Is it possible to restrict SmartConsole administrators to only access specific policies?
I would like to be able to create read-only SmartConsole users that have access to only specific access rule policies (and NATs) in one domain.
I am using MDS R80.10
Hi, currently with R80.10 you can limit the editing to specific access control layers.
Showing or hiding specific policies with R80.10 is a matter of all-or-nothing. If you use a Multi-Domain Management server you can restrict an entire domain from administrators, but you cannot hide some of the policies and show the others in the same domain.
Hope this helps
I have not tested it but you could try the following:
1. Create a new permission profile. Manage & settings > Permissions & Administrators > Permission profiles. Create a new with something like this:
Disable (remove the check mark) on most of the other settings.
2. Create a new administrator and assign the newly created permissions profile from step 1.
3. Open a security policy > Right click on Policy > Edit policy > Network > Drop down menu on right > Edit layer > Permissions > Select additional profiles that will be able to edit this layer. Select the profile we created in step 1.
Enis, your method is similar to how I tried before submitting the question. I've tried your method exactly and got further, but my new profile just shows as an option to edit (rather than view) the Access Control layer.
Yeah I see it now, it was a bad suggestion from me because it says with this sentence "Select additional profiles that will be able to edit this layer". It only gives you ability to edit and that is not what you want. It's like Tomer said, all or nothing
or move that to a Domain (Multi-Domain Management)
That's what I was afraid of, but thanks for confirming. I guess we'll need a specific domain, or use another tool (i.e. Firemon) to provide read only access.
Hi Tomer,
Is it in your road-map to develop the option for newer versions? It is a very basic demand for customers that are not big enough to use Multi Domain Manager but still have some sites with an IT/SEC team that they want to give access to their specific site, to allow access for their users on a regular basis.
Best Regards,
Aviad
I'm interested in this as well. I would like to restrict read-only access to specific policy files. Better still, have the ability to add the users into a group (at an MDS level) and then assign a permission profile against this group, which in turn is assigned as read-only to a specific policy file.
I think the layer access control for read-only user cases is okay. However, Tomer, is there any chance to develop the layer access control a bit more for write user cases?
I mean, it would be great if the groups already included in a layer could inherit the permission from the layer and allow objects (existent or new) to be added to the group.