Ivo_Hrbacek
Contributor

permission profiles

hi, is there any progress with permission profiles?

Current needs:

1. If there is a sub-policy for a group of admins, I would like those admins to see just this policy, not all policies in read-only mode.

2. I would like to see in the profile settings the possibility to grant GUI visibility only to the security policies section (or maybe logs) but not to gateways and servers ->->

3. because in the current settings, when you disable all settings and leave the settings below, the admin can add rules but cannot modify objects; when you change Common Objects to write, the user can change settings of gateways and servers (everything - add interface, change blades etc.)

This is not so good, is there any vision how this behavior will change in future releases?  At least no.1 should be implemented asap 😛

[Screenshots: Screenshot from 2020-03-06 15-30-52.png, Screenshot from 2020-03-06 15-30-27.png]

4 Replies
PhoneBoy
Admin

With SmartTasks in R80.40, you can actually prevent certain admins from making certain changes to certain objects with specific tags.
Specifically it is blocked at the Publish stage which means the changes will not take effect.
In fact, we published an example of this yesterday!
https://community.checkpoint.com/t5/General-Management-Topics/SmartTask-Custom-Permissions/m-p/77247...
0 Kudos
Ivo_Hrbacek
Contributor

Thx, I will give it a try. Anyway, you know how it works: sometimes you really need admins to see just their own policy, not all policies in read-only mode. From a security/process/etc. perspective you need to hide all other rules from all admins with an account on mgmt, and this should be considered by R&D to bring that possibility directly into the permission profile, I think.

0 Kudos
PhoneBoy
Admin

If you really need to separate policies and objects, consider using Multi-Domain.
This will allow completely separate policies/objects for different admins managing different gateways.
0 Kudos
Ivo_Hrbacek
Contributor

Hi, I do not need to separate objects or policies on MDS level. Consider you have a customer with a few clusters and one mgmt server. On the perimeter you can have sub-policies (inlines) for, let's say, DMZ services, and we need the possibility to assign profiles to those inlines just for concrete admins, but they must see just this policy, not all the others in read-only mode. MDS is not a solution for this case: first, in a smaller infra you do not actually need it, you have perm. profiles; second, you want to have inlines defined in the parent policy, and MDS won't fix this because an inline is actually linked to the parent policy and one perimeter cluster, for example (objects can be shared or, as you mentioned, I can use SmartTasks to limit modification of classic objects - hosts/networks/groups etc.).

R&D should consider this fact, that permission profiles are missing this important possibility: to limit visibility to just the concrete policy (sub-policy aka inline) where the admin is defined. The change on GUI level should not be so complicated from a code perspective, just an if/else where you check if the admin is defined in the permission profile: if yes, he can see the policy where this permission profile is defined; if not, he cannot see this policy.

thx

ivo

0 Kudos
