Delegating User Admin Privilege but lock the admin account completely

  • Dear PF Experts

    I have one very deep concern about user management delegation. I want to be able to delegate all the user management functions, such as add user, delete user, and change other users' passwords, to another IT person and one management guy who seems to want to conquer all the access to the firewall, risking him jeopardizing the whole firewall settings.

    I need to be able to give them that exact access, but prevent them from doing anything to the admin account and admin group. Kinda like in Linux, where you can create a user and delegate all powers to do anything on user accounts except for one account (the root)?

    I tried PF and it seems that, to be able to grant the power to add users, I have to give the power to change all passwords, including admin. This is very dangerous, as the user can change my admin password and lock me out of the system.

    I have to give this power because of internal company politics. Please help me find a solution to this. By the way, I use the internal user authentication, not an outside user authentication server like an LDAP server or RADIUS.

    Thank you