Managing Administrators

The Administrators page lets you add and configure admins for the Cato Management Application (CMA) that manages your account.

Adding an Admin

There are different types of roles and permissions for CMA admins, for more information see Configuring Roles and Permissions for Admins (RBAC).

You can choose to configure these options for each admin account:

  • Password never expires

  • Admin roles and permissions

AddAdmin.png

Admin Password Options

By default, admins are required to change their passwords for the CMA every 90 days and they receive email notifications 14 days and 3 days before the password expiration date. When you enable the Password never expires option for an admin, that admin is never required to change his password.

You can use the Password Expiration setting to configure how often admins are required to change their passwords for the CMA.

Admin MFA Options

Multi-Factor Authentication (MFA) is enabled by default for new admins to provide extra security for the CMA admin that uses the Cato username and password credentials. For more about using MFA, see Configuring Authentication Settings for Administrators.

To add an admin:

  1. From the navigation menu, click Account > Administrators.

  2. Click New.

    The Create Administrator panel opens.

  3. Enter these General settings for the admin:

    • First name and Last name

    • Email - Admins use this email address as the username when logging in to the CMA

      • Select an existing admin - For Cato resellers, you can add an admin that is already configured in the CMA

        Select this option and choose the admin from the drop-down list with all the admins in the customer accounts

    • Select the permissions Role for this admin

  4. (Optional) To exclude this admin from the password expiration policy, select Password never expires.

  5. Click Apply. The admin is added to the Administrators page.

  6. Click Save. The admin is saved to the CMA and an email invitation is sent to the admin with instructions for how to activate the account.

Understanding Concurrent Admins

Note

IMPORTANT: Some policies support concurrent admins and policy revisions, for more information, see Working with Policy Revisions.

When multiple admins are logged in to the CMA at the same time (concurrently), occasionally there can be an issue if they try to configure the same setting at the same time. To manage these types of issues, the CMA shows a warning message when there is a possibility of saving a configuration which can overwrite changes that were recently made by a different admin.

This is an example of the warning message shown to concurrent admins.

  1. Admin1 is editing the New York site at the same time as Admin2 is editing the same site.

  2. Admin1 saves the changes to the site.

  3. Admin2 tries to save changes to the site.

  4. Admin2 sees a pop-up window, which states that saving the changes may overwrite the recently configured changes made by a different admin.

  5. Admin2 can choose to overwrite and save these changes, or discard the changes.

    If Admin2 discards the changes, the CMA refreshes and shows the configuration saved by Admin1 (in step 2).

Configuring the Same Entity Types in the CMA

Issues related to concurrent admins only occur when they are working on the same entity type. Otherwise, admins can make changes at the same. These are the entity types in the CMA:

  • Account settings (such as security and network settings)

  • Sites

  • SDP users

  • Groups

  • Admins

Example of Changes to Different Entity Types

Admin1 saves changes to the New York site, and then admin2 saves changes to an SDP user. The admins can successfully save the changes.

Example of Changes to the Same Entity Type

Admin1 saves changes to a firewall rule and then Admin2 saves changes to a network rule. Admin2 is shown the warning message about saving the changes or discarding them.

Setting Login Restrictions for Administrators

You can choose to restrict all administrators to log in only from specific IP addresses.

For accounts that use egress IP addresses (NATed IPs), you can allow admins to log in from these IP addresses.

For more information about login settings for admins, see Configuring Authentication Settings for Administrators.

loginrestrictions.png

To configure admin login restrictions:

  1. From the navigation menu, select Account > Login Restrictions.

  2. To only allow admins to log in to the CMA from specific IP addresses:

    1. In the Login Restrictions for Cato Management Application section, in Allowed Login IPs, enter the IP address to allow.

    2. Click the add icon.

      The IP address is added to the Allowed Login IPs list.

    3. To remove an allowed IP address, select the IP address and then click the delete icon.

  3. (Optional) To allow admins to log in from a translated IP, select Also allow logins from the NATed IPs.

  4. Click Save.

Disabling and Enabling Administrators

You can disable or enable admin accounts. For example, you can enable accounts that are disabled or locked.

To disable or enable an admin account:

  1. From the navigation menu, click Account > Administrators.

  2. Select one or more administrators.

  3. Click Actions and then from the drop-down menu, select Enable or Disable.

  4. In the confirmation window, click OK.

    The admins are enabled or disabled.

Resending Invitations to Administrators

After adding a new administrator to the Cato Management Application, an activation invitation e-mail is sent to the new administrator's email address. If the account has not yet been activated, or if there is a need to repeat the process for any reason, it is possible to resend the invitation.

To resend an invitation:

  1. From the navigation menu, click Account > Administrators.

  2. Select one or more administrators.

  3. Click Actions and then from the drop-down menu, select Resend Invitations.

  4. In the confirmation window, click OK. The invitation is resent.

Managing Administrator Passwords

You can manage the password settings for CMA admins. Configure the number of days that the admin password is valid for, and manually reset the password for an admin.

Setting the Administrator Password Expiration

Use the Password Expiration setting in the Login Restrictions screen to define how long the CMA password is valid for, before the admin is required to change it. The password can be valid for 14 to 730 days.

This setting doesn't apply when the Password never expires option is enabled for an admin.

To set the password expiration for an admin:

  1. From the navigation menu, select Account > Login Restrictions.

  2. In the Password Expiration section, enter how many days the password is valid for.

  3. Click Save.

Resetting the Administrator Password

If an administrator is locked out of the account, use the Reset Passwords option to let them log in again.

To reset an administrator's password:

  1. From the navigation menu, click Account > Administrators.

  2. Select one or more administrators.

  3. Click Actions and then from the drop-down menu, select Reset Password.

  4. In the confirmation window, click OK.

    The administrator receives an email with a link to change the password.

  5. In the email, the admin can click the here link to go to the Change Password window.

    If the admin receives this email, but did not initiate the request, click the It wasn't me link.

Deleting Administrators

To delete an admin account from the CMA:

  1. From the navigation menu, click Account > Administrators.

  2. Select one or more administrators.

  3. Click Actions, and then from the drop-down menu, select Delete Admin.

  4. In the confirmation window, click Delete.

    The selected admins are removed from the CMA.

Was this article helpful?

1 out of 1 found this helpful

0 comments