
ACS Administration restrictions not 100%

tahequivoice
Level 2

I am attempting to set up individual admin accounts for customers to admin their VPN users, and ran into an interesting loophole. Under each user there is the Advanced settings where the NARs are, and that user can access the other customers' NARs and gain VPN access to their devices. How can I restrict those users to only add/remove users under his group without showing the rest of the permissions?

3 Replies

Jagdeep Gambhir
Level 10

I don't think that is possible. Those admin users will be able to view all configuration for that user.

Read access to users in these groups.

Enables read-only access to users in the Editable groups.

When the Add/Edit users in these groups option is enabled, it overrides the settings in the Read access to users in these groups option.

If the Add/Edit users in these groups option is checked (enabled), it does not matter if this setting is enabled or disabled. The Add/Edit users in these groups setting overrides this setting, and the administrator can edit all users in the Editable groups.

If the Add/Edit users in these groups option is unchecked (disabled):

* Check this check box to grant the administrator read access to the users in the Editable groups. In this case, the administrator cannot submit changes.

* When unchecked, administrators cannot view users.

This has to be a feature request.

Regards,

~JG

Do rate helpful posts

I think I know where you are going, but the admin user doesn't have access to users in the other groups, just in the group assigned. The problem I see is that under a user account, the other groups show up, and he can add a user to that group, and then that user would be able to log into the other groups' VPN servers.

Where would I send in a feature request for this? I am a bit surprised it hasn't come up before. The ACS I am finding very useful for customer VPNs who don't have their own RADIUS server, and where we admin their firewall.

No, if you allow an admin user to add/edit users in two groups, then only those two groups would show up in the user setup.

And that admin user will not be able to open group setup page.

See attachment
