Administrative Accounts

The Administrative Accounts tree stores accounts that are used to administer Cisco Secure Policy Manager. You can create, modify, and delete administrative accounts under the Administrative Accounts tree. An administrator must submit the username and password of an active administrative account for the GUI client when connecting to a Primary Policy Database from either a primary or secondary server. In a distributed system, the computer on which you install the Primary Policy Database feature set is called a primary server (as is the computer in a stand-alone system). The computers on which you install all other feature sets are called secondary servers.

This account is not the same as a Windows NT user account, although the two accounts can share the same username and password. Every person who intends to administer Cisco Secure Policy Manager from either a primary or a secondary server should have a separate administrative account.

Learn More About Administrative Accounts

Administrative accounts enable users to administer Cisco Secure Policy Manager from either a primary or secondary server. The GUI client supports three types of administrative accounts.

This account may be used to view scheduled and on-demand reports from a web browser. However, if you upgrade privileges assigned to this account to read-only access or full access, you should also change the password to avoid possible security breaches.

Warning: Guard all administrative account information carefully, especially passwords, and above all the information for full access administrative accounts.

An administrative account for the GUI client is not the same as a Windows NT user account. A person who has Windows NT administrator privileges with his or her user account does not necessarily have access to administer a Primary Policy Database unless that person also has an administrative account for the GUI client. When you install Cisco Secure Policy Manager, the setup program creates a default administrative account based upon the Windows NT user account that you used to log on to the workstation.


Note: Immediately after installation, you should delete or disable the default account. By doing so, you eliminate the possibility of someone obtaining your Windows NT account information and logging on to the GUI client and making changes to security policies and configuration settings, thus compromising network security.

We recommend that you create a new account for each additional person who intends to administer your network security devices, because sharing accounts among users makes accountability more difficult. The GUI client places no limit on the number of administrative accounts that you can create.


Note: You cannot delete the last remaining administrative account or the one currently in use. If you attempt to do so, the GUI client displays a message box informing you of this fact.


Note: At least one administrative account must have full access privileges. If you attempt to change privileges for the last remaining full access account, the GUI client displays a message box informing you that no administrative account has full access privileges. If you do change privileges for the last remaining full access account to read-only access or report viewing, the GUI client will not allow you to save and exit, even with Consistency Check disabled.

Administrative Accounts Task List

You can perform the following tasks from the Administrative Accounts tree or from the General panel related to any administrative account. For step-by-step procedures on performing a specific task, refer to the corresponding task topic.

Creating an Administrative Account

You should create an administrative account for each person who intends to administer Cisco Secure Policy Manager on either a primary or secondary server. Sharing an account is insecure because it provides no accountability for who made which change to the Primary Policy Database.


Caution: All administrators should guard their passwords carefully. Otherwise, the security of the Policy Database, and hence your networks, could be compromised.

To create an administrative account, perform the following task:


Step 1 Right-click the Administrative Accounts tree icon, point to New, and then click Administrator on the shortcut menu.

Result: A new administrative account node appears under the Administrative Accounts tree in the Navigator pane, and the General panel for the new account appears in the View pane.


Tips: If the General panel for the new account does not appear in the View pane, right-click the new account node, and then click Properties on the shortcut menu.


Step 2 To name the administrative account, type the name in the Username box in the General panel.

This name becomes the default username for the administrative account. The GUI client accepts long usernames and most alphanumeric or symbol characters, in both uppercase and lowercase. However, you cannot use quotation marks (") or a semicolon (;).

Step 3 To designate the user's full name, type it in the Full Name box.

The GUI client accepts long full names and all alphanumeric or symbol characters, in both uppercase and lowercase. While this field does not affect operation of the Primary Policy Database, it provides all administrators with a means of keeping track of who uses which account.

Step 4 To specify a privilege level, select one from the Privileges list.

Three administrative privileges are available:

For more information about administrative privileges, see Learn More About Administrative Accounts.

Step 5 To specify a new password, select the Change Password check box.

Result: A check mark appears in the Change Password check box, and the New password and Confirm password boxes become available.

Step 6 To assign a password to the new account, type it in the New password box.

The GUI client accepts long passwords and all alphanumeric and symbol characters, in both uppercase and lowercase.

Step 7 To confirm the password that you assigned, type it again in the Confirm password box.

If an error message appears after typing and confirming the password, retype the password in the Confirm password box. If an error message persists, check the CAPS LOCK key on your keyboard.

Step 8 To accept your changes and close the General panel, click OK.

Result: The name of the account node under the Administrative Accounts tree in the Navigator pane automatically updates to the new username.

Step 9 To save any changes that you have made, click Save on the File menu.



Changing an Administrative Account Password

You should change the password for an administrative account if you suspect that the existing one has become insecure or has been compromised in any way.


Caution: All administrators should guard their passwords carefully. Otherwise, the security of the Primary Policy Database, and hence your networks, could be compromised.

To change an administrative account password, perform the following task:


Step 1 In the Navigator pane, double-click the account node for which you want to change the password.

Result: The General panel appears in the View pane.


Step 2 Select the Change Password check box under Password.

Result: A check mark appears in the Change Password check box and the New password and Confirm password boxes become available.

Step 3 To provide a new password, type it into the New password box.

The GUI client accepts long passwords and all alphanumeric and symbol characters, in both uppercase and lowercase.

Step 4 To confirm the new password, retype it into the Confirm password box.

If you receive an error message, retype the password into the Confirm password box again. If an error message persists, check the CAPS LOCK key on your keyboard.

Step 5 To accept your changes and close the selected panel, click OK.

Step 6 To save any changes that you have made, click Save on the File menu.



Changing the Privilege Settings of an Administrative Account

Using a GUI client account with full access privileges, you can change the privilege values for other accounts defined within the Administrative Accounts tree. This feature enables you to customize access to the GUI client, which helps you meet your security requirements for access to your policy management system.


Caution: Although administrative privileges can be changed, you should do so with caution. If read-only access and report viewing only accounts were used to view reports from a web browser, it is possible that their usernames and passwords were hijacked. In this event, upgrading these accounts to full access privileges can compromise the security of your system.


Note: At least one administrative account must have full access privileges. If you attempt to change privileges for the last remaining full access account, the GUI client displays a message box informing you that no administrative account has full access privileges. If you do change privileges for the last remaining full access account to read-only access or report viewing, the GUI client will not allow you to save and exit, even with Consistency Check disabled.

To change privileges for an existing administrative account, perform the following task:


Step 1 In the Navigator pane, double-click the account node for which you want to change privileges.

Result: The General panel appears in the View pane.


Step 2 To change privileges for an existing account, select one from the Privileges list.

Three administrative privileges are available:

For more information about administrative privileges, see Learn More About Administrative Accounts.

Step 3 To accept your changes and close the selected panel, click OK.

Step 4 To save any changes that you have made, click Save on the File menu.
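
The account rules and recommendations on this page can be written as checks over an account inventory. The following is an added example, not Cisco code and not part of the original documentation; the inventory layout, field names and sample accounts are assumptions constructed for illustration.

```python
# Added example. The inventory layout and field names are hypothetical;
# the page does not describe an export format for administrative accounts.
FULL, READ_ONLY, REPORT = "full access", "read-only access", "report viewing"
RANK = {REPORT: 0, READ_ONLY: 1, FULL: 2}

SAMPLE = [  # constructed inventory
    {"username": "ntadmin", "privilege": FULL, "setup_default": True,
     "enabled": True, "used_by": ["alice"]},
    {"username": "noc", "privilege": READ_ONLY, "used_by": ["bob", "carol"]},
    {"username": "reports", "privilege": FULL, "previous_privilege": REPORT,
     "password_changed_after_upgrade": False, "used_by": ["dave"]},
    {"username": "erin", "privilege": READ_ONLY, "used_by": ["erin"]},
]

def audit(accounts):
    """Return (username, finding) pairs for accounts that break the guidance."""
    findings = []
    for a in accounts:
        name, prev = a["username"], a.get("previous_privilege")
        if any(c in name for c in '";'):
            findings.append((name, "username contains a quotation mark or semicolon"))
        if a.get("setup_default") and a.get("enabled", True):
            findings.append((name, "default setup account still enabled"))
        if len(a.get("used_by", [])) > 1:
            findings.append((name, "account shared between people"))
        if (prev and RANK[a["privilege"]] > RANK[prev]
                and not a.get("password_changed_after_upgrade")):
            findings.append((name, "privilege upgraded, password unchanged"))
    return findings

def change_allowed(accounts, username, current_user, new_privilege=None):
    """Check a delete (new_privilege=None) or privilege change; (ok, reason)."""
    if new_privilege is None:
        if username == current_user:
            return False, "cannot delete the account currently in use"
        after = [a for a in accounts if a["username"] != username]
        if not after:
            return False, "cannot delete the last remaining account"
    else:
        after = [dict(a, privilege=new_privilege) if a["username"] == username
                 else a for a in accounts]
    if not any(a["privilege"] == FULL for a in after):
        return False, "at least one account must keep full access"
    return True, "ok"

if __name__ == "__main__":
    for user, finding in audit(SAMPLE):
        print(f"{user}: {finding}")
```
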



Posted: Thu May 25 13:46:07 PDT 2000
Copyright © 1989 - 2000 Cisco Systems Inc.