Configuring Delegated Administrators

May 28, 2013

NetScaler Gateway has a default administrator user name and password. The default user name and the default password are both nsroot. When you run the Setup Wizard for the first time, you can change the administrator password.

You can create additional administrator accounts and assign each account a different level of access to NetScaler Gateway. These additional accounts are called delegated administrators. For example, you have one person who is assigned to monitor NetScaler Gateway connections and logs and another person who is responsible for configuring specific settings on NetScaler Gateway. The first administrator has read-only access and the second administrator has limited access to the appliance.

To configure a delegated administrator, you use command policies and system users and groups.

The process for configuring a delegated administrator is:

  • Add a system user. A system user is an administrator with specified privileges. All administrators inherit the policies of the groups to which they belong.
  • Add a system group. A system group contains system users with specific privileges. Members of the system group inherit the policies of the group or groups to which they belong.
  • Create a command policy. Command policies allow you to define what parts of the NetScaler Gateway configuration a user or group is allowed to access and modify. You can also regulate which commands, such as command groups, virtual servers, and other elements, administrators and groups are permitted to configure.
  • Bind the command policy to the user or group by setting the priority. When configuring delegated administration, assign priorities to the administrator or group so NetScaler Gateway can determine which policy takes precedence.

NetScaler Gateway has a default deny system command policy. Command policies cannot be bound globally. You must bind the policies directly to system administrators (users) or groups. If users and groups do not have an associated command policy, the default deny policy is applied and users cannot execute any commands or configure NetScaler Gateway.

You can configure custom command policies to define a greater level of detail for user rights assignments. For example, you can give one person the ability to add session policies to NetScaler Gateway, but not allow the user to perform any other configuration.
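
The following added example (not Citrix code and not part of the original documentation) models in Python how command policies bound with priorities resolve for a user and the user's groups, with the default deny applied when nothing matches. It assumes that the lowest priority number takes precedence and that a policy's command specification is a regular expression matched against the whole command; the policy names, users and sample commands are constructed.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class CmdPolicy:
    name: str
    action: str    # "ALLOW" or "DENY"
    cmd_spec: str  # regular expression matched against the full command

@dataclass
class Principal:   # a system user or a system group
    name: str
    bindings: list  # list of (priority, CmdPolicy) pairs

def effective_bindings(user, groups):
    """Merge the user's own bindings with those inherited from its groups."""
    merged = list(user.bindings)
    for group in groups:
        merged.extend(group.bindings)
    # Assumption of this model: the lowest priority number wins.
    return sorted(merged, key=lambda binding: binding[0])

def authorize(command, user, groups=()):
    """Return (decision, deciding_policy_name) for one command."""
    for _priority, policy in effective_bindings(user, groups):
        if re.fullmatch(policy.cmd_spec, command):
            return policy.action, policy.name
    # No bound policy matched: the default deny policy applies.
    return "DENY", "default-deny"

# Constructed sample policies (names and expressions are illustrative).
READ_ONLY = CmdPolicy("monitor_ro", "ALLOW", r"(show|stat)\s+.*")
SESSION_ADD = CmdPolicy("session_add_only", "ALLOW",
                        r"add\s+vpn\s+sessionPolicy\s+.*")
HIDE_SYSTEM = CmdPolicy("hide_system", "DENY", r"show\s+system\s+.*")

# Constructed users and group: alice inherits read-only access from the
# group but has a higher-precedence deny; bob may only add session
# policies; carol has no policy bound at all.
monitors = Principal("monitors", [(100, READ_ONLY)])
alice = Principal("alice", [(10, HIDE_SYSTEM)])
bob = Principal("bob", [(10, SESSION_ADD)])
carol = Principal("carol", [])

if __name__ == "__main__":
    for cmd, user, groups in [
        ("show vpn vserver", alice, [monitors]),
        ("show system user", alice, [monitors]),
        ("rm vpn vserver vs1", bob, []),
        ("show vpn vserver", carol, []),
    ]:
        print(user.name, repr(cmd), authorize(cmd, user, groups))
```

Auditing the merged, sorted binding list per administrator in this way makes it visible when a broad ALLOW sits at a higher precedence than a narrower DENY that was meant to restrict it.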