Managing Users, Roles and their Permissions
Harmony Email & Collaboration is hosted on the Infinity Portal, a web-based interface that hosts Check Point's security SaaS services. Therefore, all administrators with access to Harmony Email & Collaboration are managed globally in the Infinity Portal.
For more information about managing users, user groups, authentication and Single Sign-On, see the Infinity Portal Administration Guide.
Roles and Permissions
Each Infinity Portal user is assigned two types of roles:
- Global Role – Default role for every application in the Infinity Portal.
- Specific Service Role – Roles that are specific to a service. These roles are an addition to the global roles and do not override them.
Note - Only users assigned an Admin Global Role can add users, delete users and modify their permissions.
For more information about roles, see the Infinity Portal Administration Guide.
Specific Service Roles
Harmony Email & Collaboration supports Specific Service Roles. These roles are an addition to the Global Role and apply only to the specific service on top of the Global Role.
Harmony Email & Collaboration supports two types of Specific Service Roles and allows administrators to define custom roles for users.
- Base roles
- Modified Permissions
For more information about modified permissions, see Modified Permissions.
Available Specific Service Roles:
Role | SaaS Applications | SaaS Applications and Security Engines | Policy Rules | Custom Queries | Events, Quarantine, and Exceptions | Sensitive Data * |
---|---|---|---|---|---|---|
Base Roles | | | | | | |
Admin | View and connect or disconnect | View and configure | View and configure | View, edit, and take actions | View, edit, and take actions | Can't view (explicit permissions required) |
Read-Only | Can not view | Can not view | Can not view | View-Only | View-Only | Can't view (explicit permissions required) |
Help Desk | Can not view | Can not view | Can not view | View and edit (no actions) | View and take actions | Can't view (explicit permissions required) |
Custom Roles
Harmony Email & Collaboration allows administrators to create custom roles, define specific access levels for users across different pages, and manage the receipt of notifications and reports.
Creating and Editing a Custom Role
To create a new custom role:
1. Access the Harmony Email & Collaboration Administrator Portal.
2. Go to System Settings > Roles.
3. Click Add New Role or select an existing one to clone it.
4. In the Name field, enter the desired name.
5. In the Description field, enter the description for the role.
6. In the Permissions section, select the required permissions for the role. See Custom Roles – Configurable Permissions.
7. Click Save.
To edit a custom role:
1. Go to System Settings > Roles.
2. Select the existing role you want to edit and click the three-dot menu.
3. In the View Role page that appears, modify the required fields and permissions. See Custom Roles – Configurable Permissions.
4. Click Save.
Custom Roles – Configurable Permissions
Harmony Email & Collaboration allows you to create custom roles by defining access permissions for various interface pages and managing access to additional features such as notifications and sensitive data.
Permissions for Interface Pages
Harmony Email & Collaboration allows you to configure access levels for various interface pages while defining a custom role using the following options:
1. Hidden – Allows the user to view the page.
2. View – Allows the user only to view the page and export data; the user cannot take actions on events, emails, files, etc.
3. View and Actions – Allows the user to perform any available actions in the page.
Note - Some actions are available from multiple interface pages. For example:
You can configure user access to the following sections in the interface:
Interface Page | Description | Available Settings |
---|---|---|
Overview | Access to the Overview page | Hidden, View, View and Actions |
Events | Access to the Events page | Hidden, View, View and Actions |
Entity Pages | Access to Entity Pages, including the details of individual emails, files, attachments, messages, users etc. | |
Sensitive Data | Access to sensitive data, including email bodies, downloading emails as EML files, shared files, sent messages, and viewing strings from emails, files, or messages flagged as DLP violations. | |
Mail Explorer and Custom Queries | Access to the Mail Explorer page and Custom Queries | Hidden, View, View and Actions |
User Interaction | | |
Dashboard | Access to the Dashboard page | Hidden, View, View and Actions |
Restore Requests | Access to the Restore Requests page | Hidden, View, View and Actions |
Phishing Reports | Access to the Phishing Reports page | Hidden, View, View and Actions |
Quarantined Items | Access to the Quarantined Items page | Hidden, View, View and Actions |
Modified Attachments | Access to the Modified Attachments page | Hidden, View, View and Actions |
Smart Banners | Access to the Smart Banners page | Hidden, View, View and Actions |
Analytics | | |
Dashboard | Access to the Dashboard page | Hidden, View, View and Actions |
Partner Risk | Access to the Partner Risk page | Hidden, View, View and Actions |
Shadow IT | Access to the Shadow IT page | Hidden, View, View and Actions |
Security Checkup | Access to the Security Checkup page | Hidden, View, View and Actions |
Report Scheduler | Access to the Report Scheduler page | Hidden, View, View and Actions |
Summary Report | Access to the Summary Report page | Hidden, View, View and Actions |
Periodic Reports | Access to the Periodic Reports page | Hidden, View, View and Actions |
Security Training | | |
Dashboard | Access to the Dashboard page | |
Policy | Access to the Policy page | |
DMARC | Access to the DMARC page | Hidden, View, View and Actions |
Policy | Access to the Policy page | Hidden, View, View and Actions |
Security Settings | | |
SaaS Applications | Access to the SaaS Applications page | Hidden, View, View and Actions |
Security Engines | Access to the Security Engines page | Hidden, View, View and Actions |
DLP Data Types | Access to the DLP Data Types page | Hidden, View, View and Actions |
Security Exceptions | Access to the Security Exceptions page | Hidden, View, View and Actions |
User Interaction Settings | Access to the User Interaction Settings page | Hidden, View, View and Actions |
System Settings | | |
Roles | Access to the Roles page | Hidden, View, View and Actions |
Others – all other pages under System Settings | Access to all other pages in the System Settings section | Hidden, View, View and Actions |
Custom Role for Notification Settings
Harmony Email & Collaboration allows you to configure the following settings in the Notifications section while defining a custom role:
Permission | Description | Available Settings |
---|---|---|
Overview | User will receive notifications from the system. | |
Events | User will receive alerts from the system. | |
Checkup report | User will receive scheduled Security Checkup reports. | |
Assigning Roles to Users and Groups
Harmony Email & Collaboration allows you to assign a Global Role and Specific Service Roles, including custom roles, to individual users, custom groups, or groups in Active Directory, Entra ID, or other IDP groups.
For more information, see the Infinity Portal Administration Guide.
Conflicts Between Specific Service Roles and Global Roles
Harmony Email & Collaboration supports Specific Service Roles. These roles are an addition to the Global Role and apply only to the specific service on top of the Global Role.
Example 1: A user has the Read-Only global role in the Infinity Portal and is assigned the Admin role specifically for Harmony Email & Collaboration. This allows the user to be an administrator responsible for the Harmony Email & Collaboration service, while having only Read-Only access to other services.
Example 2: A user has the Admin global role in the Infinity Portal and is assigned the Read-Only role specifically for Harmony Email & Collaboration. Then the user gets the permissions of the Admin role.
Note - It is recommended to always assign a base role to a user. If a specific permission is assigned to a user, the system automatically assigns this user with the Read-Only role.
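
The additive rule in the two examples above can be checked mechanically during an access review. The following Python is an added example, not Check Point code: it transcribes the base-role table from this page, assumes that a Global Role grants the permissions of the base role with the same name, and runs on constructed user assignments.

```python
# Added example: effective Harmony Email & Collaboration access per user.
# Capabilities are transcribed from the base-role table on this page.
# Sensitive Data is left out: every base role needs explicit permission for it.
AREAS = [
    "SaaS Applications",
    "SaaS Applications and Security Engines",
    "Policy Rules",
    "Custom Queries",
    "Events, Quarantine, and Exceptions",
]
BASE_ROLES = {
    "Admin": dict(zip(AREAS, [
        {"view", "connect"}, {"view", "configure"}, {"view", "configure"},
        {"view", "edit", "actions"}, {"view", "edit", "actions"}])),
    "Read-Only": {AREAS[3]: {"view"}, AREAS[4]: {"view"}},
    "Help Desk": {AREAS[3]: {"view", "edit"}, AREAS[4]: {"view", "actions"}},
}

def effective(*roles):
    """Per-area union of capabilities: roles add to each other, never override."""
    return {a: set().union(*(BASE_ROLES[r].get(a, set()) for r in roles if r))
            for a in AREAS}

def review(assignments):
    """Flag users whose Global Role grants more than their service role intends."""
    findings = []
    for user, global_role, service_role in assignments:
        if not service_role:
            continue  # no service role assigned, nothing to compare against
        granted = effective(global_role, service_role)
        intended = effective(service_role)
        extra = sorted(a for a in AREAS if granted[a] - intended[a])
        if extra:
            findings.append({"user": user, "global": global_role,
                             "service": service_role, "extra_areas": extra})
    return findings

# Constructed sample assignments: (user, Global Role, Specific Service Role).
SAMPLE = [
    ("alice@example.com", "Read-Only", "Admin"),      # Example 1 on this page
    ("bob@example.com", "Admin", "Read-Only"),        # Example 2 on this page
    ("carol@example.com", "Read-Only", "Help Desk"),
]

if __name__ == "__main__":
    for f in review(SAMPLE):
        print(f"{f['user']}: service role {f['service']} does not restrict; "
              f"Global Role {f['global']} adds access to {', '.join(f['extra_areas'])}")
```

Only the Example 2 pattern is reported: a restrictive service role has no effect while the user's Global Role is Admin, so the restriction has to be made on the Global Role.
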
Automatically Added Custom Roles
Before May 2025, administrators used to assign modified permissions to each user or group from the following options instead of defining granular custom roles.
Permission | Description |
---|---|
Disable Receiving Weekly Reports | The user will not receive Security Checkup reports. |
Receive Alerts | Sends email alerts to users with this role. |
View Sensitive Data only if Threats are Found | Allows the user to access the sensitive data* only for emails/files/messages flagged as containing threats. |
View Policy | Allows the user to view the policy rules but not to edit them. |
View and Edit Policy | Allows the user to view, create and edit the policy rules. |
View All Sensitive Data | Allows the user to access sensitive data*. |
If None are Assigned | By default, all users, regardless of the role, have these permissions: |
* Sensitive data includes email body, ability to download email as an EML file, ability to download shared files and sent messages, and viewing strings from emails/files/messages caught as DLP violations.
When the Custom Role feature is released, if any users have one of these modified permissions, the system automatically creates and assigns a custom role to them. As a result, you may see the following predefined custom roles in your system, even if you didn’t create them in the Roles page:
- View Only with Detections
- View Also Without Detections
- Alerts
- Checkup Reports
- View and Edit Policy
- View Policy
For example, if a user is configured with the Receive Alerts permission and the Custom Role feature is enabled, the system automatically creates the Alerts role on the Roles page and assigns it to the user.
You can remove these roles if they are unnecessary. However, ensure that other roles in your system provide the necessary permissions for all users before removing them.