IronPort - daily management guide - AsyncOS 7.6.1
Cisco IronPort AsyncOS 7.6 for Email Daily Management Guide
Chapter 8 Common Administrative Tasks
Step 8 Select whether to use PAP or CHAP for RADIUS authentication.
Step 9 Optionally, click Add Row to add another RADIUS server. Repeat steps 6 and 7 for each RADIUS server that your appliance uses for authentication.
Step 10 Enter the amount of time to store external authentication credentials in the web user interface.
Step 11 Select whether to map a group of RADIUS users to a Cisco IronPort role, or grant all RADIUS users the Administrator role. It is recommended that you map RADIUS groups to Cisco IronPort roles.
Step 12 If you chose to map a RADIUS group to a Cisco IronPort role, enter the RADIUS CLASS attribute for the group and select the role for users with that CLASS attribute.
Step 13 Optionally, click Add Row to add another group. Repeat steps 11 and 12 for each group of users that the appliance authenticates.
Step 14 Submit and commit your changes.
Managing Custom User Roles for Delegated Administration
You can design custom user roles and delegate specific responsibilities to users that align with their roles within your organization, allowing these delegated administrators access only to the email security features they are responsible for and not the system configuration features that are not related to their roles. Delegated administration provides more flexible control over your users’ access to the email security features on the appliance than the predefined administrator, operator, and help desk user roles.
For example, you may have users who are responsible for managing mail policies for specific domains on the Email Security appliance, but you do not want these users to access the system administration and security services configuration features, which the predefined administrator and operator roles grant. You can create a custom user role for mail policy administrators that grants these users access to the mail policies they manage, along with other email security features that they can use to manage messages processed by these policies, such as Message Tracking and policy quarantines.
Use the System Administration > User Roles page in the GUI (or the userconfig -> role command in the CLI) to define custom user roles and manage the email security features for which they are responsible, such as mail policies, RSA Email DLP policies, email reports, and quarantines. For a full list of email security features that delegated administrators can manage, see Assigning Access Privileges, page 8-28. Custom roles can also be created when adding or editing a local user account using the System Administration > Users page. See Defining a Custom User Role When Adding a User Account, page 8-33 for more information.
When creating a custom user role, make sure that its responsibilities don’t overlap too much with the responsibilities of other delegated administrators. If multiple delegated administrators are responsible for the same content filter, for example, and use the content filter in different mail policies, the changes made to the filter by one delegated administrator may cause unintended side effects for the mail policies managed by other delegated administrators.
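One way to check for the content filter overlap described above before assigning roles, as an added example that is not Cisco's code and does not read an AsyncOS export format. The role, policy and filter names and the three dictionaries are constructed sample inventory that you would fill in from your own User Roles page.

```python
from collections import defaultdict

# Constructed inventory (hypothetical names, not an AsyncOS export format):
# content filters and mail policies each custom role may edit, and the
# content filters each mail policy uses.
ROLE_FILTERS = {
    "sales-policy-admins": {"strip-exe", "sales-disclaimer"},
    "hr-policy-admins": {"strip-exe", "hr-dlp-footer"},
    "helpdesk-quarantine": set(),
}
ROLE_POLICIES = {
    "sales-policy-admins": {"sales.example.com-incoming"},
    "hr-policy-admins": {"hr.example.com-incoming"},
    "helpdesk-quarantine": set(),
}
POLICY_FILTERS = {
    "sales.example.com-incoming": {"strip-exe", "sales-disclaimer"},
    "hr.example.com-incoming": {"strip-exe", "hr-dlp-footer"},
}

def find_filter_overlaps(role_filters, role_policies, policy_filters):
    """Return {filter: {editing_role: [policies of other roles it affects]}}."""
    editors = defaultdict(set)          # filter -> roles allowed to edit it
    for role, filters in role_filters.items():
        for name in filters:
            editors[name].add(role)
    owners = defaultdict(set)           # policy -> roles that manage it
    for role, policies in role_policies.items():
        for policy in policies:
            owners[policy].add(role)
    findings = {}
    for name, roles in editors.items():
        if len(roles) < 2:              # a single editor cannot conflict
            continue
        impact = {}
        for role in roles:
            # Policies that use this filter but are managed by someone else.
            affected = sorted(p for p, used in policy_filters.items()
                              if name in used and role not in owners[p])
            if affected:
                impact[role] = affected
        if impact:
            findings[name] = impact
    return findings

if __name__ == "__main__":
    result = find_filter_overlaps(ROLE_FILTERS, ROLE_POLICIES, POLICY_FILTERS)
    for name, impact in result.items():
        for role, policies in sorted(impact.items()):
            print(f"{name}: {role} can change behaviour of {', '.join(policies)}")
```
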
When you have created the custom user roles, you can assign local users and external authentication groups to them like any other user role. See Working with User Accounts, page 8-12 for more information. Please note that users assigned to custom roles cannot access the CLI.
Figure 8-19 displays a list of custom user roles defined for an Email Security appliance, including the access privileges assigned to the roles.
OL-25138-01