shenaitejas
Participant

Admin access to only specific gateway

Hi Team,

I have two users in SmartConsole and both have read/write access. I also have 2 gateways, A and B, so is it possible to configure it so that admin 1 can change policies of only gateway A and admin 2 can change only policies of gateway B? If yes, please let me know.

Thanks in advance.


Accepted Solutions
Tal_Paz-Fridman
Employee

You'll need to assign a Permission Profile for each administrator, then attach that Profile to the relevant Policy Layer (part of the overall Policy). Here are the general steps:

1| For each Administrator define a different Read/Write Permission Profile (even if the actual settings are identical).

2| Define two Policy Packages - one for each Security Gateway

3| The Policy Package is made of the specific Policy Layers, so assign each one with the relevant Permission Profile:

Menu > Manage policies and layers > layers > Access Control > Select the Layer name belonging to the Policy > Edit > Permissions

4| Add the relevant Permission Profiles

 

The end result is two policies that can be changed only by the relevant administrator.

[Screenshot: Layer Editor]

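A way to verify the separation the accepted answer sets up, added here as an example and not code from the thread or from Check Point: log in to the Management API (web_api) as each administrator, attempt a harmless edit on every Access Control layer, discard, and confirm that only the layer of that admin's own package accepted the change. The server URL, administrator credentials and layer names are placeholders; it also assumes a self-signed management certificate.

```python
"""Probe per-gateway admin separation through the Check Point Management API.

Added example (not from the thread). Assumptions: management server at MGMT,
administrators/passwords as in ADMINS, and one Access Control layer per policy
package (names below are placeholders). A write attempt on the other admin's
layer must be rejected by the server; probe edits are always discarded.
"""
import json
import ssl
import urllib.error
import urllib.request

MGMT = "https://mgmt.example.invalid"            # placeholder management server
ADMINS = {                                        # constructed sample credentials
    "admin1": ("password-placeholder-1", "Layer_GW_A"),
    "admin2": ("password-placeholder-2", "Layer_GW_B"),
}
CTX = ssl.create_default_context()
CTX.check_hostname = False                        # assumption: self-signed mgmt cert
CTX.verify_mode = ssl.CERT_NONE


def api(cmd, body, sid=None):
    """POST one web_api command; return (http_status, decoded JSON body)."""
    headers = {"Content-Type": "application/json"}
    if sid:
        headers["X-chkp-sid"] = sid
    req = urllib.request.Request(f"{MGMT}/web_api/{cmd}",
                                 data=json.dumps(body).encode(), headers=headers)
    try:
        with urllib.request.urlopen(req, context=CTX) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:
        return err.code, json.load(err)


def probe_admin(user, password, all_layers):
    """As `user`, try to set a comment on every layer, then discard. Returns {layer: allowed}."""
    status, login = api("login", {"user": user, "password": password})
    if status != 200:
        raise RuntimeError(f"login failed for {user}: {login}")
    sid = login["sid"]
    results = {}
    for layer in all_layers:
        status, _ = api("set-access-layer", {"name": layer, "comments": "separation probe"}, sid)
        results[layer] = status == 200
    api("discard", {}, sid)                       # never publish the probe edits
    api("logout", {}, sid)
    return results


def separation_holds(own_layer, results):
    """True only if the set of writable layers is exactly the admin's own layer."""
    writable = {layer for layer, allowed in results.items() if allowed}
    return writable == {own_layer}


if __name__ == "__main__":
    layers = [layer for _, layer in ADMINS.values()]
    for user, (pw, own) in ADMINS.items():
        res = probe_admin(user, pw, layers)
        print(user, "OK" if separation_holds(own, res) else "VIOLATION", res)
```

Note that this only checks layer edits; per the later replies, viewing other packages and the separate Install Policy permission are not restricted by layer permissions.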

12 Replies
PhoneBoy
Admin

One caveat with this approach: both administrators will have access to edit the underlying objects, which can affect policies on both gateways.
For true separation of duties where each gateway has its own set of objects modifiable only by the relevant administrator, you need Multi-Domain.

jennyado
Contributor

I applied this configuration to create a Permission Profile (Profile1example) and associated it with the Access Control and Threat Prevention Layers of a Policy Package (PP_example). Is it normal for the user with Profile1example permissions to be able to see the other Policy Packages even if they don't have the Profile permission configured in the Layer Editor?

This is my question because I created a user who has Profile1example associated and can still see the other Policy Packages. I expected that they would only see PP_example and only be able to configure and edit that policy.

G_W_Albrecht
Legend

Are they able to edit the policy package or only to view it in detail?

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
jennyado
Contributor

It doesn't allow me to edit the other policies, just view them. We can see the details of the other policy packages, and I also see that clicking the "Install Policy" button displays the window to proceed with the installation. I didn't continue testing to confirm if it allows me to install the policy, but I assume it would.

PhoneBoy
Admin

As far as I know, yes, this is expected behavior.

jennyado
Contributor

Is it normal to be allowed to proceed with the installation of the other policies?

PhoneBoy
Admin

Install Policy is a separate permission:

[Screenshot: Install Policy permission in the Permission Profile]

While I haven't checked it, I assume if they have this permission, they can install ANY policy.
If you need that level of separation, you will need to use Multi-Domain.

jennyado
Contributor

So, with Multi-Domain, I can restrict a user or group of users (by associating a profile with them) from seeing only one specific policy, right? If there are, for example, three policies, they can only see and modify one of those three in this scenario.

PhoneBoy
Admin

Not exactly, as the permission profiles work exactly the same in Multi-Domain (i.e. they have the same limitations).

What you can do in Multi-Domain is put the gateways and policies in separate management domains.
This "management domain" is similar to a standalone management server, including separate objects, policies, and logs.
You can grant access to these management domains per admin as required.
You can create global objects/rules that apply across the management domains also.

the_rock
Legend

@Tal_Paz-Fridman gave you a perfect response.

shenaitejas
Participant

Thank you all. I will check it.
