Managing Users, Roles and their Permissions

Avanan is hosted on the Check Point Portal, a web-based interface that hosts Check Point's security SaaS services. Therefore, administrators who have access to Avanan (or any other Check Point service) are managed globally in the Check Point Portal.

All users and user groups that are protected using Avanan (or any other Check Point solution) are managed globally in the Check Point Portal.

For more information about managing users, user groups, authentication and Single Sign-On, see Check Point Portal Administration Guide.

Roles and Permissions

Each Check Point Portal user is assigned two types of roles:

  • Global Role - Default role for every application within your Check Point Portal.

  • Specific Service Role - Roles that are specific to a service (for example, only to Avanan). These roles are an addition to the global roles and do not override them.

Note:

Only users assigned an Admin Global Role can add users, delete users and modify their permissions.

For more information about roles, see Check Point Portal Administration Guide.

Specific Service Roles

Avanan has three out-of-the-box Service Specific Roles (Admin, Help Desk and Read-Only), and administrators can create custom roles to support their company's minimal permissions policy.

For more information about modified permissions, see Modified Permissions.

Out-of-the-box Specific Service Roles:

| Role | SaaS Applications | SaaS Applications and Security Engines | Policy Rules | Custom Queries | Events, Quarantine, and Exceptions | Sensitive Data * |
| --- | --- | --- | --- | --- | --- | --- |
| Admin | View and connect or disconnect | View and configure | View and configure | View, edit, and take actions | View, edit, and take actions | Cannot view (explicit permissions required) |
| Read-Only | Cannot view | Cannot view | Cannot view | View only | View only | Cannot view (explicit permissions required) |
| Help Desk | Cannot view | Cannot view | Cannot view | View and edit (no actions) | View and take actions | Cannot view (explicit permissions required) |

Custom Service Specific Roles

Avanan allows administrators to create custom roles, so that different departments and individuals can view and perform only the actions permitted according to company policy.

Creating and Editing a Custom Role

To create a new custom role:

  1. Log in to Check Point Portal and access the Avanan Administrator Portal.

  2. Go to System Settings > Roles.

  3. Click Add New Role or select an existing role to clone it.

  4. In the Name field, enter the desired name.

  5. In the Description field, enter the description.

  6. In the Permissions section, select the required permissions. See Custom Roles - Configurable Permissions.

  7. Click Save.

To edit a custom role:

  1. Go to System Settings > Roles.

  2. Select the existing role you want to edit and click the three-dot menu.

  3. In the View Role page, modify the required fields and permissions. See Custom Roles - Configurable Permissions.

  4. Click Save.

Custom Roles - Configurable Permissions

Avanan allows you to create custom roles by defining access permissions for various interface pages and managing access to additional features such as notifications and sensitive data.

Permissions for Interface Pages

Avanan allows you to configure access levels for various interface pages while defining a custom role using the following options:

  1. Hidden - Hides the page from the user.

  2. View - Allows the user to view the page and export data, but not to take actions on events, emails, files, etc.

  3. View and Actions - Allows the user to perform any available actions in the page.

Note:

Some actions are available from multiple interface pages. For example:

  • Users can quarantine an email from both the User Interaction > Phishing Reports page and the Events page.

  • If a user has only View permission for the User Interaction > Phishing Reports page, they cannot quarantine emails from that page.

  • If a user has View and Actions permission for the Events page, they can quarantine emails from that page.

You can configure user access to the following sections in the interface:

| Interface Page | Description | Available Settings |
| --- | --- | --- |
| Overview | Access to the Overview page | Hidden, View, View and Actions |
| Events | Access to the Events page | Hidden, View, View and Actions |
| Entity Pages | Access to entity pages, including details of emails, files, attachments, messages, and users. | Hidden; View only with detections (user can view sensitive data only when the system detects a malicious entity or a DLP leak); View also without detections |
| Sensitive Data | Access to sensitive data, including email bodies, downloading emails as EML files, shared files, sent messages, and viewing strings flagged as DLP violations. | |
| Mail Explorer and Custom Queries | Access to Mail Explorer and Custom Queries | Hidden, View, View and Actions |
| User Interaction | | |
| Dashboard | Access to the Dashboard page | Hidden, View, View and Actions |
| Restore Requests | Access to the Restore Requests page | Hidden, View, View and Actions |
| Phishing Reports | Access to the Phishing Reports page | Hidden, View, View and Actions |
| Quarantined Items | Access to the Quarantined Items page | Hidden, View, View and Actions |
| Modified Attachments | Access to the Modified Attachments page | Hidden, View, View and Actions |
| Smart Banners | Access to the Smart Banners page | Hidden, View, View and Actions |
| Analytics | | |
| Dashboard | Access to the Dashboard page | Hidden, View, View and Actions |
| Partner Risk | Access to the Partner Risk page | Hidden, View, View and Actions |
| Shadow IT | Access to the Shadow IT page | Hidden, View, View and Actions |
| Security Checkup | Access to the Security Checkup page | Hidden, View, View and Actions |
| Report Scheduler | Access to the Report Scheduler page | Hidden, View, View and Actions |
| Summary Report | Access to the Summary Report page | Hidden, View, View and Actions |
| Periodic Reports | Access to the Periodic Reports page | Hidden, View, View and Actions |
| Security Training | | |
| Dashboard | Access to the Dashboard page | Hidden; View; View and export; View, export and import |
| Policy | Access to the Policy page | Hidden; View; View and export; View, export and import |
| DMARC | Access to the DMARC page | Hidden, View, View and Actions |
| Policy | Access to the Policy page | Hidden, View, View and Actions |
| Security Settings | | |
| SaaS Applications | Access to the SaaS Applications page | Hidden, View, View and Actions |
| Security Engines | Access to the Security Engines page | Hidden, View, View and Actions |
| DLP Data Types | Access to the DLP Data Types page | Hidden, View, View and Actions |
| Security Exceptions | Access to the Security Exceptions page | Hidden, View, View and Actions |
| User Interaction Settings | Access to the User Interaction Settings page | Hidden, View, View and Actions |
| System Settings | | |
| Roles | Access to the Roles page | Hidden, View, View and Actions |
| Others - all other pages under System Settings | Access to all other System Settings pages | Hidden, View, View and Actions |

Permissions for Notification Settings

Avanan allows you to configure the following settings in the Notifications section while defining a custom role:

| Permission | Description | Available Settings |
| --- | --- | --- |
| Overview | User receives notifications from the system. | Receive; Do not receive |
| Events | User receives alerts from the system. Note: Even when this role is applied, the user receives email alerts for security events only when Send alerts to admins is selected in the policy. | Receive; Do not receive |
| Checkup report | User receives scheduled Security Checkup reports. | Receive; Do not receive |

Assigning Roles to Users and Groups

Avanan allows you to assign Global Roles and Specific Service Roles, including custom roles, to individual users, custom groups, or groups from Active Directory, Entra ID, or other IDPs.

For more information, see Check Point Portal Administration Guide.

Conflicts Between Multiple Assigned Roles

Each user or user group can be assigned multiple Global Roles and multiple service-specific roles (out-of-the-box or custom).

In this case, within Avanan, the user is granted the highest level of permissions from all assigned roles.

Example 1: A user has the Read-Only global role in the Check Point Portal and is assigned the Admin role specifically for Avanan. This allows the user to be an administrator responsible for the Avanan service, while having only Read-Only access to other services.

Example 2: A user has the Admin global role in the Check Point Portal and is assigned the Read-Only role specifically for Avanan. In this case, the user gets the permissions of the Admin role in Avanan.

Example 3: A user has two custom service specific roles assigned: Custom Role 1 and Custom Role 2. If Custom Role 1 allows performing actions on the Events page and Custom Role 2 hides the Events page, the user will see and be able to perform actions on the Events page.
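
The merge rule described in this section, as an added example (not Check Point's code and not an Avanan API): a short Python sketch that computes the effective access level per page for a user holding several custom roles, and lists the restrictions that another assigned role overrides. The role contents are constructed samples, and treating a page that a role does not mention as Hidden is an assumption of the sketch.

```python
# Added example: effective access when several roles are assigned to one user.
# Level names come from the page; the role contents below are constructed samples.
LEVELS = ["Hidden", "View", "View and Actions"]  # ordered lowest to highest
RANK = {name: i for i, name in enumerate(LEVELS)}


def effective_permissions(roles):
    """Merge roles: for each page, the highest level granted by any role wins.

    `roles` maps role name -> {page: level}. A page that a role does not
    mention is treated as Hidden (assumption of this sketch).
    """
    merged = {}
    for perms in roles.values():
        for page, level in perms.items():
            if level not in RANK:
                raise ValueError(f"unknown access level: {level!r}")
            current = merged.get(page, "Hidden")
            merged[page] = level if RANK[level] > RANK[current] else current
    return merged


def overridden_restrictions(roles):
    """Return (role, page, intended, effective) tuples for every page where a
    role sets a lower level than the user actually ends up with."""
    effective = effective_permissions(roles)
    findings = []
    for role, perms in roles.items():
        for page, level in perms.items():
            if RANK[level] < RANK[effective[page]]:
                findings.append((role, page, level, effective[page]))
    return sorted(findings)


# Constructed sample modelled on Example 3 above.
SAMPLE_ROLES = {
    "Custom Role 1": {"Events": "View and Actions", "Quarantined Items": "View"},
    "Custom Role 2": {"Events": "Hidden", "Quarantined Items": "View",
                      "Roles": "Hidden"},
}

if __name__ == "__main__":
    for page, level in sorted(effective_permissions(SAMPLE_ROLES).items()):
        print(f"{page}: {level}")
    for role, page, intended, actual in overridden_restrictions(SAMPLE_ROLES):
        print(f"{role} sets {page} to {intended!r}, but the user gets {actual!r}")
```

Running this kind of check over an export of role assignments shows where a role intended to hide a page has no effect because another assigned role grants more.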

Additional Custom Roles Available for Veteran Customers

Custom Service Specific Roles were introduced in May 2025. Before May 2025, administrators could assign additional out-of-the-box service-specific roles whose sole purpose was to modify some permissions that could not be modified in any other way:

| Permission | Description |
| --- | --- |
| Modified Permissions | |
| Disable Receiving Weekly Reports | The user does not receive Security Checkup reports. |
| Receive Alerts | Sends email alerts to users assigned this role. Note: Even when this role is applied, the user receives email alerts for security events only when Send alerts to admins is selected in the policy. |
| View Sensitive Data Only if Threats Are Found | Allows the user to access sensitive data* only for emails, files, or messages flagged as containing threats. |
| View Policy | Allows the user to view policy rules but not edit them. |
| View and Edit Policy | Allows the user to view, create, and edit policy rules. |
| View All Sensitive Data | Allows the user to access all sensitive data*. |

If None Are Assigned

By default, all users, regardless of role, have these permissions:

  • No access to sensitive data

  • Do not receive alerts

  • Receive Security Checkup reports

* Sensitive data includes the email body, the ability to download an email as an EML file, shared files, sent messages, and viewing strings from emails, files, or messages flagged as DLP violations.

When the Custom Role feature was released, if any users had one of these modified permissions, the system automatically created and assigned a custom role to them. As a result, you may see the following predefined custom roles in your system, even if you didn't create them in the Roles page:

  • View Only with Detections

  • View Also Without Detections

  • Alerts

  • Checkup Reports

  • View and Edit Policy

  • View Policy

For example, if a user was assigned the Receive Alerts service-specific role prior to May 2025, an Alerts custom role was automatically created and assigned to that user.

You can remove these roles if they are unnecessary. However, ensure that other roles in your system provide the necessary permissions for all users before removing them.