The Administrators page lets you add and configure admins for the Cato Management Application (CMA) that manages your account.
There are different types of roles and permissions for CMA admins, for more information see Configuring Roles and Permissions for Admins (RBAC).
You can choose to configure these options for each admin account:
-
Password never expires
-
Admin roles and permissions
Admin Password Options
By default, admins are required to change their passwords for the CMA every 90 days and they receive email notifications 14 days and 3 days before the password expiration date. When you enable the Password never expires option for an admin, that admin is never required to change his password.
You can use the Password Expiration setting to configure how often admins are required to change their passwords for the CMA.
Admin MFA Options
Multi-Factor Authentication (MFA) is enabled by default for new admins to provide extra security for the CMA admin that uses the Cato username and password credentials. For more about using MFA, see Configuring Authentication Settings for Administrators.
To add an admin:
-
From the navigation menu, click Account > Administrators.
-
Click New.
The Create Administrator panel opens.
-
Enter these General settings for the admin:
-
First name and Last name
-
Email - Admins use this email address as the username when logging in to the CMA
-
Select an existing admin - For Cato resellers, you can add an admin that is already configured in the CMA
Select this option and choose the admin from the drop-down list with all the admins in the customer accounts
-
-
Select the permissions Role for this admin
-
-
(Optional) To exclude this admin from the password expiration policy, select Password never expires.
-
Click Apply. The admin is added to the Administrators page.
-
Click Save. The admin is saved to the CMA and an email invitation is sent to the admin with instructions for how to activate the account.
Note
IMPORTANT: Some policies support concurrent admins and policy revisions, for more information, see Working with Policy Revisions.
When multiple admins are logged in to the CMA at the same time (concurrently), occasionally there can be an issue if they try to configure the same setting at the same time. To manage these types of issues, the CMA shows a warning message when there is a possibility of saving a configuration which can overwrite changes that were recently made by a different admin.
This is an example of the warning message shown to concurrent admins.
-
Admin1 is editing the New York site at the same time as Admin2 is editing the same site.
-
Admin1 saves the changes to the site.
-
Admin2 tries to save changes to the site.
-
Admin2 sees a pop-up window, which states that saving the changes may overwrite the recently configured changes made by a different admin.
-
Admin2 can choose to overwrite and save these changes, or discard the changes.
If Admin2 discards the changes, the CMA refreshes and shows the configuration saved by Admin1 (in step 2).
Issues related to concurrent admins only occur when they are working on the same entity type. Otherwise, admins can make changes at the same. These are the entity types in the CMA:
-
Account settings (such as security and network settings)
-
Sites
-
SDP users
-
Groups
-
Admins
Example of Changes to Different Entity Types
Admin1 saves changes to the New York site, and then admin2 saves changes to an SDP user. The admins can successfully save the changes.
Example of Changes to the Same Entity Type
Admin1 saves changes to a firewall rule and then Admin2 saves changes to a network rule. Admin2 is shown the warning message about saving the changes or discarding them.
You can choose to restrict all administrators to log in only from specific IP addresses.
For accounts that use egress IP addresses (NATed IPs), you can allow admins to log in from these IP addresses.
For more information about login settings for admins, see Configuring Authentication Settings for Administrators.
To configure admin login restrictions:
-
From the navigation menu, select Account > Login Restrictions.
-
To only allow admins to log in to the CMA from specific IP addresses:
-
In the Login Restrictions for Cato Management Application section, in Allowed Login IPs, enter the IP address to allow.
-
Click the add icon.
The IP address is added to the Allowed Login IPs list.
-
To remove an allowed IP address, select the IP address and then click the delete icon.
-
-
(Optional) To allow admins to log in from a translated IP, select Also allow logins from the NATed IPs.
-
Click Save.
You can disable or enable admin accounts. For example, you can enable accounts that are disabled or locked.
After adding a new administrator to the Cato Management Application, an activation invitation e-mail is sent to the new administrator's email address. If the account has not yet been activated, or if there is a need to repeat the process for any reason, it is possible to resend the invitation.
You can manage the password settings for CMA admins. Configure the number of days that the admin password is valid for, and manually reset the password for an admin.
Use the Password Expiration setting in the Login Restrictions screen to define how long the CMA password is valid for, before the admin is required to change it. The password can be valid for 14 to 730 days.
This setting doesn't apply when the Password never expires option is enabled for an admin.
If an administrator is locked out of the account, use the Reset Passwords option to let them log in again.
To reset an administrator's password:
-
From the navigation menu, click Account > Administrators.
-
Select one or more administrators.
-
Click Actions and then from the drop-down menu, select Reset Password.
-
In the confirmation window, click OK.
The administrator receives an email with a link to change the password.
-
In the email, the admin can click the here link to go to the Change Password window.
If the admin receives this email, but did not initiate the request, click the It wasn't me link.
0 comments
Please sign in to leave a comment.