Restrict access to specific policies
Is it possible to restrict SmartConsole administrators to only access specific policies?
I would like to be able to create read-only SmartConsole users that have access to only specific access rule policies (and NATs) in one domain.
I am using MDS R80.10.
Accepted Solutions
Hi, currently with R80.10 you can limit the editing to specific access control layers.
Showing or hiding specific policies with R80.10 is a matter of all-or-nothing. If you use a Multi-Domain Management server you can restrict entire domain from administrators, but you cannot hide some of the policies and show the others in the same domain.
Hope this helps
I have not tested it but you could try following:
1. Create a new permission profile. Manage & settings > Permissions & Administrators > Permission profiles. Create a new with something like this:
Disable (remove the check mark) on most of the other settings.
2. Create a new administrator and assign the newly created permissions profile from step 1.
3. Open a security policy > Right click on Policy > Edit policy > Network > Drop down menu on right > Edit layer > Permissions > Select additional profiles that will be able to edit this layer. Select the profile we created in step 1.
Enis, your method is similar to how I tried before submitting the question. I've tried your method exactly and got further, but my new profile just shows as an option to edit (rather than view) the Access Control layer.
Yeah, I see it now. It was a bad suggestion from me because it says with this sentence "Select additional profiles that will be able to edit this layer". It only gives you the ability to edit and that is not what you want. It's like Tomer said, all or nothing.
or move that to a Domain (Multi-Domain Management)
That's what I was afraid of, but thanks for confirming. I guess we'll need a specific domain, or use another tool (i.e. Firemon) to provide read only access.
Hi Tomer,
Is it in your roadmap to develop the option for newer versions? It is a very basic demand for customers that are not big enough to use Multi Domain Manager but still have some sites with an IT/SEC team that they want to give access to their specific site, to allow access for their users on a regular basis.
Best Regards,
Aviad
I'm interested in this as well. I would like to restrict read-only access to specific policy files. Better still, have the ability to add the users into a group (at an MDS level) and then assign a permission profile against this group, which then in turn is assigned as read-only to a specific policy file.
I think the layer access control for read-only user cases is okay. However, Tomer, is there any chance to develop the layer access control a bit more for write user cases?
I mean, it would be great if the groups already included in a layer could inherit the permission from the layer and allow objects (existent or new) to be added to the group.
