10-30-2017 09:25 AM
I understand the use case, thanks for that.
The simplest thing would be to create an Admin Role that blocks all Web UI sections and allows superuser for CLI. Then create an Administrator and assign the admin role you created to that administrator.
That user would only have access to the CLI, though you may want to make it have access to XML API to take full advantage of it.
Your existing AdminA user would still have full access to CLI and UI, but because it's a different user name the config lock would work as provided by Otakar.Klier.
10-25-2017 02:57 PM
Hello,
Yes the feature is called a commit lock. Its under the Device -> Setup -> Management -> General Settings. Click the sprocket and then check the box for "Automatically Acquire Commit Lock".
So once someone makes a setting change it locks the config until that person releases, commits it, or someone else releases it (if you allow for that).
Regards,
10-25-2017 07:29 PM
Thanks for your reply. I have tried commit lock but it seems not work for my case.
My case is "same admin user using different methods at the same time". For example, I have an admin user which username is "adminA". I log in Web interface with "adminA" and at the same time "adminA" is logged in CLI. In this situation, if commit lock is acquired on CLI, I cannot acquire the lock in Web interface becuse "adminA" has acquired the lock. Nevertheless, "adminA" on Web interface can commit configuration changes even the changes are made in CLI.
Is there any way to resolve this situation?
10-26-2017 03:12 PM
Hmm, interesting. That may be a TAC case.
10-26-2017 03:19 PM
In this instance, a case would not get a resolution. A feature request is needed.
It's an odd use case: if the same user is making changes in CLI and different changes in the GUI, that user should know that because it's the same user. I don't understand why you would want to prevent a user from administering the firewall in such a way.
@anthony_cheung, is your use case something you can expand on here? Why is this a problem?
10-29-2017 06:18 PM
@gwesson, actually, I would like to use CLI and some shell script programming to do automatic password management task (e.g. periodic changing password). Nevertheless, I cannot find a way to block the actual admin user from logging in Web interface to do any other configuration jobs. That's why I raise the question.
10-30-2017 09:25 AM
I understand the use case, thanks for that.
The simplest thing would be to create an Admin Role that blocks all Web UI sections and allows superuser for CLI. Then create an Administrator and assign the admin role you created to that administrator.
That user would only have access to the CLI, though you may want to make it have access to XML API to take full advantage of it.
Your existing AdminA user would still have full access to CLI and UI, but because it's a different user name the config lock would work as provided by Otakar.Klier.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
