Table of Contents
You will have created your first user as part of the initial setup of your FB6000, as detailed in either the QuickStart Guide or in Chapter 2 in this manual.
To create, edit or delete users, browse to the config pages by clicking the "Edit" item in the sub-menu under the "Config" main-menu item, then click on the "Users" category icon. Click on the "Edit" link adjacent to the user you wish to edit, or click on the "Add" link to add a user.
To delete a user, click the appropriate "Edit" link, then click the "Erase" button in the navigation controls - see Figure 3.8. As with any such object erase operation, the object will not actually be erased until the configuration is saved.
Once you have added a new user, or are editing an existing user, the object editing page will appear, as shown in Figure 4.1 :-
The minimum attributes that must be specified are name
, which is the username that you type in when logging in, and
password
- passwords are mandatory on the FB6000.
You can optionally provide a full name for the specified username, and a general comment field value.
A user's login level is set with the level
attribute, and determines what CLI commands the user can run.
The default, if the level
attribute is not specified, is ADMIN
- you may wish to downgrade the level for
users who are not classed as 'system administrators'.
Table 4.1. User login levels
Level | Description |
NOBODY | Unknown or not logged in user |
GUEST | Guest user |
USER | Normal unprivileged user |
ADMIN | System administrator |
DEBUG | System debugging user |
The configuration access level determines whether a user has read-only or read-write access to the configuration,
as shown in Table 4.2 below. This mechanism can also be used to deny all access to the configuration using the
none
level, without actually deleting the user definition.
This setting is distinct from, and not connected with, the login level described above. You can use the access level to
define, for example, whether a USER login-level user can modify the configuration. Typically an ADMIN (or DEBUG) login-level user would always be granted
full access, so for ADMIN or DEBUG level user's, the default of full
is suitable.
Table 4.2. Configuration access levels
Level | Description |
none | No access unless explicitly listed |
view | View only access (no passwords) |
read | Read only access (with passwords) |
full | Full view and edit access - DEFAULT |
To improve security, login sessions to either the web user interface, or to the command-line interface (via telnet, see Chapter 17),
will time-out after a period of inactivity. This idle time-out defaults to 5 minutes, and can be changed by setting the timeout
attribute
value.
The time-out value is specified using the syntax for the XML fb:duratin data type. The syntax is hours, minutes and seconds, or minutes and seconds or just seconds. E.g. 5:00
.
To set a user's time-out in the user interface, tick the checkbox next to
timeout
, and enter a value in the format described above.
Setting a timeout to 0 means unlimited and shoudl obviously be used with care.
You can restrict logins by a given user to be allowed only from specific IP addresses, using the allow
attribute.
This restriction is per-user, and is distinct from, and applies in addition to, any restrictions specified on either the web or telnet (for command
line interface access) services (see Section 12.2 and Section 12.3), or any firewall rules that affect web or
telnet access to the FB6000 itself.
By specifying a profile name using the profile
attribute, you can allow logins by the user only when the
profile is in the Active state (see Chapter 8). You can use this to, for example, restrict logins to be allowed only during
certain times of the day, or you can effectively suspend a user account by specifying an always-Inactive profile.