Explorer

Permission to only manage reports for a certain security gateway / cluster

Hi community,

Is there a way to achieve the following:

Grant certain users access to only read and create new reports for a certain security gateway / cluster?

Important: Identities/users must not be hidden in the reports.

We have just a Security Management Server (R80.30) and a SmartEvent Server in use (not a Multi-Domain Management).

I couldn't find any post related to that topic.

I really appreciate your help!

Thanks in advance!

Best Regards

Nenad

6 Replies

Employee++

Not easily possible. We're trying to push for such an admin/permission GUI feature fix.

Via CLI it is possible:

Create a user & log in with it: SmartView tabs > Logs > New tab > Views > Create a new view (clone a view if needed).

Then edit it like this:

Insert the filter line into the right users.xml file, in the relevant user's section:

Back up the file: cp $RTDIR/smartview/db/domains/<relevant_domain_id>/users.xml{,.Orig};

Edit it: vim $RTDIR/smartview/db/domains/<relevant_domain_id>/users.xml

<owner><![CDATA[nenad]]></owner>
<isNewlyCreated><![CDATA[true]]></isNewlyCreated>
<username><![CDATA[nenad]]></username>
<locale><![CDATA[en-US]]></locale>
<filter><![CDATA[orig:<GW_Name/IP>]]></filter>
<firstDayOfWeek><![CDATA[2]]></firstDayOfWeek>
<theme><![CDATA[default]]></theme>

Restart Smartview: 

$RTDIR/scripts/stopSmartView; $RTDIR/scripts/startSmartView

See it here as well: https://community.checkpoint.com/t5/Logging-and-Reporting/Limited-Permission-Profile/m-p/75671#M4422

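The users.xml step from the reply above, as an added shell example (not Dror_Aharony's or Check Point's own code): it keeps the .Orig backup, inserts the <filter> element only into the named user's section, and refuses to run twice on the same user. It assumes each user's settings sit inside a <user> block and works on a constructed sample file; a real run would target the users.xml path quoted above and then restart SmartView.

```bash
# Added example, not from the thread. Element names are the ones quoted in
# the reply; the enclosing <user> blocks and the sample file are assumptions.
set -e

# Write a constructed two-user users.xml to $1 (demo input only).
make_sample_users_xml() {
    cat > "$1" <<'EOF'
<users>
<user>
<owner><![CDATA[admin]]></owner>
<username><![CDATA[admin]]></username>
</user>
<user>
<owner><![CDATA[nenad]]></owner>
<username><![CDATA[nenad]]></username>
<locale><![CDATA[en-US]]></locale>
</user>
</users>
EOF
}
# add_smartview_filter FILE USERNAME FILTER
# Backs FILE up to FILE.Orig (as in the thread), then inserts
# <filter><![CDATA[FILTER]]></filter> right after that user's <username>
# line. Returns 2 if the user is absent, 3 (file untouched) if the user's
# section already carries a filter, so a re-run never stacks two filters.
add_smartview_filter() {
    file=$1 user=$2 filt=$3
    uline="<username><![CDATA[$user]]></username>"
    grep -qF -- "$uline" "$file" || return 2
    [ -e "$file.Orig" ] || cp "$file" "$file.Orig"
    awk -v uline="$uline" -v fline="<filter><![CDATA[$filt]]></filter>" '
        /^<user>$/   { inb = 1; n = 0; hit = 0; has = 0 }   # new user section
        !inb         { print; next }                         # outside sections
        { buf[++n] = $0 }
        $0 == uline  { hit = 1 }
        /<filter>/   { has = 1 }
        /^<\/user>$/ {                                       # flush the section
            if (hit && has) exit 3
            for (i = 1; i <= n; i++) { print buf[i]; if (hit && buf[i] == uline) print fline }
            inb = 0
        }' "$file" > "$file.tmp" || { rm -f "$file.tmp"; return 3; }
    mv "$file.tmp" "$file"
}

# Demo on the constructed file (real path: $RTDIR/smartview/db/domains/<domain_id>/users.xml).
demo=$(mktemp -d)
make_sample_users_xml "$demo/users.xml"
add_smartview_filter "$demo/users.xml" nenad 'orig:192.0.2.10'
diff "$demo/users.xml.Orig" "$demo/users.xml" || true
```

After editing the real file, restart SmartView as the reply describes so the filter is picked up.
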
Explorer

@Dror_Aharony Thanks very much for your reply.

Just a question about the procedure.

I assume that I can create the new user via GUI (SmartConsole)?

If yes, which Permission Profile do I need to assign to the newly created user?
As I only want the user to be able to read / create reports (and the identities in the reports not to be hidden) and nothing else.

Thanks again for a short reply!

Best Regards

Nenad

Admin

The above only applies to SmartView and doesn't require a specific permission profile.
It applies a hidden filter to the user's queries that cannot be overridden.

Explorer

Thanks for your feedback! I really appreciate all of your help.

In general, limiting the user's access to logs and reports to a certain Security Gateway with the filter line in users.xml works fine.

But unfortunately the user cannot see the identities in the logs and reports, only the hidden identities (******). And this is one of the requirements.

Is there a certain permission in the Permission Profile that needs to be activated or adjusted?

(Screenshot attached: 2020-05-15 12_34_04-Clipboard.png)

And if I create a customized Permission Profile with almost no permissions, the user cannot see logs or create reports.

Thanks for your help again.

Best Regards

Nenad

Employee++

Make sure to have all/most 'Monitoring and Logging' permissions checked, especially the 'Identities' & 'Show Identities by default' & 'DLP Confidential fields' too.

(See pic.)

Hope that solves everything.

Explorer

Thanks again for all your help!

Finally, I managed to allow a certain user access only to Logs and Reports for a specific Security Gateway / cluster via SmartView, with identities shown, as follows:

Create a Permission Profile with only access to Logs and Reports (all options ticked for "Monitoring and Logging" & "Events and Reports") (see pic below).

(Screenshots attached: 2020-05-19 16_10_54-Profile.png, 2020-05-19 16_08_25-Profile.png)

Create a user with the Permission Profile created before.

Then limit the user's access to the specific Security Gateway by modifying users.xml as described by @Dror_Aharony.

At the beginning of my tests I had a strange issue: I created a new user and played around with the assigned customized Permission Profile. For whatever reason, I couldn't get the identities shown in the Logs and Reports for that user. Even when I assigned this user the "Read Write All" or "Super User" Permission Profile, this test user had the identities only hidden (******) in the Logs and Reports.

Maybe I did something wrong with the order of creating/adjusting the Permission Profile or limiting user access via users.xml. But anyway, it should have worked when assigning e.g. the "Super User" Permission Profile. So it seems to be some kind of bug.

Maybe that will help someone who faces the same issue.

Best Regards

Nenad
