03-28-2018 07:48 AM
Is it possible to disable a user (local account)? I don't see this option in the web gui, but thought it might be something that can be done using the cli. I need to be able to allow access for specific reasons at specific times and disable access when not needed. Changing the user's password each time is the only other option I can think of so far.
03-28-2018 09:26 AM - edited 03-28-2018 09:27 AM
Sounds like you are looking for schedules?
You can setup a security policy that allows access and add a schedule to it so it is disabled (or enabled) at certain times. that way the policy is for that user/group of useres and will only allow or disallow the access during a certain window that you have defined.
Hope this helps!
03-29-2018 08:00 AM
I think scheduling might help, but it's not really what I'm after. I need to be able to enable/disable a local user account to allow/deny login to the firewall to perform administration tasks.
03-29-2018 08:14 AM
To be clear, you want an administrator account that is disabled until it is needed for a particular task? Another administrator (or api call, etc) would enable that account to allow the task to be completed then disable it when done?
I do not know of a settign to disable an account, but you may be able to create an Admin Role that does not allow any access, and assign that to "disable" the account as needed.
03-29-2018 08:34 AM
I think I have a solution. I created a bogus auth_profile with the domain set to a non-existant name and the allow list populated with only a non-matching bogus user. This seems to work.
03-29-2018 08:46 AM
Hi @mike406
Just keep this in mind: if you change something for an account that is already logged in - even if you delete the local account - this will not terminate the existing session. It only prevents new sessions.
05-25-2023 07:28 AM
This is no longer the case. If you make a change to a local admin while they are logged in, they are forced to reauthenticate.
05-25-2023 01:42 PM - edited 05-25-2023 01:43 PM
Hi Mike,
Then you can enable and disable at will.
Thanks,
Tom
05-25-2023 01:49 PM
Doesn't that force the user to use credentials stored in the DB rather than certificates?
05-25-2023 02:23 PM
Hi @Jason_Lieberman ,
I don't see anywhere where @mike406 talked about certificates. He mentioned local passwords.
Thanks,
Tom
05-25-2023 02:57 PM
I wasn't trying to debate you. I was just trying to get clarification.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
