Administrator Permission Profiles

You can give an administrator permissions for:

To define an administrator with these permissions:

  1. Define an administrator or an administrator group.
  2. Define a Permission Profile with the required permissions in SmartConsole (Manage & Settings > Permission Profiles).
  3. Assign that profile to the administrator or to the administrator group.

Creating an Administrator

To Create an Administrator

  1. In SmartConsole, open Manage & Settings.
  2. Click Administrators.
  3. Click New Administrator.

    The New Administrator window opens.

  4. Enter a name for the administrator.
  5. Select an Authentication method.
  6. In the Permission Profiles area, select a permission profile, or click New and create a permission profile.
  7. In a new profile, in the Overview tab, configure Permissions. If you select Customized, you can select these options for the features:
    • Not selected - The administrator cannot see the feature.

      Note - If you cannot clear a resource selection, the administrator's access to it is mandatory, and you cannot make it invisible.

    • Selected - The administrator can see the feature.
    • Read - The administrator can see the feature but cannot change it.
    • Write - The administrator can see and change the feature.

    Some resources do not have the Read or Write option. You can only select (for full permissions) or clear (for no permissions) these resources.

  8. Optional: In the Expiration area, define an expiration date for the administrator account.
  9. Optional: On the left side of the window:
    1. Click Additional.
    2. Enter the personal information (email, phone number) for the administrator.
  10. Click OK.

Configuring Permissions for Monitoring, Logging, Events, and Reports

In the Profile object, select the features and the Read or Write administrator permissions for them.

Monitoring and Logging Features

These are some of the available features:

Events and Reports Features

These are the permissions for SmartEvent:

Multi-Domain Security Management

In Multi-Domain Security Management, each Event and Report is related to a Domain. Administrators can see events for Domains according to their permissions.

A Multi-Domain Security Management Policy administrator can be:

Locally Managing the Administrator

If you do not want to centrally manage administrators, and you use the local administrator defined for the SmartEvent Server, run this CLI command on the SmartEvent Server:

cpprod_util CPPROD_SetValue FW1 REMOTE_LOGIN 4 1 1

SmartEvent Reports-Only Permission Profile

You can define a special permission profile for administrators who only see and generate SmartEvent reports. With this permission profile, administrators can open SmartConsole, but in the Logs & Monitor view they can see only Reports. They cannot access other security information in SmartEvent. You can configure this permission profile to apply to the Application & URL Filtering blade only, or to all blades.

To create a SmartEvent reports-only permission profile:

  1. In SmartConsole, click Manage & Settings > Permission Profiles.
  2. In the Permission Profiles page, select a permission profile, or click the New button and create a permission profile.
  3. Select Customized.
  4. On the Events and Reports page, select SmartEvent Reports.
  5. Clear all other options.
  6. On the Access Control, Threat Prevention, and Others pages, clear all options.
  7. On the Monitoring and Logging page, select all features, with Write permissions.
  8. Click OK.

    The profile shows in the Permission Profiles page.

  9. Assign the SmartEvent Reports Only permission profile to administrators.
  10. Publish the changes.
  11. Install the policy.

SmartView Access List for Administrators

You can restrict administrators who have SmartEvent access permissions with an access list based on IP address, network, or host name.

This list is a subset of the GUI clients' access configuration as defined on the relevant Security Management Server or Multi-Domain Security Management. Administrators that are not configured as part of the GUI clients list cannot access SmartEvent, even if they are defined in the access list.

Note - The access list feature is not supported in a standalone configuration with MultiPortal.

To configure the access list:

  1. On the SmartEvent machine, create a file named access_list under $RTDIR/smartview/conf.
  2. Enter the list of granted clients, one entry per line.
  3. These are the supported types:
    • Specific IP address (e.g. 192.168.0.10)
    • IP range (e.g. 192.168.0.10-192.168.0.20)
    • Network (e.g. 192.168.0.0/255.255.255.0)
    • IP address wildcard (e.g. 192.168.0.*)
    • Hostnames (e.g. ADMIN-PC)
  4. Restart SmartView:
    • $RTDIR/scripts/stopSmartView
    • $RTDIR/scripts/startSmartView
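
A check to run on the access_list file before restarting SmartView, as an added example that is not Check Point code: it classifies each line into one of the five supported entry types listed above and reports lines that are malformed or that cover a very large address space. The hostname pattern and the 256-address threshold are assumptions of this example, and it does not reproduce how SmartView itself parses the file.

```python
import ipaddress
import re

# Hostname syntax is an assumption; the page only shows "ADMIN-PC" as a sample.
HOST_RE = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9.-]{0,251}[A-Za-z0-9])?$")

def _ip(text):
    try:
        return ipaddress.IPv4Address(text)
    except ValueError:
        return None

def classify(entry):
    """Return (kind, address_count) for one access_list line, or raise ValueError."""
    e = entry.strip()
    if "/" in e:  # network, e.g. 192.168.0.0/255.255.255.0
        return "network", ipaddress.IPv4Network(e, strict=False).num_addresses
    if "*" in e:  # wildcard, e.g. 192.168.0.*
        octets = e.split(".")
        if len(octets) != 4 or not all(
                o == "*" or (o.isdigit() and int(o) < 256) for o in octets):
            raise ValueError("bad wildcard")
        return "wildcard", 256 ** octets.count("*")
    lo, sep, hi = e.partition("-")
    if sep and _ip(lo) and _ip(hi):  # range; hyphenated hostnames fall through
        if _ip(lo) > _ip(hi):
            raise ValueError("range start is after range end")
        return "range", int(_ip(hi)) - int(_ip(lo)) + 1
    if _ip(e):
        return "ip", 1
    if HOST_RE.match(e) and any(c.isalpha() for c in e):
        return "hostname", None
    raise ValueError("not one of the five supported entry types")

def lint(text, max_addresses=256):  # threshold is an arbitrary example value
    """Return [(line_no, entry, problem)] for malformed or overly broad lines."""
    findings = []
    for no, entry in enumerate(text.splitlines(), 1):
        try:
            kind, count = classify(entry)
        except ValueError as exc:
            findings.append((no, entry.strip(), f"malformed: {exc}"))
            continue
        if count is not None and count > max_addresses:
            findings.append((no, entry.strip(), f"{kind} covers {count} addresses"))
    return findings

# Constructed sample entries (not from a real deployment).
SAMPLE = ("192.168.0.10\n192.168.0.10-192.168.0.20\n192.168.0.0/255.255.255.0\n"
          "192.168.0.*\nADMIN-PC\n192.168.0.300\n10.0.0.0/255.0.0.0\n")
```

Call lint() on the file contents and review every finding before you restart SmartView. A mistyped entry may lock out the intended client, and a broad one grants more clients than intended.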