Managing Administrators and Permissions

In This Section:

In a Multi-Domain Management environment, administrators manage system objects and settings, such as:

Multi-Domain Servers and Multi-Domain Log Servers
Domains and Domain Servers
High Availability configuration and synchronization
Domain Security Gateways, networks and other objects
Domain Security Policies and rules
Global Domain

Permission profiles let you assign permissions to Multi-Domain Management administrators, based on their area of responsibility. You can assign granular permissions to administrators that manage different elements of the Multi-Domain Management environment.

Configuring Administrators

To configure an administrator:

Connect to the Multi-Domain Server with SmartConsole, and go to Permissions & Administrators > Administrators.
Click New, or select an existing administrator and then click Edit.
In the Administrator view, configure the settings described in the next sections.

Administrator - General

Authentication

Name - Enter a unique administrator name.
Authentication Method - Select an authentication method and enter other authentication parameters as necessary. To learn more about the various authentication methods, see The R80.10 Security Management Administration Guide.
To set a default value for this parameter, go to Permissions & Administrators > Advanced > Administrator Settings > Authentication Default Values. Select a default authentication from the list.
Certificate Information - Optional: Click Create to generate a new certificate.
- You can use a certificate with or without an authentication method.
- For an existing administrator definition, you can revoke an existing certificate and create a new one.

Permissions

Multi-Domain Permission Profile - Select a Multi-Domain permission profile from the list.
Accept the default permission profile or select a different one. You can also create a new permission profile to assign. For an existing administrator, the currently selected permission profile shows.

Click the View icon to see details of the currently assigned permission profile.

If the Edit icon shows, you have permissions to see and change the currently selected permission profile. Click the Edit icon to change the settings.

Permission Profiles per Domain - Select one or more Domains, and then select a Domain permission profile for each one.

+ - Click to select a Domain to add to the profile.

X - Click to remove the selected Domain from the profile.

Note - The Permission Profiles per Domain Section does not show for superusers, because Read/Write Domain permission profiles are assigned automatically to all Domains.
Expiration - Define when this administrator account expires.
- Never - The administrator account does not expire.
- Expire at - Select an expiration date for this administrator.
To set a default value for this parameter, go to Permissions & Administrators > Advanced > Administrator Settings > Default Expiration Values.

Contact Options

You can optionally add contact information for this user:

Email - Enter the administrator email address.
Contact Details - Enter additional contact information.
Phone - Enter the administrator telephone number.

Note - If you upgraded from an earlier release, the system copies these values into the new release.

Creating a Certificate for Logging in to SmartConsole

When you define an administrator, you must configure the authentication credentials for the administrator.

The authentication credentials for the administrator can be one of the supported authentication methods, or a certificate, or the two of them.

You can create a certificate file in SmartConsole. The administrator can use this file to log in to SmartConsole using the Certificate File option. The administrator must provide the password for the certificate file.

You can import the certificate file to the CryptoAPI (CAPI) certificate repository on the Microsoft Windows SmartConsole computer. The administrator can use this stored certificate to log in to SmartConsole using the CAPI Certificate option. The SmartConsole administrator does not need to provide a password.

To create a certificate file:

In the New Administrator window, in the Certificate Information section, click Create.
Enter a password.
Click OK.
Save the certificate file to a secure location on the SmartConsole computer.

The certificate file is in the PKCS #12 format, and has a .p12 extension.

Note - Give the certificate file and the password to the SmartConsole administrators. The administrator must provide this password when logging in to SmartConsole with the Certificate File option.

To Import the certificate file to the CAPI repository:

On the Microsoft Windows SmartConsole computer, double-click the certificate file.
Follow the instructions.

Working with Permission Profiles

A permission profile is a predefined set of permissions that you assign to administrators in a Multi-Domain Management environment. This lets you manage complex, granular permissions for many different administrators with one definition.

There are two types of permission profiles:

Multi-Domain permission profiles - Defines administrator permissions for the full Multi-Domain Management environment.
Domain permission profiles - Defines the permission set per Domain

Predefined Multi-Domain Permission Profiles

Multi-Domain Management includes predefined Multi-Domain and Domain permission profiles that are ready to use. You cannot delete or change these profiles. You can create custom permission profiles as necessary for your environment.

These are the predefined Multi-Domain permission profiles available in this release. In the Permissions Profile view, double-click each profile to see the permissions it includes:

Permission Profile	Permissions
Multi-Domain Superuser	Manage all elements of the Multi-Domain Management environment, including: Multi-Domain Servers, Multi-Domain Log Servers, Domains, Domain Servers, Global Policies, administrators and permission profiles. Multi-Domain Superusers manage all Domain objects, including Security Gateways, Policies, rules, networks and other objects.
Domain Superuser	Manage all Domains, Domain Servers, Domain networks, global objects, and global configurations. They manage Domain objects, including Security Gateways, Policies, rules, networks and other objects. Domain Superusers can create and manage other administrators, manage other administrators' sessions, and manage permission profiles at the same or lower levels. Domain Superusers cannot create or change the settings for Multi-Domain Servers or Multi-Domain Log Servers.
Global Manager	Manage Global Domains, global configurations, global rules, and global assignments. Global Managers can manage Domains, but not add or delete domains or manage Multi-Domain Servers. Global managers can manage administrators with equal or lower permissions. Global Managers can create new global assignments and can assign Global Policies to Domains that they have permissions to manage. Domain-Level permissions are based on the assigned Domain permission profile.
Domain Manager	Manage Domain Policies, networks and objects based on their permission profile. Domain Managers can manage administrators with equal or lower permissions. Domain Managers can reassign Global Policies to Domains that they have permissions to manage. They cannot create new global assignments. Domain-Level permissions are based on the assigned Domain permission profile.
Domain Level Only	Manage Domain Policies, networks and objects based on their permission profile. These administrators cannot manage the Multi-Domain Management system or its configuration settings, or login to the Multi-Domain Servers. Domain-Level permissions are based on the assigned Domain permission profile.

Permission Profile

Permissions

Multi-Domain Superuser

Manage all elements of the Multi-Domain Management environment, including: Multi-Domain Servers, Multi-Domain Log Servers, Domains, Domain Servers, Global Policies, administrators and permission profiles. Multi-Domain Superusers manage all Domain objects, including Security Gateways, Policies, rules, networks and other objects.

Domain Superuser

Manage all Domains, Domain Servers, Domain networks, global objects, and global configurations. They manage Domain objects, including Security Gateways, Policies, rules, networks and other objects.

Domain Superusers can create and manage other administrators, manage other administrators' sessions, and manage permission profiles at the same or lower levels. Domain Superusers cannot create or change the settings for Multi-Domain Servers or Multi-Domain Log Servers.

Global Manager

Manage Global Domains, global configurations, global rules, and global assignments. Global Managers can manage Domains, but not add or delete domains or manage Multi-Domain Servers. Global managers can manage administrators with equal or lower permissions.

Global Managers can create new global assignments and can assign Global Policies to Domains that they have permissions to manage.

Domain-Level permissions are based on the assigned Domain permission profile.

Domain Manager

Manage Domain Policies, networks and objects based on their permission profile. Domain Managers can manage administrators with equal or lower permissions.

Domain Managers can reassign Global Policies to Domains that they have permissions to manage. They cannot create new global assignments.

Domain-Level permissions are based on the assigned Domain permission profile.

Domain Level Only

Manage Domain Policies, networks and objects based on their permission profile. These administrators cannot manage the Multi-Domain Management system or its configuration settings, or login to the Multi-Domain Servers.

Domain-Level permissions are based on the assigned Domain permission profile.

Pre-Defined Domain Permission Profiles

When you assign an administrator to Domain, you must also assign a Domain Permission Profile. You can assign a predefined Permission Profile or a custom Permission Profile for this administrator.

Permission Profile	Permissions
Read/Write	Read and write permissions for all Domain settings and data without session management or DLP confidential data. The Read/Write option lets the administrator see and configure an item.
Read Only	Read only permissions for all Domain data. Read Only lets the administrator see an item, but not change it.

Working with Multi-Domain Permission Profiles

Use this procedure to create or change customized Multi-Domain permission profiles. Only administrators with Superuser permissions can do this.

To create a custom permission profile:

Connect to the Multi-Domain Server with SmartConsole, and go to Permissions & Administrators > Permission Profiles.
In the Permission Profile page, click New.
Select New Multi-Domain Permission Profile.
In the New Multi-Domain Permission Profile window, select an administrator role and configure the permission settings. The next section explains the available settings and parameters.

To change an existing Multi-Domain permission profile:

Select a permission profile on the Permission Profiles page.
Click Edit and change the administrator role and permission settings as necessary.

To delete an existing Multi-Domain permission profile:

Select a permission profile on the Permission Profiles page.
Click Delete.

Multi-Domain Permission Profile Parameters

Multi-Domain Levels

Select an administrator role:

Superuser - Manage all aspects of the Multi-Domain Management environment.
Manager - Manage Domains as specified in the Permissions section of Administrator definition.
Domain Level Only - Same as Manager, but with no Multi-Domain permissions.

The selected role affects the permissions that you can configure in the next parts: Multi Domain Management, Global Management, and Domain Management. For example, Superusers always have Domain Management permissions.

Multi-Domain Management Activities

Enable or disable permissions for these activities:

MDS Provisioning - Create and manage Multi-Domain Servers and Multi-Domain Log Servers. Only superusers can select this option.
Manage All Domains - Create and manage all Domains and Global Domains. This option is enabled by default for superusers. Managers can select it.
Manage Administrators - Create and manage Multi-Domain Management administrators with the same or lower permission level. For example, a Domain manager cannot create superusers or global managers. This option is enabled automatically for superusers. Managers can select it.
Manage Sessions - Connect/disconnect Domain sessions, publish changes, and delete other administrator sessions.

Global Management Activities

All options are enabled automatically for superusers. Managers can select them.

Manage Global Assignments - Create, update and delete global assignments.
Default profile for all Global Domains - Change the default permission profile for all global Domains.
View global objects in Domains - Lets an administrator with no global objects permissions view the global objects in the domain. This option is required for valid domain management.

Domain Management

This profile defines the default Domain permissions that automatically apply when you create a new administrator account. After you create the administrator account, you can change its Domain profile as necessary.

Select a default profile from the list. This option is enabled automatically for superusers, and Managers can optionally select it.

Creating Custom Domain Permissions

Customized Domain permission profiles are a set of granular permissions for Domain level activities in SmartConsole.

To configure custom permission profiles:

In the Permission Profiles window, click New Domain Permission Profile.
The New Domain Permission Profile window opens.
Configure read/write permissions for each Software Blade, feature, resource, and the API in these categories as necessary:
- Overview - Select default or custom permission options
- Gateways - Work with Security Gateway management tasks and VSX provisioning
- Access Control - Work with Access Control rules and install Access Control Policies
- Threat Prevention - Work with Threat Prevention rules, profiles, and protections. Install Threat Prevention Policies
- Others - Work with different features not in other categories
- Monitoring and Logging - See and manage logs, monitoring features and related reports
- Events and Reports - Work with SmartEvent events, policy and reports
- Management - Manage sessions and High Availability options
To prevent administrators from working with an item, clear its option.

Notes:

You cannot prevent administrators from seeing some resources. You cannot change their options.
Some resources do not have Read or Write options. You can only select or clear them.