We help IT Professionals succeed at work.

Juniper ISG1000


the problem might seem easy but it's not to me:

I'm trying to administrate ISG1000 (NSMXpress) through the NSM only.

I have created some users:
Configure -> Object Manager -> UserObjects
and here I have created Admin and Superuser groups and then I have put two individual users into Superuser group

In Configure -> DeviceManager -> Devices
I have my ISG1000

My question is: how to assign access rights/priviledges to my users created in Superuser group (and differentiate them from future members of Admin group with higher rights), please?

Thank you in advance.

Kind regards,
Watch Question

Top Expert 2007



Hello, thx for the answer but I'm not sure it fits, namely:
on ISG1000 I do not have the "path" that is referenced in the solution link. What I do have is what can be seen on the ISG1000-img1
ISG1000-img1and in this way I know I can assign admin role e.g.
My problem is how to assign any access rights to the users made through Configure->ObjectManager-> UserObjects.
As can be seen on ISG1000-img2
ISG1000-img2I have made 2 groups and then I have made two users in one of the groups (Superuser).
Now, I don't know how to apply/give/assign any access right/privilege to those two users - to be differentiated (as super-users) from potential users with admin rights in other (Admin) group.

Is this the way to do such a thing at all? Or do I have missed the path/way of doing it completely?

It certainly can not be done in a way of a kind of a right-click on a user and then do something because nothing about access can be done there - see please the ISG1000-img3
ISG1000-img3What about the AccessProfiles - pls. see ISG1000-img4
ISG1000-img4and the relation with users in UserObjects?

Kind regards,
Hi Darko,

If you're configuring the ISG from NSM only, you don't need to set up any local users...

All the admins should be created in the NSM / DOMAIN area.

the DOMAIN determines access to devices, and ROLES determine what a user can do on devices within their 'Domain'.

So you can create an admin in the GLOBAL domain (the one you are using) and assign him a ROLE that you like (or create yourself).

The LOCAL users are only needed when you manage the device via CLI or WEBUI. (or for vpn or firewall authentication obviously)...

So go to the domain admin section of the NSM, not the local users on the ISG :)

Hope this helps,
Top Expert 2007
Thank you for the screenshots I understand what you wish.

The local user in Object Manager [as per NSM admin guide]:
User objects represent the users of your managed devices. You can include user objects
or groups in security policies or VPNs to permit or deny access to individuals or groups.
NSM supports two types of user objects:

Local Users—Users with accounts that are managed by your security devices. You can
create local user groups that include multiple users simplify user administration and
make policies and VPNs easier to create.

Local users created here would be used in firewall policy or VPN but not for device management.

Hope this clears what you wish to implement.

Thank you.


A lot more description and explanation would be very welcomed.
But, thank you anyway

That's exactly what i said 11.5 hours earlier with at least a mention of which admins would need.

thanks for nothing  Darko.
Top Expert 2007

You could have better deleted this question rather than grading C; if you needed more explanation you SHOULD HAVE ASKED.



Thank you ALL for your help, truly .
And please - no comments any more - I am not going to reassign points again.

Kind regards.