Managing Users, Roles and their Permissions

Harmony Email & Collaboration is hosted on the Infinity Portal, a web-based interface that hosts Check Point's security SaaS services. Therefore, all administrators with access to Harmony Email & Collaboration are managed globally in the Infinity Portal.

For more information about managing users, user groups, authentication and Single Sign-On, see the Infinity Portal Administration Guide.

Roles and Permissions

Each Infinity Portal user is assigned two types of roles:

  • Global Role – Default role for every application in the Infinity Portal.

  • Specific Service Role – Roles that are specific for a service. These roles are an addition to the global roles and do not override them.

For more information about roles, see the Infinity Portal Administration Guide.

Specific Service Roles

Harmony Email & Collaboration supports Specific Service Roles. These roles are an addition to the Global Role and apply only to the specific service, on top of the Global Role.

Note - To configure Specific Service Roles in Harmony Email & Collaboration, the administrator must have the Admin role configured in their Global Role.

Example 1: A user has the Read-Only global role in the Infinity Portal and is assigned the Admin role specifically for Harmony Email & Collaboration. This allows the user to be an administrator responsible for the Harmony Email & Collaboration service, while having only Read-Only access to other services.

Example 2: A user has the Admin global role in the Infinity Portal and is assigned the Read-Only role specifically for Harmony Email & Collaboration. Because Specific Service Roles add to the Global Role and do not override it, the user gets the permissions of the Admin role.

Harmony Email & Collaboration supports two types of Specific Service Roles:

  • Default roles

  • Customized Permissions

Customized Permissions roles modify the permissions of the assigned users.

By default, all users, regardless of role, have these permissions:

  • No administrator has access to sensitive data

  • No administrator receives alerts

  • All administrators receive weekly reports

To access Specific Service Roles, go to Global Settings > Users > New > Add User and expand Specific Service Roles.

Default Roles

| Role | SaaS Applications | SaaS Applications and Security Engines | Policy Rules | Custom Queries | Events, Quarantine, and Exceptions | Sensitive Data * |
|---|---|---|---|---|---|---|
| Admin | View and connect or disconnect | View and configure | View and configure | View, edit, and take actions | View, edit, and take actions | Can't view (explicit permissions required) |
| Read-Only | Cannot view | Cannot view | Cannot view | View-Only | View-Only | Can't view (explicit permissions required) |
| Help Desk | Cannot view | Cannot view | Cannot view | View and edit (no actions) | View and take actions | Can't view (explicit permissions required) |

Customized Permissions

  • Disable Receiving Weekly Reports – Stops sending weekly reports to users with this role.

  • Receive Alerts – Sends email alerts to users with this role.
    Note - Even when this role is applied, the user receives email alerts for security events only when Send alerts to admins is selected in the policy.

  • View Sensitive Data only if Threats are Found – Allows the user to access the sensitive data* only for emails/files/messages flagged as containing threats.

  • View All Sensitive Data – Allows the user to access sensitive data*.

* Sensitive data includes email body, ability to download email as an EML file, ability to download shared files and sent messages, and viewing strings from emails/files/messages caught as DLP violations.
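
The role rules above can be checked during an access review. The following Python sketch is an added example, not Check Point code: it assumes the effective role is the more permissive of the Global Role and the Specific Service Role (as in Example 2), and it flags service roles that do not actually restrict the user, plus any holder of View All Sensitive Data. The user records and names are constructed.

```python
# Added example: review of role assignments (not Check Point code).
# Assumption: the effective role is the more permissive of the Global Role and
# the Specific Service Role, since service roles add to the global role.
RANK = {"Read-Only": 0, "Help Desk": 1, "Admin": 2}  # order read off the Default Roles table
ALL_SENSITIVE = "View All Sensitive Data"

def effective_role(global_role, service_role=None):
    """Role whose permissions the user ends up with in this service."""
    candidates = [r for r in (global_role, service_role) if r is not None]
    return max(candidates, key=lambda r: RANK[r])

def review(users):
    """Return (name, finding) pairs for assignments worth a second look."""
    findings = []
    for u in users:
        g, s = u["global"], u.get("service")
        eff = effective_role(g, s)
        # Example 2 on this page: a lower service role does not restrict the user.
        if s is not None and RANK[s] < RANK[g]:
            findings.append((u["name"],
                f"service role {s} does not restrict global role {g}; effective role is {eff}"))
        # Sensitive data is never granted by a default role, only explicitly.
        if ALL_SENSITIVE in u.get("custom", ()):
            findings.append((u["name"],
                "can view all sensitive data (email body, EML and file downloads, DLP strings)"))
    return findings

# Constructed sample assignments; the names are hypothetical.
USERS = [
    {"name": "alice", "global": "Read-Only", "service": "Admin"},       # Example 1
    {"name": "bob",   "global": "Admin",     "service": "Read-Only"},   # Example 2
    {"name": "carol", "global": "Read-Only", "service": "Help Desk",
     "custom": ["View All Sensitive Data"]},
    {"name": "dave",  "global": "Read-Only", "service": "Read-Only",
     "custom": ["Receive Alerts"]},
]

if __name__ == "__main__":
    for name, finding in review(USERS):
        print(f"{name}: {finding}")
```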