This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Eugene_Brown
Participant
‎2018-06-04 01:39 AM
Jump to solution

Restrict access to specific policies

Is it possible to restrict SmartConsole administrators to only access specific policies?

I would like to be able to create read-only SmartConsole users that have access to only specific access rule policies (and NATs) in on domain.

I am using MDS R80.10

1 Solution

Accepted Solutions
Tomer_Sole
Mentor
Mentor
‎2018-06-04 09:56 PM
Jump to solution

Hi, currently with R80.10 you can limit the editing to specific access control layers.

Showing or hiding specific policies with R80.10 is a matter of all-or-nothing. If you use a Multi-Domain Management server you can restrict entire domain from administrators, but you cannot hide some of the policies and show the others in the same domain.

Hope this helps

View solution in original post

10 Replies
ED
Advisor
‎2018-06-04 04:00 AM
Jump to solution

I have not tested it but you could try following:

1. Create a new permission profile. Manage & settings > Permissions & Administrators > Permission profiles. Create a new with something like this:

Disable (remove the check mark) on most of the other settings. 

2. Create a new administrator and assign the newly created permissions profile from step 1. 

3. Open a security policy > Right click on Policy > Edit policy > Network  > Drop down menu on right > Edit layer > Permissions > Select additional profiles thatt will be able to edit this layer. Select the profile we created in step 1. 

Eugene_Brown
Participant
‎2018-06-05 12:50 AM
In response to ED
Jump to solution

Enis, your method is similar to how I tried before submitting the question. I've tried your method exactly and got further, but my new profile just shows as an option to edit (rather than view) the Access Control layer.

0 Kudos
ED
Advisor
‎2018-06-06 03:47 AM
In response to Eugene_Brown
Jump to solution

Yeah I see it now, it was a bad suggestion from me because it says with this sentence "Select additional profiles that will be able to edit this layer". It only gives you ability to edit and that is not what you want. It's like Tomer said, all or nothing Smiley Happy 

Tomer_Sole
Mentor
Mentor
‎2018-06-06 10:01 PM
In response to ED
Jump to solution

or move that to a Domain (Multi-Domain Management)

0 Kudos
Tomer_Sole
Mentor
Mentor
‎2018-06-04 09:56 PM
Jump to solution

Hi, currently with R80.10 you can limit the editing to specific access control layers.

Showing or hiding specific policies with R80.10 is a matter of all-or-nothing. If you use a Multi-Domain Management server you can restrict entire domain from administrators, but you cannot hide some of the policies and show the others in the same domain.

Hope this helps

Eugene_Brown
Participant
‎2018-06-05 12:52 AM
In response to Tomer_Sole
Jump to solution

That's what I was afraid of, but thanks for confirming. I guess we'll need a specific domain, or use another tool (i.e. Firemon) to provide read only access.

AVIAD_BITON
Explorer
‎2019-11-13 09:13 AM
In response to Tomer_Sole
Jump to solution

Hi Tomer,

Is it in your road-map to develop the option for newer versions? - it is very basic demand for customer that are not bigger enough to use Multi Domain Manager but still have some sites with IT/SEC team that they want to give them access for their specific site to allow access for their users on regular basis.

Best Regards,

Aviad

Maarten_Sjouw
Champion
Champion
‎2019-11-13 02:58 PM
In response to AVIAD_BITON
Jump to solution

For this type of setup you should be able to create a plociy with a layer per location, in the layer itself you can set permissions.
Regards, Maarten
0 Kudos
genisis__
Mentor Mentor
Mentor
‎2020-04-11 03:36 AM
In response to AVIAD_BITON
Jump to solution

I'm interested in this as well,  I would like to restrict read-only access to specific policy files. better still have the ability to add the users into a group (at a MDS level) and the assign permission profile against this group, which then in turn is assigned as read-only to a specific policy file.

 

0 Kudos
Luis_Miguel_Mig
Advisor
‎2020-11-25 08:05 AM
In response to Tomer_Sole
Jump to solution

I think the layer access control for read-only user cases is okay.  However Tomer, is there any chance to develop a bit more the layer access control for write user cases.
I mean, it would be great that the groups already included in a layer could inherit the permission from the layer and allow objects (existent or new) to be added to the group

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events