Managing Users, Roles and their Permissions

Harmony Email & Collaboration is hosted on the Infinity Portal, a web-based interface that hosts Check Point's security SaaS services. Therefore, all administrators with access to the Harmony Email & Collaboration are managed globally in the Infinity Portal.

For more information about managing users, user groups, authentication and Single Sign-On, see Infinity Portal Administration Guide.

Roles and Permissions

Each Infinity Portal user is assigned two types of roles:

Global Role – Default role for every application in the Infinity Portal.
Specific Service Role – Roles that are specific for a service. These roles are an addition to the global roles and do not override them.

Note - Only users assigned with an Admin Global Role can add users, delete users and modify their permissions.

For more information about roles, see Infinity Portal Administration Guide.

Specific Service Roles

Harmony Email & Collaboration supports Specific Service Roles. These roles are an addition to the Global Role and applies only to the specific service on top of the Global Role.

Harmony Email & Collaboration supports two types of Specific Service Roles:

Base roles
Modified Permissions

Available Specific Service Roles:

Role

SaaS Applications

SaaS Applications and Security Engines

Policy Rules

Custom Queries

Events, Quarantine, and Exceptions

Sensitive Data *

Base Roles

Admin

View and connect or disconnect

View and configure

View, edit, and take actions

Can't view (explicit permissions required)

Read-Only

Can not view

View-Only

Can't view (explicit permissions required)

Help Desk

Can not view

View and edit (no actions)

View and take actions

Can't view (explicit permissions required)

Modified Permissions

Disable Receiving Weekly Reports

The user will not receive Security Checkup reports.

Receive Alerts

Sends email alerts to users with this role.

Note - Even when this role is applied, the user receives email alerts for security events only when Send alerts to admins is selected in the policy.

View Sensitive Data only if Threats are Found

Allows the user to access the sensitive data* only for emails/files/messages flagged as containing threats.

View Policy

Allows the user to view the policy rules and does not allow to edit the rules.

View and Edit Policy

Allows the user to view, create and edit the policy rules.

View All Sensitive Data

Allows the user to access sensitive data*.

If None are Assigned

By default, all users regardless of the role, has these permissions:

No access to sensitive data
Does not receives alerts
Receive Security Checkup reports

* Sensitive data includes email body, ability to download email as an EML file, ability to download shared files and sent messages, and viewing strings from emails/files/messages caught as DLP violations.

To assign Specific Service Roles to a user:

Click > Users.
If the user is available in the Infinity Portal, select the user and click Edit.
If you want to add a new user and assign the roles, click New. For more details, see Infinity Portal Administration Guide.
Click Specific Service Roles and add the required permissions.
Click Save.

Conflicts Between Specific Service Roles and Global Roles

Harmony Email & Collaboration supports Specific Service Roles. These roles are an addition to the Global Role and applies only to the specific service on top of the Global Role.

Example 1: A user has Read-Only global role in the Infinity Portal and is assigned Admin role specifically for Harmony Email & Collaboration. This allows the user to be an administrator responsible for Harmony Email & Collaboration service, while this user has only Read-Only access to other services.

Example 2: A user has Admin global role in the Infinity Portal and is assigned Read-Only role specifically for Harmony Email & Collaboration. Then the user gets the permissions of the Admin role.

Note - It is recommended to always assign a base role to a user. If a modified permission is assigned to a user, the system automatically assigns this user with the Read-Only role.