Configuring Administrators in SmartProvisioning

From the SmartConsoleClosed Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on. Menu, select SmartProvisioningClosed Check Point Software Blade on a Management Server (the actual name is "Provisioning") that manages large-scale deployments of Check Point Security Gateways using configuration profiles. Synonyms: Large-Scale Management, SmartLSM, LSM. to define SmartProvisioning Administrators and set Administrator Collaborations.

Login administrator permissions to the SmartProvisioning Console are defined in SmartConsole or in the Check Point Configuration Tool. In SmartConsole, you can further define specific administrator permissions, such as provisioning devices with SmartProvisioning.

  1. Open SmartConsole.

  2. Go to Manage & Settings > Permissions & Administrators > Administrators.

  3. Click New or Edit an existing administrator.

    The Administrator properties window opens.

  4. Go to Permissions > Permission Profile, and from the drop-down list, select New.

    The New Profile window opens.

  5. In Overview > Permissions, select Customized.

  6. In Gateways, make sure that SmartLSM Gateways Database has Write permissions, and set other permissions.

    Option

    Write

    Read

    Cleared

    SmartLSM Gateway Database

    Add, edit, delete, assign provisioning profiles to gateways

    Assign provisioning profiles to gateways

    ProvisioningClosed Check Point Software Blade on a Management Server that manages large-scale deployments of Check Point Security Gateways using configuration profiles. Synonyms: SmartProvisioning, SmartLSM, Large-Scale Management, LSM. features are unavailable

    System Backup, System Restore and Open Shell

    Edit all gateway network settings

    View gateway network settings

    Gateway network settings are unavailable

  7. Click OK.

    The changes in permissions are applied the next time the administrator logs in.

Multiple administrators can work on the SmartProvisioning GUI client on the same Security Management ServerClosed Dedicated Check Point server that runs Check Point software to manage the objects and policies in a Check Point environment within a single management Domain. Synonym: Single-Domain Security Management Server. at the same time. To avoid configuration conflicts, every administrator has their own username, and works in a session that is independent of the other administrators.

When an administrator logs in to the SmartProvisioning GUI client, a new editing session starts. The changes made during the session are only available to that administrator. If another administrator tries to change the edited objects, this error message shows: Failed to update <object_name>. Could not access file for write operation.

To make your changes available to other administrators and for the SmartLSM and SmartProvisioning appliances, you must publish the SmartConsole session. When you publish a SmartConsole session, a new database version is created.

To be able to perform certain actions on the managed appliances, such as Push Policy or Push Settings and Actions, you are prompted to publish all unpublished changes in the current session. When the administrator performs these actions, unpublished changes from other sessions are not included.

In the SmartProvisioning toolbar, click Publish. A window opens which includes the publish date and name of administrator.

Best Practice - In this window, we recommend that you add a brief description of the changes that you made in the session. This is useful for auditing and troubleshooting purposes.

Note - When there are unpublished changes in the session, the Publish button is colored in yellow.

When a session is published, a new database version is created and shows in the list of database revisions.

For more information on the R80 session architecture, see the Check Point R80.10 Security Management Architecture Overview.