This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Julie_Paul
Employee
Employee
‎2019-02-12 08:39 AM

Limited Permission Profile

Can I setup a read only user with a profile that only allows him to read logs and view his policy only?  This is on a SMS not an MDM.  The purpose is to allow a limited admin the ability to be restricted to just what they control or have a business need to see.  They do not see all the policies or logs, just their own at their remote location.  

19 Replies
Alisson_Lima
Contributor
‎2019-02-12 02:27 PM

Hello Julie,

What's the version do you use? On R80.x you can create a specific profile (SmartConsole > Manage & Settings > Permissions & Administrators > Permission profiles) according to you need and associate with the user, but we can't create a profile read/write for a specific gateway or policy package.

For more details, please see: SmartConsole R80 Help .

Alisson Lima

Julie_Paul
Employee
Employee
‎2019-02-12 02:54 PM

R80.20 That is the problem.  I have customers who need the ability to create limited view admin profiles.  They are too small to be an MDM shop but still need the flexibility to only allow specific users read access to specific policies and the logs associated to that policy.

0 Kudos
Vladimir
Champion
Champion
‎2019-02-12 09:52 PM
In response to Julie_Paul

You can grant them access to logs in unfiltered but read only mode via smartview:

https://management_ip/smartview 

by restricting their access to the management server to https only:

Julie_Paul
Employee
Employee
‎2019-02-13 05:28 AM
In response to Vladimir

That will not work, they  need to only see their gateway logs and the policy also.

0 Kudos
PhoneBoy
Admin
Admin
‎2019-02-15 04:42 PM

Since you also asked this question internally and got an answer, why not propagate the answer here Smiley Happy

In general, you can restrict the logs a given user sees in SmartView.

You cannot currently restrict read access to all policies in SmartConsole.

In order to apply a “hardcoded” filter which the user will not be able to edit (in order to restrict the ability to see logs not relevant), perform the following steps.

  • Edit a file called users.xml which exists under $RTDIR/smartview/db/domains/XXXXX
  • If you have several domains you can look at the file domain.txt under each domain folder in order to know the name of the domain
  • In the users.xml file you’ll see <user> tags
  • You can add a filter tag to the corresponding user tags which will be added to every query the user will send.
  • An Example of a filter which will display only Application Control logs of a specific user:
<filter>
    <and>
        <equals>
            <field><![CDATA[product]]></field>
            <value><![CDATA[Application Control]]></value>
        </equals>
        <equals>
            <field><![CDATA[user]]></field>
            <value><![CDATA[John Smith]]></value>
        </equals>
    </and>
</filter>

  • Restart SmartView by running the commands:
    $RTDIR/scripts/stopSmartView
    $RTDIR/scripts/startSmartView
Aitor_Carazo
Contributor
‎2019-03-06 07:18 AM
In response to PhoneBoy

Hi,

I have tried to perform this changes on one user and when i tried to connect via web Smartview i get an error after log-in

Initialization failed

error ref id:6380036B

I also have tried with the exact example of APPCTL and Jhon Smith and also fails

   ........................ 
   <tabs>
       <active><![CDATA[{769F9EF8-606A-4956-A357-675E311C632A}]]></active>
       <uid><![CDATA[{769F9EF8-606A-4956-A357-675E311C632A}]]></uid>
    </tabs>
    <emailServer/>
    <_timestamp_><![CDATA[2019-03-06T15:36:12+01:00]]></_timestamp_>
    <filter>
       <field><![CDATA[origin]]></field>
       <value><![CDATA[BranchFW]]></value>
    </filter>
    </user>
</users>

I tried to find the syntax but there is no info. 

How could i get this working?

Where is the error?

Thank you very much.

PhoneBoy
Admin
Admin
‎2019-03-06 06:40 PM
In response to Aitor_Carazo

Try:

<filter>origin:BranchFW</filter>

Aitor_Carazo
Contributor
‎2019-03-08 01:31 AM
In response to PhoneBoy

Bravo

PhoneBoy
Admin
Admin
‎2019-03-08 07:03 AM
In response to Aitor_Carazo

I assume that worked, then? Smiley Happy

0 Kudos
Aitor_Carazo
Contributor
‎2019-03-20 03:20 AM
In response to PhoneBoy

It Works Perfectly!!!

0 Kudos
steve_warren
Explorer
‎2019-12-10 05:14 PM
In response to PhoneBoy

I have been searching for this solution months now.

I would love a sample config of the users.xml file to restrict a user to only be able to view logs generated from a specific gateway.
0 Kudos
Dror_Aharony
Employee
Employee
‎2019-12-15 06:49 AM
In response to steve_warren

Insert the filter line to the right users.xml file like this:

in $RTDIR/smartview/db/domains/<relevant_domain_id>/users.xml

 

<owner><![CDATA[admin]]></owner>
<isNewlyCreated><![CDATA[true]]></isNewlyCreated>
<username><![CDATA[admin]]></username>
<locale><![CDATA[en-US]]></locale>
<filter><![CDATA[orig:<GW_Name/IP>]]></filter>
<firstDayOfWeek><![CDATA[2]]></firstDayOfWeek>
<theme><![CDATA[default]]></theme>

 

Restart Smartview:

$RTDIR/scripts/stopSmartView; $RTDIR/scripts/startSmartView

 

Scipion
Contributor
‎2020-01-27 02:35 AM
In response to Dror_Aharony

And if I need to add more than one gateway for the user?

0 Kudos
Dror_Aharony
Employee
Employee
‎2020-01-27 02:38 AM
In response to Scipion

Simply add an OR.

<filter><![CDATA[orig:<GW_Name/IP> OR orig:<GW2>]]></filter>

Scipion
Contributor
‎2020-01-27 02:45 AM
In response to Dror_Aharony

Thank you!

0 Kudos
Hrvoje_Brlek
Contributor
‎2020-02-19 12:35 AM
In response to PhoneBoy

Hi, I am also trying to limit the visible data to the user. The filter <filter><![CDATA[orig:<GW_Name/IP>]]></filter> works fine, but I have a different kind of problem.

We are using MDS, and when the user connects to SmartViev he can choose between the global domain (MDS) and a specific domain. If he chooses the specific domain the filter works fine. If he chooses the global domain (MDS) the filter does not apply, he can see all the logs 😐

Can I restrict the user access not to be able to connect to the global domain (MDS) thorugh SmartView at all, or to filter the view on MDS?
In the SmartConsole on the MDS I have restricted the user permission to view the logs only and to be able to see only one domain (the other domains aren't visible), but the option of viewing logs on the global domain (MDS) is always available through SmartView.

Thanks!

0 Kudos
Amir_Senn
Employee
Employee
‎2020-02-19 12:57 AM
In response to Hrvoje_Brlek

You can try either of the following:

1, You can remove the global domain from his administrator all together from and he won't be able to connect to MDS level at all.

2. You can assign him a permission profile to the global domain that doesn't have log permission. Go to Permission profile -> Monitoring and Logging and remove the permission for traffic logs and management logs.

3. You can change the admin type to a "Domain Level Only". This kind of profile can't connect to global level.

Kind regards, Amir Senn
0 Kudos
Hrvoje_Brlek
Contributor
‎2020-02-19 02:16 AM
In response to Amir_Senn

Hi, I am testing and this is what I get. Just to clarify I am talking about SmartView browser viewing, not the SmartConsole access. The user is local, and we are using R80.30.

3. It was already configured as domain-level only, but can still connect to MDS on SmartView (with all logs visible). 

image.png

 

2. The multi-domain permission is obligatory on the user profile. This is how it was set, and it doesn't work. Still all the logs are visible through MDS on SMartView.

Multi-domain:

image.png

Read-only NO access:

image.png

Read only Log:

image.png

 

User profile:

image.png

 

1. Can you please elaborate this one, or how to set it up?

0 Kudos
Amir_Senn
Employee
Employee
‎2020-02-19 04:26 AM
In response to Hrvoje_Brlek

1. On the last picture you added, there's a "All Global Domains" item on the domains list. The intention was to remove it by selecting it and clicking on the X above.

I want to elaborate on something, at least from logs perspective. Everything you see on SmartConsole should be identical to what you see on the SmartView webapp. There should be no difference whatsoever. If there is a difference there's an issue here.

First thing I suggest you should do is to check if you have some sort of access roles. Perhaps it signs in with an access role and not the CP admin you created for him.

If it's not related then this is an issue. I would suggest installing latest jumbo hotfix to see if this solves this.

If the issue continues, I suggest opening ticket for TAC support.

Kind regards, Amir Senn
0 Kudos