Managing Users, Roles and their Permissions

Harmony Email & Collaboration is hosted on the Infinity Portal, a web-based interface that hosts Check Point's security SaaS services. Therefore, all administrators with access to Harmony Email & Collaboration are managed globally in the Infinity Portal.

For more information about managing users, user groups, authentication and Single Sign-On, see Infinity Portal Administration Guide.

Roles and Permissions

Each Infinity Portal user is assigned two types of roles:

  • Global Role – Default role for every application in the Infinity Portal.

  • Specific Service Role – Roles that are specific for a service. These roles are an addition to the global roles and do not override them.

Note - Only users assigned with an Admin Global Role can add users, delete users and modify their permissions.

For more information about roles, see Infinity Portal Administration Guide.

Specific Service Roles

Harmony Email & Collaboration supports Specific Service Roles. These roles are an addition to the Global Role and apply only to the specific service, on top of the Global Role.

Harmony Email & Collaboration supports two types of Specific Service Roles and allows administrators to define custom roles for users.

  • For more information about modified permissions, see Modified Permissions.

Available Specific Service Roles:

| Role | SaaS Applications | SaaS Applications and Security Engines | Policy Rules | Custom Queries | Events, Quarantine, and Exceptions | Sensitive Data * |
|---|---|---|---|---|---|---|
| Base Roles | | | | | | |
| Admin | View and connect or disconnect | View and configure | View and configure | View, edit, and take actions | View, edit, and take actions | Can't view (explicit permissions required) |
| Read-Only | Can not view | Can not view | Can not view | View-Only | View-Only | Can't view (explicit permissions required) |
| Help Desk | Can not view | Can not view | Can not view | View and edit (no actions) | View and take actions | Can't view (explicit permissions required) |

Custom Roles

Harmony Email & Collaboration allows administrators to create custom roles, define specific access levels for users across different pages, and manage the receipt of notifications and reports.

Creating and Editing a Custom Role

To create a new custom role:

  1. Access the Harmony Email & Collaboration Administrator Portal.

  2. Go to System Settings > Roles.

  3. Click Add New Role or select an existing one to clone it.

  4. In the Name field, enter the desired name.

  5. In the Description field, enter the description for the role.

  6. In the Permissions section, select the required permissions for the role. See Custom Roles – Configurable Permissions.

  7. Click Save.

To edit a custom role:

1. Go to System Settings > Roles.

2. Select the existing role you want to edit and click the three-dot menu.

3. In the View Role page that appears, modify the required fields and permissions. See Custom Roles – Configurable Permissions.

4. Click Save.

Custom Roles – Configurable Permissions

Harmony Email & Collaboration allows you to create custom roles by defining access permissions for various interface pages and managing access to additional features such as notifications and sensitive data.

Permissions for Interface Pages

Harmony Email & Collaboration allows you to configure access levels for various interface pages while defining a custom role using the following options:

1. Hidden – Allows the user to view the page.

2. View – Allows the user to view the page and export data, but not to take actions on events, emails, files, etc.

3. View and Actions – Allows the user to perform any available actions in the page.

Note - Some actions are available from multiple interface pages. For example:

  • Users can quarantine an email from both User Interaction > Phishing Reports and Events page.

  • If a user has only View permission for User Interaction > Phishing Reports, they cannot quarantine emails from that page.

  • If a user has View and Actions permission for the Events page, they can quarantine emails from that page.

You can configure user access to the following sections in the interface:

| Interface Page | Description | Available Settings |
|---|---|---|
| Overview | Access to the Overview page | Hidden, View, View and Actions |
| Events | Access to the Events page | Hidden, View, View and Actions |
| Entity Pages | Access to Entity Pages, including the details of individual emails, files, attachments, messages, users etc. | Hidden; View only with detections (User can view sensitive data only when the system detects the entity as malicious or a DLP leak); View also without detections |
| Sensitive Data | Access to sensitive data, including email bodies, downloading emails as EML files, shared files, sent messages, and viewing strings from emails, files, or messages flagged as DLP violations. | |
| Mail Explorer and Custom Queries | Access to the Mail Explorer page and Custom Queries | Hidden, View, View and Actions |
| User Interaction | | |
| Dashboard | Access to the Dashboard page | Hidden, View, View and Actions |
| Restore Requests | Access to the Restore Requests page | Hidden, View, View and Actions |
| Phishing Reports | Access to the Phishing Reports page | Hidden, View, View and Actions |
| Quarantined Items | Access to the Quarantined Items page | Hidden, View, View and Actions |
| Modified Attachments | Access to the Modified Attachments page | Hidden, View, View and Actions |
| Smart Banners | Access to the Smart Banners page | Hidden, View, View and Actions |
| Analytics | | |
| Dashboard | Access to the Dashboard page | Hidden, View, View and Actions |
| Partner Risk | Access to the Partner Risk page | Hidden, View, View and Actions |
| Shadow IT | Access to the Shadow IT page | Hidden, View, View and Actions |
| Security Checkup | Access to the Security Checkup page | Hidden, View, View and Actions |
| Report Scheduler | Access to the Report Scheduler page | Hidden, View, View and Actions |
| Summary Report | Access to the Summary Report page | Hidden, View, View and Actions |
| Periodic Reports | Access to the Periodic Reports page | Hidden, View, View and Actions |
| Security Training | | |
| Dashboard | Access to the Dashboard page | Hidden; View; View and export; View, export and import |
| Policy | Access to the Policy page | Hidden; View; View and export; View, export and import |
| DMARC | Access to the DMARC page | Hidden, View, View and Actions |
| Policy | Access to the Policy page | Hidden, View, View and Actions |
| Security Settings | | |
| SaaS Applications | Access to the SaaS Applications page | Hidden, View, View and Actions |
| Security Engines | Access to the Security Engines page | Hidden, View, View and Actions |
| DLP Data Types | Access to the DLP Data Types page | Hidden, View, View and Actions |
| Security Exceptions | Access to the Security Exceptions page | Hidden, View, View and Actions |
| User Interaction Settings | Access to the User Interaction Settings page | Hidden, View, View and Actions |
| System Settings | | |
| Roles | Access to the Roles page | Hidden, View, View and Actions |
| Others – all other pages under System Settings | Access to all other pages in the System Settings section | Hidden, View, View and Actions |

Custom Role for Notification Settings

Harmony Email & Collaboration allows you to configure the following settings in the Notifications section while defining a custom role:

| Permission | Description | Available Settings |
|---|---|---|
| Overview | User will receive notifications from the system. | Receive; Don’t receive |
| Events | User will receive alerts from the system. Note - Even when this role is applied, the user receives email alerts for security events only when Send alerts to admins is selected in the policy. | Receive; Don’t receive |
| Checkup report | User will receive scheduled Security Checkup reports. | Receive; Don’t receive |

Assigning Roles to Users and Groups

Harmony Email & Collaboration allows you to assign Global Role and Specific Service Roles, including custom roles, to individual users, custom groups, or groups in Active Directory, Entra ID, or other IDP groups.

For more information, see Infinity Portal Administration Guide.

Conflicts Between Specific Service Roles and Global Roles

Harmony Email & Collaboration supports Specific Service Roles. These roles are an addition to the Global Role and apply only to the specific service, on top of the Global Role.

Example 1: A user has Read-Only global role in the Infinity Portal and is assigned Admin role specifically for Harmony Email & Collaboration. This allows the user to be an administrator responsible for Harmony Email & Collaboration service, while this user has only Read-Only access to other services.

Example 2: A user has Admin global role in the Infinity Portal and is assigned Read-Only role specifically for Harmony Email & Collaboration. Then the user gets the permissions of the Admin role.

Note - It is recommended to always assign a base role to a user. If a specific permission is assigned to a user, the system automatically assigns this user with the Read-Only role.
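The note earlier on this page about actions that are reachable from more than one interface page, and the additive role behaviour described in this section, can be checked mechanically when reviewing custom roles. The Python below is an added example, not Check Point code or a product export format: the role dictionaries and their names are constructed, and combining roles by taking the most permissive level per page is an assumption. Only the quarantine mapping (Phishing Reports and Events) comes from this page.

```python
from enum import IntEnum

class Access(IntEnum):
    HIDDEN = 0
    VIEW = 1
    VIEW_AND_ACTIONS = 2

PHISHING = "User Interaction > Phishing Reports"
EVENTS = "Events"

# Action -> pages that expose it. Only this mapping is stated on the page.
ACTION_PAGES = {"quarantine_email": (PHISHING, EVENTS)}

def merge_roles(*roles):
    """Assumed additive model: per page, the most permissive level wins."""
    merged = {}
    for role in roles:
        for page, level in role.items():
            merged[page] = max(merged.get(page, Access.HIDDEN), level)
    return merged

def audit(role, action):
    """Report where an action is reachable and whether the role is inconsistent."""
    pages = ACTION_PAGES[action]
    allowed = [p for p in pages
               if role.get(p, Access.HIDDEN) == Access.VIEW_AND_ACTIONS]
    blocked = [p for p in pages if p not in allowed]
    # Inconsistent: denied on one page but still reachable from another.
    return {"allowed_via": allowed, "blocked_on": blocked,
            "inconsistent": bool(allowed) and bool(blocked)}

# Constructed role definitions (hypothetical names, not exported from the product).
TRIAGE_VIEWER = {PHISHING: Access.VIEW, EVENTS: Access.VIEW_AND_ACTIONS}
STRICT_VIEWER = {PHISHING: Access.VIEW, EVENTS: Access.VIEW}
EVENTS_OPERATOR = {EVENTS: Access.VIEW_AND_ACTIONS}

if __name__ == "__main__":
    combined = merge_roles(STRICT_VIEWER, EVENTS_OPERATOR)
    for name, role in [("triage_viewer", TRIAGE_VIEWER),
                       ("strict_viewer", STRICT_VIEWER),
                       ("strict_viewer + events_operator", combined)]:
        print(name, audit(role, "quarantine_email"))
```

A role flagged as inconsistent is one where restricting a single page did not remove the action, which is the case to look for when a custom role is meant to be view-only.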

Automatically Added Custom Roles

Before May 2025, administrators used to assign modified permissions to each user or group from the following options instead of defining granular custom roles.

| Permission | Description |
|---|---|
| Modified Permissions | |
| Disable Receiving Weekly Reports | The user will not receive Security Checkup reports. |
| Receive Alerts | Sends email alerts to users with this role. Note - Even when this role is applied, the user receives email alerts for security events only when Send alerts to admins is selected in the policy. |
| View Sensitive Data only if Threats are Found | Allows the user to access the sensitive data* only for emails/files/messages flagged as containing threats. |
| View Policy | Allows the user to view the policy rules but not edit them. |
| View and Edit Policy | Allows the user to view, create and edit the policy rules. |
| View All Sensitive Data | Allows the user to access sensitive data*. |

If None are Assigned

By default, all users, regardless of role, have these permissions:

  • No access to sensitive data

  • Do not receive alerts

  • Receive Security Checkup reports

* Sensitive data includes email body, ability to download email as an EML file, ability to download shared files and sent messages, and viewing strings from emails/files/messages caught as DLP violations.

When the Custom Role feature is released, if any users have one of these modified permissions, the system automatically creates and assigns a custom role to them. As a result, you may see the following predefined custom roles in your system, even if you didn’t create them in the Roles page:

  • View Only with Detections

  • View Also Without Detections

  • Alerts

  • Checkup Reports

  • View and Edit Policy

  • View Policy

For example, if a user is configured with the Receive Alerts permission and the Custom Role feature is enabled, the system automatically creates the Alerts role on the Roles page and assigns it to the user.

You can remove these roles if they are unnecessary. However, ensure that other roles in your system provide the necessary permissions for all users before removing them.