Prevent same admin user making configuration change from different places (Web & CLI) at same time

Reply
L1 Bithead

Prevent same admin user making configuration change from different places (Web & CLI) at same time

Hi,

 

I would like to know is there any way to prevent same admin user (say devAdmin) making configuration change from different places (Web & CLI) at same time?

 

Anthony Cheung

Tags (2)

Accepted Solutions
Highlighted
L7 Applicator

Re: Prevent same admin user making configuration change from different places (Web & CLI) at sam

I understand the use case, thanks for that.

 

The simplest thing would be to create an Admin Role that blocks all Web UI sections and allows superuser for CLI. Then create an Administrator and assign the admin role you created to that administrator. 

 

That user would only have access to the CLI, though you may want to make it have access to XML API to take full advantage of it.

 

Your existing AdminA user would still have full access to CLI and UI, but because it's a different user name the config lock would work as provided by Otakar.Klier.

View solution in original post


All Replies
Highlighted
L7 Applicator

Re: Prevent same admin user making configuration change from different places (Web & CLI) at sam

Hello,

Yes the feature is called a commit lock. Its under the Device -> Setup -> Management -> General Settings. Click the sprocket and then check the box for "Automatically Acquire Commit Lock".

 

So once someone makes a setting change it locks the config until that person releases, commits it, or someone else releases it (if you allow for that).

 

Regards,

Highlighted
L7 Applicator

Re: Prevent same admin user making configuration change from different places (Web & CLI) at sam

Highlighted
L1 Bithead

Re: Prevent same admin user making configuration change from different places (Web & CLI) at sam

Thanks for your reply. I have tried commit lock but it seems not work for my case.

 

My case is "same admin user using different methods at the same time". For example, I have an admin user which username is "adminA". I log in Web interface with "adminA" and at the same time "adminA" is logged in CLI. In this situation, if commit lock is acquired on CLI, I cannot acquire the lock in Web interface becuse "adminA" has acquired the lock. Nevertheless, "adminA" on Web interface can commit configuration changes even the changes are made in CLI.

 

Is there any way to resolve this situation?

Highlighted
L7 Applicator

Re: Prevent same admin user making configuration change from different places (Web & CLI) at sam

Hmm, interesting. That may be a TAC case.

Highlighted
L7 Applicator

Re: Prevent same admin user making configuration change from different places (Web & CLI) at sam

In this instance, a case would not get a resolution. A feature request is needed.

 

It's an odd use case: if the same user is making changes in CLI and different changes in the GUI, that user should know that because it's the same user. I don't understand why you would want to prevent a user from administering the firewall in such a way.

 

@anthony_cheung, is your use case something you can expand on here? Why is this a problem?

Highlighted
L1 Bithead

Re: Prevent same admin user making configuration change from different places (Web & CLI) at sam

@gwesson, actually, I would like to use CLI and some shell script programming to do automatic password management task (e.g. periodic changing password). Nevertheless, I cannot find a way to block the actual admin user from logging in Web interface to do any other configuration jobs. That's why I raise the question.

Highlighted
L7 Applicator

Re: Prevent same admin user making configuration change from different places (Web & CLI) at sam

I understand the use case, thanks for that.

 

The simplest thing would be to create an Admin Role that blocks all Web UI sections and allows superuser for CLI. Then create an Administrator and assign the admin role you created to that administrator. 

 

That user would only have access to the CLI, though you may want to make it have access to XML API to take full advantage of it.

 

Your existing AdminA user would still have full access to CLI and UI, but because it's a different user name the config lock would work as provided by Otakar.Klier.

View solution in original post

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!