Restricting the Acces on Policy package

Biju_Nair · ‎2017-10-05

Hi,

Is it possible to restrict the access on the policy package for respective administrators.

version is R80.10

For eg: I have a four different branches and all managed by single management and there are four separate policy packages for these branches.

I do not wish that the branch1 admin to access or view the policy details of branch2.

Even each admin should view their own policy, nat, IPSEC VPN, objects etc.... they should not view any details related to other branches.

is this possible ?

PhoneBoy · ‎2017-10-05

It's possible, assuming the following:

Each branch admin does not have Super User or Read Write All permissions
You assign each branch admin into a unique permissions profile that only has access to "Edit layers by the selected profiles in a layer editor"
You assign the relevant policy layers so that the specific administrator profile has access to edit that layer

Screenshots below:

Biju_Nair · ‎2017-10-07

Is it possible to restrict the policy package itself, considering that the each branch office has their own policy package.

Biju Nair

Sr. Support Specialist – IT Networking & Security

CCSA, NSE 4, TCSE, VCE

Fakhro Electronics

Fakhro Tower, Office 701, Road 1010, Block 410

PO Box 39, Sanabis, Kingdom of Bahrain.

M: +973 38880953 T: +973 17220094 | F: +973 17228899

Email: <mailto:bijun@fakhro.com> bijun@fakhro.com | Web Site: <http://www.fe.bh/> www.fe.bh

Tomer_Sole · ‎2017-10-07

Hi, currently you an restrict admins from editing policies either:

- based on selected blades

- per-layer.

Since policy packages are composed of layers ( https://community.checkpoint.com/thread/1092 ) then this effectively limits their editing per policy.

Is this what you intended to have?

Biju_Nair · ‎2017-10-08

Basiacally, what I want to achieve is that since the management is single for 5 different locations managing 5 different gateways. I want the each respective entity should manage their own gateway and should not view other’s policy details.

I dont want the respective entity to view or edit any policy that are not related to them. In short, each entity should be able to view and edit their policy package only and should not even view or edit other entity policies.

Biju Nair

Sr. Support Specialist – IT Networking & Security

CCSA, NSE 4, TCSE, VCE

Fakhro Electronics

Fakhro Tower, Office 701, Road 1010, Block 410

PO Box 39, Sanabis, Kingdom of Bahrain.

M: +973 38880953 T: +973 17220094 | F: +973 17228899

Email: <mailto:bijun@fakhro.com> bijun@fakhro.com | Web Site: <http://www.fe.bh/> www.fe.bh

Tomer_Sole · ‎2017-10-08

Hi,

Currently the permission granularity for each administrator is to either:

- show/hide all policies

- show all policies, but only allow editing specific layers (which compose policies)

- admin will be able to see all network objects in the domain that he logs into. You can limit admins from editing all or none of the network objects.

If you wish to completely hide some policy packages from some administrators while letting them view and also edit the other policies, in R80.10 your solution can be either:

- Multi-Domain deployment which separates the policies and their associated network objects and gateways to different domains

- Build a personal editing portal, leverage the R80.10 API and facilitate specific permissions model for your teams.

These are the options for R80.10. We have roadmap plans to introduce more fine-grained permission capabilities. As always we are open for feedback on this.

Sergio_Lima1 · ‎2019-05-21

hello all

I've been added a profile to restrict users to view and specific domain on MDS, selected all that we want to available to view but, I don't want users on this profile to view any configuration applied on gateways itself. How can I limit this on profile that I've created?

Are you a member of CheckMates?

Restricting the Acces on Policy package