Netgate Discussion Forum
    Subordinate Admin rights without ability to change password of chief Admin

      A Former User

      Hi, I'm new to the forum.

      Is there a way to assign Admin rights to a secondary pfSense account, but not allow rights for changing the password of the primary pfSense admin account? Seems a simple functionality, but I can't find a way to set it up this way in the pfSense control panel.

      Much Thanks,

      Mookie

        jimp Rebel Alliance Developer Netgate

        No. If someone has access to edit users, they can edit any user.

        There are several pages that, if a user can access them, they could do whatever they want. Like they could restore a backup file with a different admin password, or change it by editing the config file directly.

        You'd have to add privileges carefully such that the user can't reach any page that could let them effectively have full access.

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

          A Former User

          Thanks Jimp.

          Is there a way to provide a user with all rights, except the ability to edit users? I don't know if that would still classify as "Admin", but that's what I'm trying to do.

            jimp Rebel Alliance Developer Netgate

            Not effectively, because of the reasons I mentioned.

            If they have access to restore a backup, they could restore a file with an altered admin password. If they can execute shell commands, they could change the config, etc.

            If you are looking to make the passwords immutable, use an external auth setup they have no rights to (LDAP, RADIUS, etc) and then they can't change passwords except for local users. They could still change the local admin, but not the one from LDAP/RADIUS.

            May not get you what you want, still, but closer perhaps.

              A Former User

              Thanks for the feedback Jimp.

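The replies above say that a few privileges (editing users, restoring a backup, editing the config file, running shell commands) each amount to full access. The following is an added example, not code from the thread or from Netgate, that audits a configuration backup for accounts holding any of them, directly or through a group. The `config.xml` layout and the privilege names are assumptions to check against the privilege list of your pfSense version, and the sample config is constructed.

```python
import xml.etree.ElementTree as ET

# Assumed pfSense privilege names that amount to full control; verify against your version.
ADMIN_EQUIVALENT = {
    "page-all": "all WebGUI pages",
    "page-system-usermanager": "edit any user",
    "page-diagnostics-backup-restore": "restore a config with a different admin password",
    "page-diagnostics-edit": "edit the config file directly",
    "page-diagnostics-command": "execute shell commands",
    "user-shell-access": "shell account access",
}

# Constructed sample in the assumed config.xml layout (not taken from a real system).
SAMPLE_CONFIG = """<pfsense><system>
  <group><name>admins</name><gid>1999</gid><member>0</member><priv>page-all</priv></group>
  <group><name>netops</name><gid>2000</gid><member>2001</member><member>2002</member>
    <priv>page-firewall-rules</priv><priv>page-diagnostics-backup-restore</priv></group>
  <user><name>admin</name><uid>0</uid></user>
  <user><name>secondadmin</name><uid>2001</uid><priv>page-dashboard-all</priv></user>
  <user><name>helpdesk</name><uid>2002</uid><disabled></disabled></user>
  <user><name>viewer</name><uid>2003</uid><priv>page-dashboard-all</priv></user>
</system></pfsense>"""

def admin_equivalent_users(config_xml):
    """Return {username: {privilege: source}} for enabled users with an admin-equivalent privilege."""
    system = ET.fromstring(config_xml).find("system")
    group_privs = {}  # uid -> {privilege: "group <name>"}
    for group in system.findall("group"):
        for member in group.findall("member"):
            for priv in group.findall("priv"):
                group_privs.setdefault(member.text, {})[priv.text] = "group " + group.findtext("name")
    findings = {}
    for user in system.findall("user"):
        if user.find("disabled") is not None:
            continue  # assumption: a <disabled> element marks an account that cannot log in
        effective = dict(group_privs.get(user.findtext("uid"), {}))
        effective.update({p.text: "direct" for p in user.findall("priv")})
        risky = {p: via for p, via in effective.items() if p in ADMIN_EQUIVALENT}
        if risky:
            findings[user.findtext("name")] = risky
    return findings

if __name__ == "__main__":
    for name, privs in admin_equivalent_users(SAMPLE_CONFIG).items():
        for priv, via in privs.items():
            print(f"{name}: {priv} ({via}) -> {ADMIN_EQUIVALENT[priv]}")
```

Any account this reports should be treated as a full administrator when deciding who may hold it, whatever group name it sits in.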
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.