Managing Users, Roles and their Permissions
Harmony Email & Collaboration is hosted on the Infinity Portal, a web-based interface that hosts Check Point's security SaaS services. Therefore, all administrators with access to Harmony Email & Collaboration are managed globally in the Infinity Portal.
For more information about managing users, user groups, authentication and Single Sign-On, see the Infinity Portal Administration Guide.
Roles and Permissions
Each Infinity Portal user is assigned two types of roles:
- Global Role – Default role for every application in the Infinity Portal.
- Specific Service Role – Roles that are specific to a service. These roles are an addition to the global roles and do not override them.
Note - Only users assigned an Admin Global Role can add users, delete users, and modify their permissions.
For more information about roles, see the Infinity Portal Administration Guide.
Specific Service Roles
Harmony Email & Collaboration supports Specific Service Roles. These roles are an addition to the Global Role and apply only to the specific service, on top of the Global Role.
Harmony Email & Collaboration supports two types of Specific Service Roles:
- Base roles
- Modified Permissions
Available Specific Service Roles:
| Role | SaaS Applications | SaaS Applications and Security Engines | Policy Rules | Custom Queries | Events, Quarantine, and Exceptions | Sensitive Data * |
|---|---|---|---|---|---|---|
| Base Roles | | | | | | |
| Admin | View and connect or disconnect | View and configure | View and configure | View, edit, and take actions | View, edit, and take actions | Can't view (explicit permissions required) |
| Read-Only | Cannot view | Cannot view | Cannot view | View-Only | View-Only | Can't view (explicit permissions required) |
| Help Desk | Cannot view | Cannot view | Cannot view | View and edit (no actions) | View and take actions | Can't view (explicit permissions required) |
| Disable Receiving Weekly Reports | The user will not receive Security Checkup reports. | | | | | |
| Receive Alerts | Sends email alerts to users with this role. | | | | | |
| View Sensitive Data only if Threats are Found | Allows the user to access the sensitive data* only for emails/files/messages flagged as containing threats. | | | | | |
| View Policy | Allows the user to view the policy rules but not edit them. | | | | | |
| View and Edit Policy | Allows the user to view, create and edit the policy rules. | | | | | |
| View All Sensitive Data | Allows the user to access sensitive data*. | | | | | |
| If None are Assigned | By default, all users, regardless of role, have these permissions: | | | | | |

* Sensitive data includes email body, ability to download email as an EML file, ability to download shared files and sent messages, and viewing strings from emails/files/messages caught as DLP violations.
To assign Specific Service Roles to a user:
- Click > Users.
- If the user is available in the Infinity Portal, select the user and click Edit.
- If you want to add a new user and assign the roles, click New. For more details, see Infinity Portal Administration Guide.
- Click Specific Service Roles and add the required permissions.
- Click Save.
Conflicts Between Specific Service Roles and Global Roles
Harmony Email & Collaboration supports Specific Service Roles. These roles are an addition to the Global Role and apply only to the specific service, on top of the Global Role.
Example 1: A user has the Read-Only global role in the Infinity Portal and is assigned the Admin role specifically for Harmony Email & Collaboration. This allows the user to be an administrator responsible for the Harmony Email & Collaboration service, while having only Read-Only access to other services.
Example 2: A user has the Admin global role in the Infinity Portal and is assigned the Read-Only role specifically for Harmony Email & Collaboration. The user still gets the permissions of the Admin role.
Note - It is recommended to always assign a base role to a user. If a modified permission is assigned to a user, the system automatically assigns this user with the Read-Only role.
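The additive behaviour in Examples 1 and 2 and in the note above can be modelled as a set union, which makes it easy to audit an assignment list for service roles that do not actually restrict anyone. This is an added example, not Check Point code: the record layout, the verb abbreviations, and the mapping of a global role onto the same-named table row are assumptions, and sensitive-data permissions are not modelled.

```python
# Added example: a model of the additive rule, not Check Point code.
# Verbs are abbreviated from the Base Roles table on this page.
BASE_ROLES = {
    "Admin": {
        "SaaS Applications": {"view", "connect/disconnect"},
        "SaaS Applications and Security Engines": {"view", "configure"},
        "Policy Rules": {"view", "configure"},
        "Custom Queries": {"view", "edit", "actions"},
        "Events, Quarantine, and Exceptions": {"view", "edit", "actions"},
    },
    "Read-Only": {"Custom Queries": {"view"},
                  "Events, Quarantine, and Exceptions": {"view"}},
    "Help Desk": {"Custom Queries": {"view", "edit"},
                  "Events, Quarantine, and Exceptions": {"view", "actions"}},
}
# Modified permissions that widen a table column (the others are omitted).
MODIFIED = {
    "View Policy": {"Policy Rules": {"view"}},
    "View and Edit Policy": {"Policy Rules": {"view", "create", "edit"}},
}

def merge(*grants):
    """Union {column: verbs} grants; nothing is ever subtracted."""
    out = {}
    for grant in grants:
        for column, verbs in grant.items():
            out.setdefault(column, set()).update(verbs)
    return out

def effective(global_role, service_base=None, modified=()):
    """Effective permissions in the service for one user."""
    if service_base is None and modified:
        service_base = "Read-Only"  # per the Note: base role auto-assigned
    # Assumption: a global role grants the same-named row of the table.
    grants = [BASE_ROLES[global_role]]
    if service_base:
        grants.append(BASE_ROLES[service_base])
    grants += [MODIFIED[m] for m in modified]
    return merge(*grants)

def ineffective_restriction(global_role, service_base):
    """True when the service role is narrower than what the user ends up with."""
    return merge(BASE_ROLES[service_base]) != effective(global_role, service_base)

# Constructed sample assignments: (user, global role, service base role).
USERS = [("alice", "Read-Only", "Admin"), ("bob", "Admin", "Read-Only"),
         ("carol", "Read-Only", "Help Desk")]
FLAGGED = [u for u, g, s in USERS if ineffective_restriction(g, s)]
print(FLAGGED)
```

A flagged user is the Example 2 case: restricting that account means changing its global role, because the service role cannot take permissions away.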