IronPort C170: Read-Only Operator cannot run displayalerts command

marcel.balan
Level 1

Hi,

Does anyone know why a user that is a member of the Read-Only Operator role cannot run the "displayalerts" command in the CLI? The error is "You are not in the correct access group to use the displayalerts command".

It does work if the user is assigned the Operator role.


Thank you,

Marcel

Accepted Solutions

Mathew Huynh
Cisco Employee
Hello Marcel,

The Operator role itself has almost the same privileges as the administrator (which includes displayalerts), with the caveat that it is restricted from:

Creating or editing user accounts.
Issuing the resetconfig command.
Upgrading the appliance.
Issuing the systemsetup command or running the System Setup Wizard.
Issuing the adminaccessconfig command.
Performing some quarantine functions (including creating, editing, deleting, and centralizing quarantines).
Modifying LDAP server profile settings other than username and passphrase, if LDAP is enabled for external authentication.

Whereas the Read-Only operator is a restricted role with only:
Access to view configuration information. Users with the Read-Only Operator role can make and submit changes to see how to configure a feature, but they cannot commit them. Users with this role can manage messages in quarantines, if access is enabled in a quarantine.

Users with this role cannot access the following:
File system, FTP, or SCP.
Settings for creating, editing, deleting, or centralizing quarantines.

Everything else not available is restricted (including displayalerts).

Regards,
Matthew
