Employee+

Limited Permission Profile

Can I set up a read-only user with a profile that only allows him to read logs and view his policy only? This is on an SMS, not an MDM. The purpose is to allow a limited admin the ability to be restricted to just what they control or have a business need to see. They do not see all the policies or logs, just their own at their remote location.

10 Replies

Re: Limited Permission Profile

Hello Julie,

What version do you use? On R80.x you can create a specific profile (SmartConsole > Manage & Settings > Permissions & Administrators > Permission profiles) according to your need and associate it with the user, but we can't create a read/write profile for a specific gateway or policy package.

For more details, please see: SmartConsole R80 Help.

Alisson Lima

0 Kudos
Employee+

Re: Limited Permission Profile

R80.20. That is the problem. I have customers who need the ability to create limited view admin profiles. They are too small to be an MDM shop but still need the flexibility to only allow specific users read access to specific policies and the logs associated with that policy.

0 Kudos
Vladimir
Jade

Re: Limited Permission Profile

You can grant them access to logs in unfiltered but read only mode via smartview:

https://management_ip/smartview 

by restricting their access to the management server to https only:

0 Kudos
Employee+

Re: Limited Permission Profile

That will not work; they need to only see their gateway logs and the policy also.

0 Kudos
Admin

Re: Limited Permission Profile

Since you also asked this question internally and got an answer, why not propagate the answer here? :)

In general, you can restrict the logs a given user sees in SmartView.

You cannot currently restrict read access to all policies in SmartConsole.

In order to apply a “hardcoded” filter which the user will not be able to edit (in order to restrict the ability to see logs not relevant), perform the following steps.

  • Edit a file called users.xml which exists under $RTDIR/smartview/db/domains/XXXXX
  • If you have several domains you can look at the file domain.txt under each domain folder in order to know the name of the domain
  • In the users.xml file you’ll see <user> tags
  • You can add a filter tag to the corresponding user tags which will be added to every query the user will send.
  • An Example of a filter which will display only Application Control logs of a specific user:
<filter>
    <and>
        <equals>
            <field><![CDATA[product]]></field>
            <value><![CDATA[Application Control]]></value>
        </equals>
        <equals>
            <field><![CDATA[user]]></field>
            <value><![CDATA[John Smith]]></value>
        </equals>
    </and>
</filter>

  • Restart SmartView by running the commands:
    $RTDIR/scripts/stopSmartView
    $RTDIR/scripts/startSmartView

Re: Limited Permission Profile

Hi,

I have tried to perform these changes on one user, and when I tried to connect via web SmartView I get an error after log-in

Initialization failed

error ref id:6380036B

I have also tried with the exact example of APPCTL and John Smith, and it also fails

   ........................ 
   <tabs>
      <active><![CDATA[{769F9EF8-606A-4956-A357-675E311C632A}]]></active>
      <uid><![CDATA[{769F9EF8-606A-4956-A357-675E311C632A}]]></uid>
   </tabs>
   <emailServer/>
   <_timestamp_><![CDATA[2019-03-06T15:36:12+01:00]]></_timestamp_>
   <filter>
      <field><![CDATA[origin]]></field>
      <value><![CDATA[BranchFW]]></value>
   </filter>
   </user>
</users>

I tried to find the syntax but there is no info.

How could I get this working?

Where is the error?

Thank you very much.

0 Kudos
Admin

Re: Limited Permission Profile

Try:

<filter>origin:BranchFW</filter>

Re: Limited Permission Profile

Bravo

Admin

Re: Limited Permission Profile

I assume that worked, then? :)

0 Kudos

Re: Limited Permission Profile

It Works Perfectly!!!

0 Kudos
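
An added example, not part of the original thread and not Check Point tooling: a check to run over an edited users.xml before restarting SmartView. It flags users with no filter (their log view is unrestricted) and filters written as nested elements, the form a poster above reported as failing, against the plain query form that was confirmed to work. The sample file is constructed, and users are reported by position because the thread does not show how a <user> entry names its owner.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape quoted in the thread; real files hold more per-user settings.
SAMPLE = """<users>
   <user>
      <emailServer/>
      <filter>origin:BranchFW</filter>
   </user>
   <user>
      <emailServer/>
      <filter>
         <field><![CDATA[origin]]></field>
         <value><![CDATA[BranchFW]]></value>
      </filter>
   </user>
   <user>
      <emailServer/>
   </user>
</users>"""


def lint_users_xml(text):
    """Return (position, status, filter_text) for every <user> element, in file order."""
    root = ET.fromstring(text)  # raises ParseError if the edit left the file malformed
    findings = []
    for pos, user in enumerate(root.iter("user"), start=1):
        filters = user.findall("filter")
        if not filters:
            # no hardcoded filter: this user's queries are not narrowed at all
            findings.append((pos, "unfiltered", ""))
        elif len(filters) > 1:
            findings.append((pos, "duplicate-filter", ""))
        elif len(filters[0]) > 0:
            # child elements: the form reported in the thread as "Initialization failed"
            findings.append((pos, "nested-filter", ""))
        elif not (filters[0].text or "").strip():
            findings.append((pos, "empty-filter", ""))
        else:
            # plain query text, the form confirmed working in the thread
            findings.append((pos, "ok", filters[0].text.strip()))
    return findings


if __name__ == "__main__":
    for pos, status, query in lint_users_xml(SAMPLE):
        print(f"user #{pos}: {status} {query}".rstrip())
```

Keep a copy of the original users.xml before editing so a failed login can be rolled back without rebuilding the user's settings.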