topic Re: Admin access to only specific gateway in Firewall and Security Management

Admin access to only specific gateway

shenaitejas — Thu, 20 Oct 2022 09:51:44 GMT

Hi Team,

I have two user in smart console and both having read/write access.Also i have 2 gateways as A and B so is it possible to configure admin 1 can change policies of only gateway A and admin 2 can change only policies of gateway B.If yes please let me know.

Thanks in advance.

Re: Admin access to only specific gateway

Tal_Paz-Fridman — Thu, 20 Oct 2022 15:22:34 GMT

You'll need to to assign a Permission Profile for each administrator, then attach that Profile to the relevant Policy Layer (part of the overall Policy). Here are the general steps:

1| For each Administrator define a different Read/Write Permission Profile (even if the actual settings are identical).

2| Define two Policy Packages - one for each Security Gateway

3| The Policy Package is made of the specific Policy Layers, so assign each one with the relevant Permission Profile:

Menu > Manage policies and layers > layers > Access Control > Select the Layer name belonging to the Policy > Edit > Permissions

4| Add the relevant Permission Profiles

The end result is two policies that can be changed only by the relevant administrator.

Re: Admin access to only specific gateway

the_rock — Thu, 20 Oct 2022 16:40:57 GMT

@Tal_Paz-Fridman gave you perfect response.

Re: Admin access to only specific gateway

PhoneBoy — Thu, 20 Oct 2022 19:11:48 GMT

One caveat with this approach: both administrators will have access to edit the underlying objects, which can affect policies on both gateways.
For true separation of duties where each gateway has its own set of objects modifiable only by the relevant administrator, you need Multi-Domain.

Re: Admin access to only specific gateway

shenaitejas — Fri, 21 Oct 2022 14:27:47 GMT

Thank you all..I will check it.

Re: Admin access to only specific gateway

jennyado — Tue, 15 Apr 2025 00:45:03 GMT

I applied this configuration to create a Permission Profile (Profile1example) and associated it with the Access Control and Threat Prevention Layers of a Policy Package (PP_example). Is it normal for the user with Profile1example permissions to be able to see the other Policy Packages even if they don't have the Profile permission configured in the Layer Editor?

This is my question because I created a user who has Profile1example associated and can still see the other Policy Packages. Expectedly, they would only see PP_example and only be able to configure and edit that policy.

Re: Admin access to only specific gateway

G_W_Albrecht — Tue, 15 Apr 2025 09:30:34 GMT

Are they able to edit the policy package or only to view it in detail ?

Re: Admin access to only specific gateway

PhoneBoy — Tue, 15 Apr 2025 12:16:25 GMT

As far as I know, yes, this is expected behavior.

Re: Admin access to only specific gateway

jennyado — Tue, 15 Apr 2025 15:37:02 GMT

It doesn't allow me to edit the other policies, just view them. We can see the details of the other policy packages, and I also see that clicking the "Install Policy" button displays the window to proceed with the installation. I didn't continue testing to confirm if it allows me to install the policy, but I assume it would.

Re: Admin access to only specific gateway

jennyado — Tue, 15 Apr 2025 15:32:24 GMT

Is it normal to be allowed to proceed with the installation of the other policies?

Re: Admin access to only specific gateway

PhoneBoy — Tue, 15 Apr 2025 16:07:03 GMT

Install Policy is a separate permission:

While I haven't checked it, I assume if they have this permission, they can install ANY policy.
If you need that level of separation, you will need to use Multi-Domain.

Re: Admin access to only specific gateway

jennyado — Tue, 15 Apr 2025 16:17:55 GMT

So, with Multi-Domain, I can restrict a user or group of users (by associating a profile with them) from seeing only one specific policy, right? If there are, for example, three policies, they can only see and modify one of those three in this scenario.

Re: Admin access to only specific gateway

PhoneBoy — Tue, 15 Apr 2025 16:32:31 GMT

Not exactly as the permission profiles work exactly the same in Multi-Domain (i.e. they have the same limitations).

What you can do in Multi-Domain is put the gateways and policies in separate management domains.
This "management domain" is similar to a standalone management server, including separate objects, policies, and logs.
You can grant access to these management domains per admin as required.
You can create global objects/rules that apply across the management domains also.