

Administrator Management

In This Section:

Creating or Changing an Administrator Account

Deleting an Administrator

Defining Administrator Properties

Defining Administrator Groups - Flow

Managing Administrator Account Expiration

Working with Permission Profiles

Showing Connected Administrators

Multi-Domain Security Management Administrators use SmartDomain Manager and SmartConsole clients to manage the Multi-Domain Security Management deployment. Each administrator has permissions to manage different aspects of the environment.

Creating or Changing an Administrator Account

This procedure lets you add a new administrator account or change an existing administrator account.

To add a new administrator account:

  1. In the SmartDomain Manager, go to the Administrators view.
  2. Right-click an empty area in the Administrators pane.
    The Add Administrator window opens.
  3. Continue to configure administrator properties as necessary.

To edit an existing administrator account:

  1. In the SmartDomain Manager, go to the Administrators view.
  2. Double-click an existing administrator in the Administrators pane.
    The Edit Administrator window opens.
  3. Continue to configure administrator properties as necessary.

Administrator - General Properties

The administrator general properties include basic information such as the administrator name, type and the administrator expiration date.

To configure administrator general properties:

  1. In the Add or Edit Administrator window, go to the General Properties pane.
  2. Enter a unique Administrator Name.
    The administrator name cannot contain spaces or special characters.
  3. Select Launch Global SmartDashboard in Read Only mode if this administrator can see but not change settings in the Global SmartDashboard.
  4. Optionally, add an email address or comment to this administrator definition.

Selecting an Administrator Type

Multi-Domain Security Management uses different administrator types, each with a different scope of administrative authority. The administrator types and their permissions are:

Multi-Domain Superuser

Manages the Multi-Domain Security Management deployment, including all Domains, Multi-Domain Servers, Domain Management Servers, and administrator accounts.

Multi-Domain superusers can do these tasks for Multi-Domain Servers:

  • Add, edit or delete Multi-Domain Servers and Multi-Domain Log Servers.
  • Allow or block access to the SmartDomain Manager.

Domain Superuser

Manages networks for all Domains using the SmartDomain Manager and SmartConsole clients. Domain superusers can create, edit and delete Domains as well as see all Domain network objects.

Domain superusers can manage Global Managers, Domain Managers and None administrators. They cannot configure the Multi-Domain Server environment or manage Multi-Domain Superusers.

Global Manager

Manages global policies, global objects and specified Domain networks. Global managers can see information or do actions according to their permissions profile settings.

Global managers can manage Domain Managers and None administrators. Global managers can only see network objects in their assigned Domains. They cannot create new Domains.

Domain Manager

Manages specified Domain networks. Domain managers can use SmartConsole clients to see information or do actions according to their permissions profile settings.

Domain Managers can manage None administrators. They cannot access the Global SmartDashboard to manage global objects and global policies.

None

None administrators do not have permissions to manage Multi-Domain Security Management or to use the SmartDomain Manager. They can manage specified Domain networks using the SmartConsole clients.

To select an administrator type:

  1. In the Add or Edit Administrator window, go to the General Properties pane.
  2. Select Launch Global SmartDashboard in Read Only mode to prevent this administrator from changing global properties.
  3. Select an administrator type.
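The scope rules in the administrator type table above can be captured as a small authorization model. The following is an added example written for this page, not a Check Point API: AdminType, can_manage, the other function names and the administrator-name character set are assumptions, and the peer rule (whether a type may manage its own peers) is stated as an assumption in the code because the page does not cover it.

```python
# Constructed model of the administrator type hierarchy from the table above.
# Added example for this page, not a Check Point API; AdminType, can_manage
# and the other names are assumptions.
import re
from enum import IntEnum


class AdminType(IntEnum):
    """Administrator types ordered from least to most authority."""
    NONE = 0
    DOMAIN_MANAGER = 1
    GLOBAL_MANAGER = 2
    DOMAIN_SUPERUSER = 3
    MULTI_DOMAIN_SUPERUSER = 4


def can_manage(actor: AdminType, target: AdminType) -> bool:
    """True if an administrator of type `actor` may create, edit or delete an
    administrator of type `target`.

    Multi-Domain superusers manage every account. Every other type manages
    only the types listed below its own in the table (Domain superuser ->
    Global Manager, Domain Manager, None; Global Manager -> Domain Manager,
    None; Domain Manager -> None; None -> nobody). Whether a type may manage
    its own peers is not stated on the page; this model assumes it may not."""
    if actor == AdminType.MULTI_DOMAIN_SUPERUSER:
        return True
    return target < actor


def can_use_smartdomain_manager(actor: AdminType) -> bool:
    """None administrators work only through the SmartConsole clients."""
    return actor > AdminType.NONE


def can_use_global_dashboard(actor: AdminType) -> bool:
    """Global objects and global policies live in the Global SmartDashboard,
    which Domain managers and None administrators cannot open."""
    return actor >= AdminType.GLOBAL_MANAGER


def can_create_domains(actor: AdminType) -> bool:
    """Domain superusers and Multi-Domain superusers create, edit and delete
    Domains; Global managers only see their assigned Domains."""
    return actor >= AdminType.DOMAIN_SUPERUSER


def can_configure_multi_domain_servers(actor: AdminType) -> bool:
    """Adding, editing or deleting Multi-Domain Servers and Multi-Domain Log
    Servers is reserved for Multi-Domain superusers."""
    return actor == AdminType.MULTI_DOMAIN_SUPERUSER


# The General Properties step says the name cannot contain spaces or special
# characters; which characters count as "special" is not listed, so this check
# assumes letters, digits, underscore and hyphen only.
_NAME_RE = re.compile(r"^[A-Za-z0-9_-]+$")


def is_valid_admin_name(name: str, existing_names) -> bool:
    """Unique, non-empty, and free of spaces and special characters."""
    return bool(_NAME_RE.match(name)) and name not in set(existing_names)


if __name__ == "__main__":
    for actor in AdminType:
        managed = [t.name for t in AdminType if can_manage(actor, t)]
        print(f"{actor.name:24s} manages: {managed}")
```

Running the module prints, for each type, the list of types it may manage; the check functions are what a provisioning script or review tool would call before letting one administrator touch another's account.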

Configuring the Expiration Date

You can assign an expiration date to each administrator account. After this expiration date, the administrator cannot:

  • Log in to the SmartDomain Manager.
  • Do actions in the Multi-Domain Security Management environment.
  • Use the SmartConsole clients.

Note - Multi-Domain Security Management account expiration has no effect on operating system administrators. Operating system administrators, which are different from Multi-Domain Security Management administrators, can always access the Multi-Domain Server command line.

Multi-Domain Security Management includes tools for managing expiration dates and warning administrators of impending expirations. Administrators can manage expiration dates for other administrators with a lower level administrator type. Typically, Multi-Domain or Domain superusers do these management tasks.

To configure the expiration date:

  1. In the Add or Edit Administrator window, go to the General Properties pane.
  2. Do one of these steps to set the expiration date:
    • Select Expire at and then select an expiration date using the calendar control.

      OR

    • Select Never expires to prevent this administrator account from expiring.

    You can configure the default expiration dates that appear in this window in the Multi-Domain Security Management window.

Configuring Authentication

All administrators must authenticate to log in to the SmartDomain Manager and manage the Multi-Domain Security Management deployment. Select and configure an authentication method for this administrator.

To select and configure the authentication method:

  1. In the SmartDomain Manager, create a new administrator or double-click an existing administrator.
  2. In the Add or Edit Administrator window, go to the Authentication pane.
  3. Select and configure one of these authentication methods:
    • Undefined - Administrators are not authenticated or are authenticated by a certificate created in the Certificates pane.
    • SecurID - Administrators enter a one-time password as displayed on the SecurID smart card.
    • Check Point Password - Administrators enter the Check Point products password.
      Enter and confirm the password.
    • OS Password - Administrators authenticate using their operating system password.
    • RADIUS - Administrators authenticate by a password defined on the specified RADIUS server.
    • TACACS - Administrators authenticate by a password defined on the specified TACACS server.

Configuring Certificates

You can create a certificate that lets administrators connect to the Multi-Domain Server and Domain Management Servers. You can also revoke an existing certificate.

To create a certificate:

  1. In SmartDomain Manager, create a new administrator or double-click an existing administrator.
  2. In the Add or Edit Administrator window, go to the Authentication pane.
  3. Click Generate and save.
  4. In the message box, click OK to continue.
  5. Enter and confirm the certificate password.
  6. Save the certificate.

To revoke an existing certificate:

  1. In SmartDomain Manager, create a new administrator or double-click an existing administrator.
  2. In the Add or Edit Administrator window, go to the Authentication pane.
  3. Click Revoke.
  4. In the message box, click OK to confirm.

Entering Administrator Properties - Flow

The Administrator Properties pane contains optional information, typically contact information or other descriptive data. Administrators with applicable permissions (typically superusers) define the fields that show in the Administrator Properties pane.

To enter administrator properties information:

  1. In SmartDomain Manager, create a new administrator or double-click an existing administrator.
  2. In the Add or Edit Administrator window, go to the Administrator Properties pane.
  3. Enter information in the property fields as necessary.

Deleting an Administrator

To delete an administrator:

  1. In the SmartDomain Manager, go to the Administrators pane.
  2. Right-click an existing administrator and then select Delete Administrator.
  3. Click Yes in the confirmation window.

Defining Administrator Properties

The Administrator Properties pane includes optional information fields, typically contact information or other descriptive data. Administrators, with applicable permissions, define the fields that show in the Administrator Properties pane.

To define the fields that show in the Administrator Properties pane:

  1. Select Multi-Domain Security Management Properties from the SmartDomain Manager menu.
  2. Go to the Administrator Fields pane.
  3. Do one or more of these actions:
    • To add a new property field, click Add and then enter the field name in the pop-up window.
    • To delete a property field, select an existing field and then click Remove.
    • To change a property field name, click Edit and then enter a new field name.
    • To change the display order of a property field, select a field and then click the Up or Down arrow to move it.

Defining Administrator Groups - Flow

Administrator groups are related collections of administrator accounts. This lets you manage and do operations on many administrators simultaneously.

Creating a New Group

To create a new administrator selection group:

  1. In the SmartDomain Manager, select Manage > Selection Groups > Administrator Groups.
  2. In the Administrator Selection Groups window, click Add.
  3. In the Add Group window, enter a unique group name.
    Group names cannot contain spaces or special characters.
  4. Select administrators from the Not in Group list and then click Add.
    The administrators show in the In Group list.

Changing or Deleting a Group

To change an administrator selection group:

  1. In the SmartDomain Manager, select Manage > Selection Groups > Administrator Groups.
  2. In the Administrator Selection Groups window, select a group and then click Edit.
  3. Select administrators from the Not in Group list and then click Add.
    The administrators show in the In Group list.

To delete an administrator selection group:

  1. In the SmartDomain Manager, select Manage > Selection Groups > Administrator Groups.
  2. In the Administrator Selection Groups window, select a group and click Edit.
  3. In the confirmation window, click OK.

Managing Administrator Account Expiration

You can assign an expiration date to each administrator. After this expiration date, the administrator cannot log in to the SmartConsole clients or do actions in the Security Management Server environment.

Note - Account expiration has no effect on operating system administrators. Operating system administrators are different from administrators defined in SmartDomain Manager and can continue to access the command line.

SmartDomain Manager includes tools for managing expiration dates and warning administrators of impending expirations.

Working with Expiration Warnings

There are different methods to give warnings that administrator accounts will expire in a short time or have already expired. This section gives explanations for these warnings and procedures for correcting the issue.

Log In Warning

This warning message opens after you log in to the SmartDomain Manager if your administrator account is about to expire.

Speak to the administrator responsible for managing your administrator account to update the expiration date. If you have the applicable permissions, you can change the expiration date in your own account.

The administrator can disable this warning message by selecting the Do not show this again option, and can re-enable it by selecting Enable administrator expiration warning from the SmartDomain Manager Manage menu.

Using the Expired Accounts Window

The Expired Accounts window shows all administrator accounts that have expired or are near their expiration date. If there are administrators in this condition, the Expired Accounts link shows in the SmartDomain Manager status bar.

To use the Expired Accounts window, you must activate this feature in the Administrator Global Properties pane in the Multi-Domain Security Management Properties window. By default, the Expired Accounts window is activated.

To open the Expired Accounts window, click the link.

An icon next to each account shows its current status:

  • Account is active.
  • Account will expire soon.
  • Account has expired.
  • Expiration warning ignored.


To disable the Expired Accounts window, select the Don't show this again option. Alternatively, you can select Administrators from the Selection bar and then select Manage > Cancel Administrators Expiration Warning from the menu.

To re-enable the Expired Accounts window, select Administrators from the Selection bar and then select Manage > Enable Administrators Expiration Warning from the menu.

To change the expiration date from this window:

  1. Select an administrator account and then click Update.
  2. In the Update Expiration Date window, do one of these steps to change the expiration date:
    • Select Expire at and then select an expiration date from the calendar control.

      OR

    • Select Never expires to prevent this administrator account from expiring.

To change administrator account settings, select an administrator and then click Edit.

To deactivate expiration warnings for one administrator account, select the account and then click Ignore.

To deactivate expiration warnings for all administrator accounts, do the procedure for setting default expiration parameters.

Add or Change Administrator Window Warning

This warning shows in the administrator General Properties pane if the account is about to expire. Make sure that the expiration date is correct and update if necessary.

Configuring Default Expiration Settings

The default expiration settings show when you define a new administrator account. These settings include:

  • The default expiration date.
  • The number of days before expiration that warnings show after log in.
  • The number of days before expiration that the administrator account shows in the Expired Accounts window.

To configure the default expiration parameters:

  1. In the SmartDomain Manager, select Manage > Multi-Domain Security Management Properties.
  2. In the Multi-Domain Security Management Properties window, select Administrator Accounts.
  3. In the Administrator Accounts window, set the expiration date using one of these options:
    • Never Expires - Select if this administrator account does not expire.
    • Expire at - Select and then click the arrow on the text box. Select the expiration date using the calendar control.
    • Expire after - Select and enter the number of days (from today) before this account expires.
  4. Select Notify during login to show an expiration warning message when an administrator logs in. Enter the number of days before expiration that a warning shows.
  5. Select Show indication on status bar to activate the Expired Accounts link. This link opens the Expired Accounts window.
  6. Select Allow Global and Domain Managers to create/edit permission profiles to let these administrators create or change other administrator accounts. Global and Domain managers must have the Read_Write_All permission profile assigned to them to be able to edit an administrator with a lower permission level. For example:
    • A Global Manager can edit a Domain Manager and None administrators.
    • A Domain Manager can only edit None administrators.
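The expiration rules described in this section and in Using the Expired Accounts Window (the "Expire after" default for new accounts, the log in warning, the Ignore button and the four account statuses) can be expressed as one small model. The following is an added example written for this page, not Check Point code: ExpirationDefaults, AdminAccount and the function names are assumptions, the numeric defaults are constructed sample values, and the code states as an assumption which status wins when an ignored account passes its date.

```python
# Constructed model of the account expiration rules on this page: the
# "Expire after" default for new accounts, the log in warning, and the four
# statuses of the Expired Accounts window. Added example for this page, not
# Check Point code; ExpirationDefaults, AdminAccount and the function names
# are assumptions, and the numeric defaults are constructed sample values.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple


@dataclass
class ExpirationDefaults:
    """Settings from the Administrator Accounts pane."""
    expire_after_days: Optional[int] = 365   # None models "Never Expires"
    notify_during_login: bool = True
    login_warning_days: int = 14             # warn at login this many days ahead
    show_status_bar_indication: bool = True
    window_days: int = 30                    # list in Expired Accounts this far ahead


@dataclass
class AdminAccount:
    name: str
    expires_at: Optional[date]               # None means "Never expires"
    warning_ignored: bool = False            # set by Ignore in the window


def default_expiration(defaults: ExpirationDefaults, today: date) -> Optional[date]:
    """Expiration date pre-filled in Add Administrator for a new account."""
    if defaults.expire_after_days is None:
        return None
    return today + timedelta(days=defaults.expire_after_days)


def is_expired(acct: AdminAccount, today: date) -> bool:
    """The account is unusable after the expiration date, not on it."""
    return acct.expires_at is not None and acct.expires_at < today


def account_status(acct: AdminAccount, defaults: ExpirationDefaults, today: date) -> str:
    """One of the four Expired Accounts window statuses. An account whose
    warning was ignored is still reported as expired once the date passes
    (assumption; the page does not say which icon wins)."""
    if acct.expires_at is None:
        return "active"
    if is_expired(acct, today):
        return "expired"
    if acct.warning_ignored:
        return "warning ignored"
    if acct.expires_at - today <= timedelta(days=defaults.window_days):
        return "expires soon"
    return "active"


def login_check(acct: AdminAccount, defaults: ExpirationDefaults,
                today: date) -> Tuple[bool, Optional[str]]:
    """Whether a SmartDomain Manager login is allowed, plus the log in
    warning text (None when no warning is due or Ignore was clicked)."""
    if is_expired(acct, today):
        return False, f"{acct.name}: account expired on {acct.expires_at.isoformat()}"
    if (defaults.notify_during_login and not acct.warning_ignored
            and acct.expires_at is not None
            and acct.expires_at - today <= timedelta(days=defaults.login_warning_days)):
        return True, f"{acct.name}: account expires on {acct.expires_at.isoformat()}"
    return True, None


def expired_accounts_window(accounts: List[AdminAccount], defaults: ExpirationDefaults,
                            today: date) -> List[Tuple[str, str]]:
    """Rows of the Expired Accounts window: every account that is not simply
    active. Empty when the status bar indication is switched off."""
    if not defaults.show_status_bar_indication:
        return []
    rows = [(a.name, account_status(a, defaults, today)) for a in accounts]
    return [r for r in rows if r[1] != "active"]


if __name__ == "__main__":
    cfg, today = ExpirationDefaults(), date(2014, 6, 1)   # constructed sample date
    sample = [AdminAccount("mds_admin", None),
              AdminAccount("contractor", date(2014, 5, 31)),
              AdminAccount("auditor", date(2014, 6, 20))]
    for row in expired_accounts_window(sample, cfg, today):
        print(row)
```

The two thresholds are deliberately separate, as they are in the Administrator Accounts pane: the login warning and the status bar listing can use different lead times, and switching off the status bar indication hides the window without changing when accounts actually expire.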

Working with Permission Profiles

A permissions profile is a predefined set of SmartConsole administrative permissions that you assign to administrators and Domains. This feature lets you manage complex, granular permissions for many administrators with one definition. Permission profiles do not apply to SmartDomain Manager activities.

When you assign an administrator account to a domain, you must assign a permissions profile. You can assign a predefined permissions profile or you can create a unique, Domain-specific permissions profile for the administrator.

Administrators with applicable permissions can create and manage permissions profiles. By default, only superusers can create or configure permissions profiles. You can change the global properties to let global and Domain managers create and configure permission profiles for their assigned Domains.

Multi-Domain Security Management includes default permissions profiles:

  • None_All_Profile - Administrators cannot use SmartConsole applications to see or configure settings.
  • Read_Only_All_Profile - Administrators can use SmartConsole only to see information. They cannot configure settings.
  • Read_Write_All_Profile - Administrators can use SmartConsole applications to see and configure all settings.
  • Read_Write_All_Profile_no_dlp - Administrators can use SmartConsole applications to see and configure all settings with the exception of DLP.

You can assign one of the default permissions profiles to any administrator and domain.

Configuring Permissions

This section includes procedures for creating, changing and deleting permission profiles. Administrators with the applicable permissions can create, edit or delete permissions profiles.

To create or change a permissions profile:

  1. Select the Menu icon > Manage > Manage Permissions Profiles.
  2. In the Permissions Profile window, click New or select an existing Permissions Profile.
  3. In the Permissions Profile Properties window, configure permissions profile settings.

    Note - You can also create a new permissions profile while assigning a profile to an administrator in a Domain.

To delete an existing permissions profile:

  1. In SmartDashboard, select Manage > Manage Permissions Profiles.
  2. In the Permissions Profile window, click Delete.
  3. Click Yes to confirm.

To configure permissions profile settings:

  1. In the Allow access via section, select one of these options:
    • Management Portal and SmartConsole Applications - Permissions to use SmartConsole applications and the Management Portal to connect to a Domain Management Server.
    • Management Portal only - Permissions to connect to a Domain Management Server only with the Management Portal.
  2. In the Permissions section, select one of these options:
    • Read/Write All - Full access to all Check Point products.
    • Read DLP logs - Permissions to:
      • See all fields of DLP logs in SmartView Tracker.
      • See incident messages and captured data. User emails can be read if they violate corporate Data Loss Prevention rules.
      • Send or discard quarantined user emails from SmartView Tracker.
      With the Customized option you can assign a subset of these permissions as necessary. For example, administrators can see the field content in DLP logs but not see the actual content of incidents.
    • Read Only All - Read-only access to all Check Point products.
    • Customized - Configure access to specified Check Point products and select the access type for each product or blade.

Configuring Customized Permissions

If you select Customized Permissions, you can define permissions for each Security Management Server resource (object, Policy and feature) separately. The resources show on four different panes in the Administrators Permission Configuration window. Each pane contains a list of related resources.

To configure customized permissions:

  1. In the Permissions section, select Customized and then click Edit.
  2. Select a pane in the Administrator Permissions Configuration window:
    • General - Security Policy, blades and features
    • Monitoring and Logging - Monitoring and logging options
    • Events and Reports - SmartEvent and SmartReporter features
    • Provisioning - SmartProvisioning features and scripting
    • Endpoint - Endpoint Security Policy management and Endpoint Security client deployment and management.
  3. Set permissions for the resources:
    • To prevent an administrator from seeing or configuring a resource, clear its checkbox.
    • To let the administrator see a resource (but not change it), select its checkbox and then select Read only.
    • To let the administrator see and configure a resource, select its checkbox and then select Read/Write.

Notes:

  • You cannot prevent administrators from seeing some resources. The options for these resources are disabled.
  • Some resources do not have permission selections. You can only select or clear them.

Managing Permission Profiles

By default, only Global and Domain superusers can create and configure permissions profiles. You can optionally let Global and Domain managers create and configure permissions profiles. Administrators with None permissions cannot manage permission profiles.

To let Global and Domain administrators manage permissions profiles:

  1. Select Manage > Multi-Domain Security Management properties from the SmartDomain Manager menu.
  2. In the Multi-Domain Security Management Properties window, select Administrator Accounts.
  3. In the Administrator Accounts pane, select the Allow Global and Domain Managers to create/edit permissions profiles option.

To See the Latest Changes to Permissions Profiles

To see information about the latest changes to a permissions profile:

  1. In the SmartDomain Manager, select Administrators (in the Selection Bar) > Manage > Permissions Profiles.
  2. Select a permissions profile.
  3. In the Permissions Profiles window, click Actions > Last Modified.
    The Last Modification window opens.

    This window shows:

    • Date of the last change
    • Administrator who made the change
    • GUI client used to make the change

Seeing Administrators Using a Permissions Profile

To see which administrators are using a permissions profile:

  1. In SmartDomain Manager, select Administrators (in the Selection bar) > Manage > Manage Permissions Profiles.
  2. Select a permissions profile.
  3. In the Permissions Profiles window, click Actions > Where used.
    The Object Managers References window opens.

Merging Identical Permissions Profiles

It is a security best practice to remove identical permissions profiles and to keep the number of permissions profiles to a minimum. This makes the maintenance of permissions profiles easier.

Multi-Domain Security Management lets you find identical permissions profiles and merge them into one profile.

To find and merge identical permissions profiles:

  1. In the SmartDomain Manager, select Administrators.
  2. Select Manage > Manage Permissions Profiles from the menu.
  3. Select a permissions profile.
  4. Click Actions and then select Find profiles identical to this.
  5. Click Unify (or Unify to Default):
    • If the selected profile or profiles are identical to a default profile, they automatically merge with the default profile. Duplicate profiles are deleted.
    • If the selected profile or profiles are not identical to a default profile, they automatically merge with the selected profile. Duplicate profiles are deleted.
    • If you select the Unify Permission Profiles Name option, enter a profile name (or accept the default name). The selected profile or profiles merge with the name you entered. Duplicate profiles are deleted.

Note - You cannot merge a default profile with an administrator-defined profile. If you try to do this, an error message shows.
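The Customized permissions rules (Configuring Customized Permissions, including the two Notes on resources that cannot be hidden or have no access-type selection) and the merge procedure above share one data model: a profile is a map from resource to access type, two profiles are identical when those maps and the access route match, and Unify re-points every administrator assignment before deleting the duplicates. The following is an added example written for this page, not Check Point code: Profile, unify, where_used, the resource strings and the sets of always-visible and select-only resources are assumptions. The `to_default` flag models the choice between Unify and Unify to Default: plain Unify refuses a group that mixes a default and an administrator-defined profile, as the Note states, while Unify to Default merges such a group into the default profile, as the first bullet states.

```python
# Constructed model of permission profiles: per-resource access types from
# the Customized panes, the two Notes on resources that cannot be hidden or
# have no access-type selection, and the "Find profiles identical to this" /
# Unify merge. Added example for this page, not Check Point code; every name
# here (Profile, unify, the resource strings) is an assumption.
from typing import Dict, List, Optional, Set

# Access types selectable per resource on the Administrator Permissions
# Configuration panes.
NONE, READ_ONLY, READ_WRITE = "none", "read only", "read/write"

# Constructed resource catalogue: resources that can never be hidden, and
# resources that have only a select/clear checkbox without Read only/Read-Write.
ALWAYS_VISIBLE: Set[str] = {"General/Security Policy"}
SELECT_ONLY: Set[str] = {"Provisioning/scripting"}

DEFAULT_PROFILES = {"None_All_Profile", "Read_Only_All_Profile",
                    "Read_Write_All_Profile", "Read_Write_All_Profile_no_dlp"}


class Profile:
    def __init__(self, name: str, access_via: str, permissions: Dict[str, str]):
        self.name = name
        self.access_via = access_via          # "portal+smartconsole" or "portal only"
        self.permissions = dict(permissions)  # resource -> access type

    def set_resource(self, resource: str, level: str) -> None:
        """Apply one checkbox/radio choice, enforcing the two Notes."""
        if level not in (NONE, READ_ONLY, READ_WRITE):
            raise ValueError(f"unknown access type {level!r}")
        if level == NONE and resource in ALWAYS_VISIBLE:
            raise ValueError(f"{resource} cannot be hidden from administrators")
        if level == READ_ONLY and resource in SELECT_ONLY:
            raise ValueError(f"{resource} has no Read only / Read/Write selection")
        self.permissions[resource] = level

    def signature(self):
        """Canonical form for comparison: two profiles are identical when they
        grant the same access route and the same type for every resource."""
        return (self.access_via, tuple(sorted(self.permissions.items())))

    def is_default(self) -> bool:
        return self.name in DEFAULT_PROFILES


def find_identical(selected: Profile, profiles: List[Profile]) -> List[Profile]:
    """Actions > Find profiles identical to this (the selected one excluded)."""
    sig = selected.signature()
    return [p for p in profiles if p is not selected and p.signature() == sig]


def where_used(profile_name: str, assignments: Dict[str, str]) -> List[str]:
    """Actions > Where used: administrator-in-Domain keys assigned this profile."""
    return sorted(k for k, v in assignments.items() if v == profile_name)


def unify(selected: Profile, profiles: List[Profile], assignments: Dict[str, str],
          to_default: bool = False, new_name: Optional[str] = None) -> str:
    """Merge every profile identical to `selected` into one survivor and
    return its name. `assignments` (administrator-in-Domain -> profile name)
    is re-pointed so nothing references a deleted duplicate."""
    group = [selected] + find_identical(selected, profiles)
    if len(group) == 1:
        return selected.name                  # nothing to merge
    defaults = [p for p in group if p.is_default()]
    customs = [p for p in group if not p.is_default()]
    if defaults and customs and not to_default:
        raise ValueError("cannot merge a default profile with an administrator-defined profile")
    old_names = {p.name for p in group}
    if defaults and to_default:
        survivor = defaults[0]                # Unify to Default
    else:
        survivor = selected                   # Unify into the selected profile
        if new_name:
            survivor.name = new_name          # Unify Permission Profiles Name
    for key, name in assignments.items():
        if name in old_names:
            assignments[key] = survivor.name
    for p in group:
        if p is not survivor:
            profiles.remove(p)                # duplicate profiles are deleted
    return survivor.name
```

Re-pointing assignments before deleting is the step that keeps the merge safe: an administrator whose Domain assignment referenced a deleted duplicate would otherwise be left with no profile, which is exactly the kind of gap the Where used view exists to catch.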

Showing Connected Administrators

In the Connected Administrators view, you can see all administrators currently connected to Multi-Domain Security Management. To show connected administrators information, select Connected Administrators in the SmartDomain Manager Selection bar.

This information shows in the Connected Administrators pane:

  • Management - Type of GUI Client connected to the SmartDomain Manager.
  • Domain - Domain that the administrator connects to.
  • Administrator - Administrator name.
  • Application - Type of GUI client that the administrator is using.
  • GUI Client - GUI client IP address or DNS host name.
  • Login Time - Date and time that the administrator logged in.
  • Database - Database status:
    • Locked - The administrator is using SmartDashboard and has exclusive Read/Write access permissions to the Domain Management Server. The database is locked.
    • No Status - The administrator is using SmartDashboard with Read Only access permissions or is using a different GUI client.
  • Action Status - Status of requests to disconnect a GUI client:
    • Disconnection Request - Disconnection request is being processed. This status shows only to the user who is disconnecting.
    • Disconnect on - Shows the date and time when the GUI client is to be disconnected.
    • Cancellation Request - Request to cancel a disconnection request. The disconnection request can occur up to 60 minutes from the current time. Administrators can only disconnect connections for other administrators.
 
©2014 Check Point Software Technologies Ltd. All rights reserved.