This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
shenaitejas
Participant
‎2022-10-20 02:51 AM
Jump to solution

Admin access to only specific gateway

Hi Team,

I have two user in smart console and both having read/write access.Also i have 2 gateways as A and B so is it possible to configure admin 1 can change policies of only gateway A and admin 2 can change only policies of gateway B.If yes please let me know.

Thanks in advance.

0 Kudos
1 Solution

Accepted Solutions
Tal_Paz-Fridman
Employee
Employee
‎2022-10-20 08:22 AM
Jump to solution

You'll need to to assign a Permission Profile for each administrator, then attach that Profile to the relevant Policy Layer (part of the overall Policy). Here are the general steps:

1| For each Administrator define a different Read/Write Permission Profile (even if the actual settings are identical).

2| Define two Policy Packages - one for each Security Gateway

3| The Policy Package is made of the specific Policy Layers, so assign each one with the relevant Permission Profile:

Menu > Manage policies and layers > layers > Access Control > Select the Layer name belonging to the Policy > Edit > Permissions

4| Add the relevant Permission Profiles

 

The end result is two policies that can be changed only by the relevant administrator.

 

2022-10-20 18_20_28-Layer Editor.png

View solution in original post

12 Replies
Tal_Paz-Fridman
Employee
Employee
‎2022-10-20 08:22 AM
Jump to solution

You'll need to to assign a Permission Profile for each administrator, then attach that Profile to the relevant Policy Layer (part of the overall Policy). Here are the general steps:

1| For each Administrator define a different Read/Write Permission Profile (even if the actual settings are identical).

2| Define two Policy Packages - one for each Security Gateway

3| The Policy Package is made of the specific Policy Layers, so assign each one with the relevant Permission Profile:

Menu > Manage policies and layers > layers > Access Control > Select the Layer name belonging to the Policy > Edit > Permissions

4| Add the relevant Permission Profiles

 

The end result is two policies that can be changed only by the relevant administrator.

 

2022-10-20 18_20_28-Layer Editor.png

PhoneBoy
Admin
Admin
‎2022-10-20 12:11 PM
In response to Tal_Paz-Fridman
Jump to solution

One caveat with this approach: both administrators will have access to edit the underlying objects, which can affect policies on both gateways.
For true separation of duties where each gateway has its own set of objects modifiable only by the relevant administrator, you need Multi-Domain.

0 Kudos
jennyado
Collaborator
‎2025-04-14 05:45 PM
In response to PhoneBoy
Jump to solution

I applied this configuration to create a Permission Profile (Profile1example) and associated it with the Access Control and Threat Prevention Layers of a Policy Package (PP_example). Is it normal for the user with Profile1example permissions to be able to see the other Policy Packages even if they don't have the Profile permission configured in the Layer Editor?

This is my question because I created a user who has Profile1example associated and can still see the other Policy Packages. Expectedly, they would only see PP_example and only be able to configure and edit that policy.

0 Kudos
G_W_Albrecht
Legend Legend
Legend
‎2025-04-15 02:30 AM
In response to jennyado
Jump to solution

Are they able to edit the policy package or only to view it in detail ?

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
jennyado
Collaborator
‎2025-04-15 08:29 AM
In response to G_W_Albrecht
Jump to solution

It doesn't allow me to edit the other policies, just view them. We can see the details of the other policy packages, and I also see that clicking the "Install Policy" button displays the window to proceed with the installation. I didn't continue testing to confirm if it allows me to install the policy, but I assume it would.


0 Kudos
PhoneBoy
Admin
Admin
‎2025-04-15 05:16 AM
In response to jennyado
Jump to solution

As far as I know, yes, this is expected behavior.

jennyado
Collaborator
‎2025-04-15 08:32 AM
In response to PhoneBoy
Jump to solution

Is it normal to be allowed to proceed with the installation of the other policies?

0 Kudos
PhoneBoy
Admin
Admin
‎2025-04-15 09:07 AM
In response to jennyado
Jump to solution

Install Policy is a separate permission:

image.png

While I haven't checked it, I assume if they have this permission, they can install ANY policy.
If you need that level of separation, you will need to use Multi-Domain.

jennyado
Collaborator
‎2025-04-15 09:17 AM
In response to PhoneBoy
Jump to solution

So, with Multi-Domain, I can restrict a user or group of users (by associating a profile with them) from seeing only one specific policy, right? If there are, for example, three policies, they can only see and modify one of those three in this scenario.

0 Kudos
PhoneBoy
Admin
Admin
‎2025-04-15 09:32 AM
In response to jennyado
Jump to solution

Not exactly as the permission profiles work exactly the same in Multi-Domain (i.e. they have the same limitations).

What you can do in Multi-Domain is put the gateways and policies in separate management domains.
This "management domain" is similar to a standalone management server, including separate objects, policies, and logs. 
You can grant access to these management domains per admin as required.
You can create global objects/rules that apply across the management domains also.

 

0 Kudos
the_rock
Legend
Legend
‎2022-10-20 09:40 AM
Jump to solution

@Tal_Paz-Fridman gave you perfect response.

0 Kudos
shenaitejas
Participant
‎2022-10-21 07:27 AM
Jump to solution

Thank you all..I will check it.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events