This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Hllrdm
Contributor
‎2023-07-12 05:32 AM
Jump to solution

Blocking rule editing

We need to restrict the editing of all rules from a certain section tittle for other administrators, and that they can only be edited by admin. Is it possible to do this in Check Point?

0 Kudos
1 Solution

Accepted Solutions
Tal_Paz-Fridman
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP
‎2023-07-12 05:53 AM
Jump to solution

Granting permission for a specific section of the rulebase is not feasible. However, you can explore the following alternatives:

  1. Implement Ordered Layers and assign distinct Permission Profiles to each layer.

  2. Transition to Multi-Domain Security Management, which allows you to utilize a Global Domain for a particular policy segment, while the Domain level administrator handles the remaining sections.

View solution in original post

0 Kudos
10 Replies
the_rock
MVP Diamond
MVP Diamond
‎2023-07-12 05:45 AM
Jump to solution

If you can send a screenshot and circle what you want to di, I can test it in my lab.

Andy

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
Hllrdm
Contributor
‎2023-07-12 05:50 AM
In response to the_rock
Jump to solution

Tittles.jpg

 

For example, administrators other than Administator cannot edit 1-13 rules

0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2023-07-12 05:54 AM
In response to Hllrdm
Jump to solution

I have an hour before my next call, so stand by, let me see if this is possible.

Cheers,

Andy

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
Tal_Paz-Fridman
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP
‎2023-07-12 05:53 AM
Jump to solution

Granting permission for a specific section of the rulebase is not feasible. However, you can explore the following alternatives:

  1. Implement Ordered Layers and assign distinct Permission Profiles to each layer.

  2. Transition to Multi-Domain Security Management, which allows you to utilize a Global Domain for a particular policy segment, while the Domain level administrator handles the remaining sections.

0 Kudos
Hllrdm
Contributor
‎2023-07-12 05:56 AM
In response to Tal_Paz-Fridman
Jump to solution

  1. Implement Ordered Layers and assign distinct Permission Profiles to each layer.

Could you describe this process in more detail?

0 Kudos
Hllrdm
Contributor
‎2023-07-12 05:58 AM
In response to Tal_Paz-Fridman
Jump to solution

Thank you I have figured out the technology in question.

0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2023-07-12 06:00 AM
In response to Hllrdm
Jump to solution

I think what @Tal_Paz-Fridman said makes sense. I looked for any setting related to being able to possible prevent given admin from modifying regular rule(s), but it does not appear to exist anywhere.

Its definitely good candidate for RFE, in my view.

Andy

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
Hllrdm
Contributor
‎2023-07-12 06:01 AM
In response to the_rock
Jump to solution

Yeah, that's what I thought, too. MDS implementation is quite difficult in terms of time, while layers implementation is simple. We will try this option, thanks

0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2023-07-12 06:04 AM
In response to Hllrdm
Jump to solution

Im fairly sure this is what @Tal_Paz-Fridman was referring to.

Andy

 

Screenshot_1.png

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
PhoneBoy
Admin
Admin
‎2023-07-13 03:15 PM
Jump to solution

Directly, no.
However, through use of a SmartTask like https://community.checkpoint.com/t5/Management/SmartTask-Custom-Permissions/m-p/77247#M11281, it should be possible.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events