Swiftyyyy
Advisor

Permission Profiles

Hi,

We manage Infinity Portal (Harmony Endpoint) for an organization spanning multiple countries, each with their respective on-prem IT.

So far we've provided local IT with Read-Only accounts, but we would like to expand the amount of things they're able to do.
Specifically I want to grant them Read access to SmartView functionality, permit the execution of "Push Operations" and allow them to define and export installation packages.

These are all options we have in SmartConsole for On-Prem deployments of Endpoint Security. How can we replicate this permission profile to Infinity Portal?
Creating the object in SmartConsole does not have the option available in the cloud. Is this even a supported feature? (I reckon it should be).

Thank you

G_W_Albrecht
Legend

If you download the SmartConsole from Infinity Portal and connect to Infinity, are these not available?

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
Swiftyyyy
Advisor

Here are the steps I'm taking

1) Download SmartConsole from Infinity Portal & connect to infinity with our token

2) In SmartConsole open "Manage & Settings" and select "Permission Profiles",  select "New"

3) In the new window define a new permission object & publish session

4) Log onto Infinity Portal Web MGMT and under Global Settings -> Users attempt to apply the role to a user

Under "Global Roles" only "Admin" "Read-Only" and "User-Admin" appear, all of which are pre-defined and *not* the role I've defined.

G_W_Albrecht
Legend

I see, you will have to consult TAC!

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
Swiftyyyy
Advisor

I do have a request open, just tried asking on both ends at once 😁

Thanks either way.

the_rock
Legend

Can you attach the screenshot, if at all possible? I want to try to simulate this on another cloud instance I have access to, just to see if I get the same issue.

Swiftyyyy
Advisor

Sure.

[Image: SmartConsolePerms.png]

Starting with SmartConsole I create a new permission profile with the boxes I'd like checked.

I then publish the session & log onto Infinity Portal.
On Infinity Portal I navigate to "Global Settings" and "Users" where I select a User Profile & press "Edit".

[Image: WhereImEditing.png]

There I have a list of possible pre-defined roles available.

Here are the screenshots.

All of the roles listed are pre-defined, but it'd be nice to have the capability of moving SmartConsole-defined Permissions over to Infinity Cloud.
None of the Pre-Defined roles are a 100% match with what we'd like to enforce, though the Endpoint Harmony "Helpdesk" role is fairly close, albeit a bit wider in scope than what I'd want.

[Images: GlobalRoles.png, HarmonyEndpoint.png, InfinityEvents.png, InfinityPolicy.png, UserGroups.png]

 

Swiftyyyy
Advisor

Okay!

We applied the "Helpdesk" permissions set.
It's a little worse than advertised. The Exclusions the document states our IT should be able to make are greyed out, Threat Hunting is not available (Which IS available to a Read-Only account) but while they're not able to change policy, they can still push a new version of the client to everyone in the organization at once because Deployment Policy installs are apparently A-OK.

Not the best thought out permissions set, but for now it'll do. Hopefully TAC chimes in on it as well.

 

the_rock
Legend

Then I may have had a wrong understanding of how this works. I was under the impression that those profiles under global settings are there by default and can't be edited at all, whatever is there is there. The profiles you create in the actual smart dashboard are for dashboard users, NOT for the portal.checkpoint.com users... at least that's what I thought, but again, I could be wrong.

Swiftyyyy
Advisor

It does look like you're right.

I had wrongly assumed the objects in SmartConsole regarding permissions carry over to Infinity Portal; clearly they're entirely separate entities. Though that's a tad misleading given I can still browse through Infinity Portal accounts on SmartConsole, despite not being able to login with them (no SSO support).

The "Helpdesk" profile I applied was a pre-defined profile, I had nothing to do with defining that. But it appears to not follow exactly to the letter what's written in Managing Users in Harmony Endpoint (checkpoint.com) either. Not allowing Helpdesk profiles to access Threat Hunting despite Read-Only accounts having full view is strange as well in my opinion.

But it's a solution that'll have to work for us for now.

the_rock
Legend

Well, trust me, I had been wrong MANY times before, so it would not be the first or last time LOL. The only reason why I said what I said is because I had been dealing with cloud portal stuff for quite some time now, so I got to know the ins and outs of it : - )

jcortez
Employee

@Swiftyyyy @the_rock 

You are both correct, they are separate objects and cannot be managed/edited anywhere else but where they were created. Smart Console admins created from Smart Console can be edited and changed only within Smart Console. Infinity Portal Admins created from the Infinity Portal can be edited and changed only within the Infinity Portal.

 

I agree that the current permissions/templates for admins in the Infinity Portal lack details/definition and customization. If you would like to see this changed/improved upon, please contact your Check Point Sales team and put in an RFE.


Justin Cortez
Technology Leader | Endpoint Cyber Security Products | Americas Endpoint Team
the_rock
Legend

To be honest man, I never even thought about it until I read this post, haha. But, @Swiftyyyy made a good point, it would be interesting if dashboard profiles could be incorporated, it's a very interesting idea.

jcortez
Employee

Not sure if you are aware but our Smart Console packages, both for Harmony Endpoint On-Prem and Cloud/EPMaaS, have been in the process of being deprecated. It is possible sometime this year the Smart Console package/GUI will be a thing of the past.

Everything is moving web based and that will be the way of things moving forward. The ETA has been changing so not sure on that and when this will finally happen.


Justin Cortez
Technology Leader | Endpoint Cyber Security Products | Americas Endpoint Team
Swiftyyyy
Advisor

Of course, I look forward to a unified web interface.

But at present time, Infinity Portal still lacks some functionality which makes me reach for the thick client.

1) Client package upload
We've had a situation where a pre-QA client had been provided to us to deal with an issue; we were able to upload it to cloud management through SmartEndpoint.
2) Quarantined items
There's no actual list of quarantined items per-device. With SmartEndpoint you would have access to that knowledge without having to parse through logs
3) Parsing through logs
Waaaay clunkier on Infinity Portal vs. SmartConsole, why can't we use the same search syntax? Sure you're able to get more or less the same result via GUI buttons, but with how slow the cloud is at times, it'd be nice to just write a string and be done with it instead of waiting for the page to refresh with every click.
4) This thread basically
Granular permissions would be nice. With on-prem deployments we generally don't even serve that many seats where we'd need a large enough admin team to warrant anything other than full rights. With the cloud we do.

I could probably think of more things, but at this current moment in time, the feature parity just isn't there. I haven't had the chance to try Web SmartConsole for on-prem deployments yet, but from what I've heard it's not much better there.

Again, I'm looking forward to it, but it seems there's a decent way ahead to it being an upgrade vs. a slight downgrade in exchange for practicality of access.

jcortez
Employee

1) Client package upload

This will not be coming to Harmony Endpoint Cloud/EPMaaS. This is something that we have decided is easier for TAC to do for customers on this platform and not to have as a customer-facing feature. This is because all GA packages are provided automatically already, and if a customer needs an E2 client package or a CFG client package, we will have the ability from our end to upload it for the customer. However, this feature to have a client package repository for Harmony Endpoint On-Premise does exist today starting with R81.10.

 

2) Quarantine items

This will be improving this year in 2022 with predefined views/reports under the Overview Tab to better illustrate this information. There is no solid ETA just yet but it is coming this year.

 

3) Parsing through logs

Performance improvements are coming to Infinity Portal & Harmony Endpoint Cloud/EPMaaS. What you can also do is open a case with us, Endpoint TAC, and we can see what we can do to improve your experience for now.

 

4) Infinity Portal & Harmony Endpoint Web Management Portal Permissions

I know improvements are coming this year but I do not know to what extent. I will look into this and update this thread as I get updates on ETAs and details about what is coming.


Justin Cortez
Technology Leader | Endpoint Cyber Security Products | Americas Endpoint Team