Eugene_Brown
Participant

Restrict access to specific policies

Is it possible to restrict SmartConsole administrators to only access specific policies?

I would like to be able to create read-only SmartConsole users that have access to only specific access rule policies (and NATs) in one domain.

I am using MDS R80.10


Accepted Solutions
Tomer_Sole
Mentor

Hi, currently with R80.10 you can limit the editing to specific access control layers.

Showing or hiding specific policies with R80.10 is a matter of all-or-nothing. If you use a Multi-Domain Management server you can restrict an entire domain from administrators, but you cannot hide some of the policies and show the others in the same domain.

Hope this helps


10 Replies
ED
Advisor

I have not tested it, but you could try the following:

1. Create a new permission profile. Manage & settings > Permissions & Administrators > Permission profiles. Create a new one with something like this:

Disable (remove the check mark) on most of the other settings.

2. Create a new administrator and assign the newly created permissions profile from step 1.

3. Open a security policy > Right click on Policy > Edit policy > Network > Drop down menu on right > Edit layer > Permissions > Select additional profiles that will be able to edit this layer. Select the profile we created in step 1.

Eugene_Brown
Participant

Enis, your method is similar to how I tried before submitting the question. I've tried your method exactly and got further, but my new profile just shows as an option to edit (rather than view) the Access Control layer.

ED
Advisor

Yeah I see it now, it was a bad suggestion from me because it says with this sentence "Select additional profiles that will be able to edit this layer". It only gives you ability to edit and that is not what you want. It's like Tomer said, all or nothing :)

Tomer_Sole
Mentor

or move that to a Domain (Multi-Domain Management)

Eugene_Brown
Participant

That's what I was afraid of, but thanks for confirming. I guess we'll need a specific domain, or use another tool (i.e. Firemon) to provide read only access.

AVIAD_BITON
Explorer

Hi Tomer,

Is it in your road-map to develop the option for newer versions? It is a very basic demand for customers that are not big enough to use Multi Domain Manager but still have some sites with an IT/SEC team that they want to give access to their specific site, to allow access for their users on a regular basis.

Best Regards,

Aviad

Maarten_Sjouw
Champion
For this type of setup you should be able to create a policy with a layer per location; in the layer itself you can set permissions.
Regards, Maarten
genisis__
Leader

I'm interested in this as well. I would like to restrict read-only access to specific policy files. Better still, have the ability to add the users into a group (at an MDS level) and then assign a permission profile against this group, which then in turn is assigned as read-only to a specific policy file.
Luis_Miguel_Mig
Advisor

I think the layer access control for read-only user cases is okay. However, Tomer, is there any chance to develop a bit more the layer access control for write user cases?
I mean, it would be great if the groups already included in a layer could inherit the permission from the layer and allow objects (existing or new) to be added to the group.
