Well, the nsroot account does have full privileges, and should not be given to anyone. There is a way to provide your Netscaler administrators different access types to the management interface.
On this post we’ll cover the use of “Radius” or “LDAP” authentication for this matter. The scenario is basically the same, regardless on which authentication method you chose.

Start by creating an authentication server (LDAP or Radius)
Note! x.x.x.x is the IP to your Domain Controller or Contentswitch IP where you hide your domain controllers behind

add authentication ldapAction Admin_Auth_Action -serverIP x.x.x.x -ldapBase “dc=envokeit,dc=com” -ldapBindDn sa-ldap@envokeit.com -ldapBindDnPassword hdhh44hh54b33 -encrypted -ldapLoginName samAccountName -groupAttrName memberOf -subAttributeName CN -ssoNameAttribute samAccountName

Create an authentication policy (using a custom rule or simply use “ns_true“) and link it to the server you just created

add authentication ldapPolicy Admin_Auth_Policy ns_true Admin_Auth_Action

Next, you need to configure a system group (LDAP group) that your administrators are members of, and assign the appropriate command policy level (there are 9 levels on Netscaler 11). In this case we will be using the “Superuser” privileges

add system group Netscaler_Admin_Group -promptString Administrators -timeout 1800

bind system group Netscaler_Admin_Group -policyName superuser 10

Finally, you need to bind your new authentication policy globally

bind system global Admin_Auth_Policy -priority 10