Description:
You have the option to configure your LANCOM router with several administrators, each with different access rights and function rights.
This document describes how you can add additional administrators and it also explains the meaning and effect of the different access rights and function rights.


Requirements:


1) Procedure:
1.1) Open the configuration for the LANCOM router in LANconfig and switch to the menu item Management → Admin → Further administrators.
1.2) Create a new entry and enter a user name and password in the upper part of the dialog. 

You can use the button Generate password to select a password strength and then automatically generate a password corresponding to this strength. We recommend that you use the setting Maximum here. If you select User defined, you can influence the automatically generated password in the Settings pane, although for security reasons you should not change the default settings.

1.3) The rights for administrators are divided into two areas:
  • Access rights: Each administrator belongs to a certain group that has globally defined rights assigned to it.


| Name | Rights description |
|---|---|
| All | Supervisor. Is a member of all groups and has full access to the configuration of the LANCOM router. |
| Restr. and trace | Local administrator with read/write rights. Has full access to the configuration, although the following options are blocked: upload firmware onto the device; upload configuration onto the device; configuration by LANconfig. |
| Limited | Local administrator with read and write access but without trace rights. Has full access to the configuration, although the following options are blocked: upload firmware onto the device; upload configuration onto the device; configuration by LANconfig; trace output via the command line or LANmonitor. |
| Read and trace | Local administrator with read access but no write access. Can read the configuration from the command line, but cannot change any values. |
| Read only | Local administrator with read access but no write access and no trace rights. Can read the configuration from the command line, but cannot change any values or request trace output. |
| None | Has no access to the configuration. |

  • Function rights: Each administrator can be given "function rights" that determine personal access to certain functions such as the Setup Wizards.

    The function rights differ depending on the capabilities of the device (router, access point, software options, etc.).


| Name | Rights description |
|---|---|
| Basic Wizard | Setup Wizard for the basic configuration of the device may be used. |
| Internet Connection Wizard | Setup Wizard for configuring the Internet connection may be used. |
| RAS Account Wizard | Setup Wizard for setting up a dial-in account (RAS, VPN) may be used. |
| Rollout Wizard | Setup Wizard for setting up a roll-out configuration may be used. * |
| Content-Filter Wizard | Setup Wizard for setting up the Content Filter may be used. |
| Setting date and time | Setting the date and time (also applies for Telnet/SSH and TFTP) is allowed. |
| Search for other devices in the LAN | Search for other devices in local and remote networks may be performed. * |
| SSH client | Establishing an SSH / Telnet connection from your device to other LCOS devices or SSH / Telnet servers is allowed. |
| Security Settings Wizard | Setup Wizard used to check the security settings can be used. |
| LAN-LAN Wizard | Setup Wizard for connecting two local area networks (VPN) may be used. |
| WLAN Wizard | Setup Wizard for setting up the WLAN may be used. |
| Dynamic DNS Wizard | Setup Wizard for configuring dynamic DNS may be used. |
| WLAN link test | The WLAN link test can be run * (also applies to Telnet/SSH). |
| Public Spot Wizard (Public Spot configuration) | Setup Wizard for configuring a Public Spot may be used. |
| Public Spot Wizard (create account) | Setup Wizard for configuring Public Spot users/accounts may be used. * |
| Public Spot Wizard (manage users) | Setup Wizard for managing Public Spot users/accounts may be used. * |
| Public Spot XML interface | Access to the XML interface of the Public Spot module is allowed. Note: A 'normal' Public Spot administrator does not require this right. This right is intended for the implementation of complex authentication scenarios, such as when an external gateway (e.g. a machine or a program such as a Web server, script, etc.) needs to communicate with the module. |
| SMS-Transmit | Sending SMS text messages via the 3G/4G WWAN module in the device is allowed. |
| WLC Profile Wizard | Setup Wizard for setting up a WLC profile may be used. |
| VoIP Provider Wizard | Wizard for setting up access to your VoIP (All-IP) provider may be used. |

*) Unless otherwise stated, the permissions for and/or the execution of these Wizards or features relate exclusively to WEBconfig. The Wizard or feature is either only available there (e.g. setting up and managing Public Spot users) or can only be restricted there (e.g. searching for devices).


2) Configuration examples:
2.1) Permission to read out passwords:
  • To do this, at least read-only must be set as an access right. The administrator can read the configuration settings for a device in the LANconfig/WEBconfig interface and also via the command line. It is not possible to change the configuration or generate trace output.
2.2) Permission to read out the status tree:
  • To do this, read-only must be set as an access right. The administrator can read the status tree for a device in the WEBconfig interface and also via the command line. It is not possible to add, change, or delete any values.
2.3) Permission to use show commands:
  • To do this, at least read-only must be set as an access right. The one exception is the show script command, which can be run only by users with the access right All.
2.4) Permission to use an SSH client:
  • The permission for command-line access to the LANCOM router via SSH client must be set globally in the menu item Management → Admin → Access rights → From the local network / From remote networks.

2.5) Permission to create a TCP/HTTP tunnel:
  • To create a TCP/HTTP tunnel, you must have the access right All.
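
The access-rights table in step 1.3 and the examples in section 2 can be turned into a least-privilege check for an administrator inventory. The following is an added example, not LANCOM code: it models each access right as a set of capabilities taken from this page and reports accounts whose assigned right is broader or narrower than their tasks require. The capability names and the sample inventory are assumptions constructed for illustration.

```python
# Added example: capability names and the sample inventory are constructed.
FULL = {"read", "write", "trace", "firmware_upload", "config_upload",
        "lanconfig", "show_script", "tcp_http_tunnel"}

# Capabilities per access right, as described on this page.
ACCESS_RIGHTS = {
    "None": set(),
    "Read only": {"read"},
    "Read and trace": {"read", "trace"},
    "Limited": {"read", "write"},
    "Restr. and trace": {"read", "write", "trace"},
    "All": FULL,  # also required for show script and TCP/HTTP tunnels
}


def minimal_right(needed):
    """Return the narrowest access right that covers every needed capability."""
    unknown = set(needed) - FULL
    if unknown:
        raise ValueError(f"unknown capability: {sorted(unknown)}")
    candidates = [n for n, caps in ACCESS_RIGHTS.items() if set(needed) <= caps]
    return min(candidates, key=lambda n: len(ACCESS_RIGHTS[n]))


def audit(admins):
    """Report admins whose right is too narrow or broader than required."""
    findings = []
    for name, assigned, needed in admins:
        if assigned not in ACCESS_RIGHTS:
            findings.append((name, "unknown access right", assigned))
            continue
        best = minimal_right(needed)
        if not set(needed) <= ACCESS_RIGHTS[assigned]:
            findings.append((name, "insufficient", best))
        elif assigned != best:
            findings.append((name, "over-privileged", best))
    return findings


# Constructed inventory: (user name, assigned access right, capabilities needed)
SAMPLE_ADMINS = [
    ("noc-monitor", "All", {"read", "trace"}),
    ("helpdesk", "Limited", {"read", "write"}),
    ("backup-job", "Read only", {"read", "tcp_http_tunnel"}),
    ("auditor", "Restr. and trace", {"read"}),
]

if __name__ == "__main__":
    print(*audit(SAMPLE_ADMINS), sep="\n")
```

Each finding names the narrowest access right that still covers the listed tasks, which is the value to set for that administrator under Further administrators.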