-33 for more information.
You should make sure when creating a custom user role so that its responsibilities don’t overlap too much
with the responsibilities of other delegated administrators. If multiple delegated administrators are
responsible for the same content filter, for example, and use the content filter in different mail policies,
the changes made to the filter by one delegated administrator may cause unintended side effects for the
mail policies managed by other delegated administrators.
When you have created the custom user roles, you can assign local users and external authentication
groups to them like any other user role. See Working with User Accounts, page 8-12 for more
information. Please note that users assigned to custom roles cannot access the CLI.
Figure 8-19 displays a list of custom user roles defined for an Email Security appliance, including the
access privileges assigned to the roles.
OL-25138-01