Assigning Permission Profiles to Administrators
A permission profile is a predefined set of Security Management Server Dedicated Check Point server that runs Check Point software to manage the objects and policies in a Check Point environment within a single management Domain. Synonym: Single-Domain Security Management Server. and SmartConsole Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on. administrative permissions that you can assign to administrators. You can assign a permission profile to more than one administrator. Only Security Management Server Check Point Single-Domain Security Management Server or a Multi-Domain Security Management Server. administrators with the Manage Administrators permission in the profile can create and manage permission profiles.
To learn about permission profiles for Multi-Domain Security Management administrators, see the R81.20 Multi-Domain Security Management Administration Guide.
Changing and Creating Permission Profiles
Administrators with Super User permissions can edit, create, or delete permission profiles.
These are the predefined, default permission profiles. You cannot change or delete the default permission profiles. You can clone them, and change the clones:
-
Read Only All - Full Read Permissions. No Write permissions.
-
Read Write All - Full Read and Write Permissions.
-
Super User - Full Read and Write Permissions, including managing administrators and sessions.
|
Note - Multiple administrators can log in to SmartConsole with Read-Write All permission at the same time. You cannot switch between the Read Only All and Read-Write All permission profiles. To switch mode, close the session, reconnect to SmartConsole, and in the SmartConsole login screen, select or clear the Read Only checkbox, as needed. |
-
Click Manage & Settings > Permissions & Administrators.
-
Double-click the administrator account.
The Administrators properties window opens.
-
In the Permissions section, select another Permission Profile from the list.
-
Click OK.
-
In SmartConsole, go to Manage & Settings > Permissions & Administrators > Permission Profiles.
-
Double-click the profile to change.
-
In the Profile configuration window that opens change the settings as needed.
-
Click Close.
-
In SmartConsole, go to Manage & Settings > Permissions & Administrators > Permission Profiles.
-
Click New Profile.
The New Profile window opens.
-
Enter a unique name for the profile.
-
Select a profile type:
-
Read/Write All - Administrators can make changes to all features
-
Auditor (Read Only All) - Administrators can see all information but cannot make changes
-
Customized - Configure custom settings (see Configuring Customized Permissions).
-
-
Click OK.
-
In SmartConsole, go to Manage & Settings > Permissions & Administrators > Permission Profiles.
-
Select a profile and click Delete.
You cannot delete a profile that is assigned to an administrator. To see which administrators use a profile, in the error message, click Where Used.
If the profile is not assigned to administrators, a confirmation window opens.
-
Click Yes to confirm.
Configuring Customized Permissions
Configure administrator permissions for Gateways, Access Control, Threat Prevention, Others, Monitoring and Logging, Events and Reports, Management. For each resource, define if administrators that are configured with this profile can configure the feature or only see it.
Permissions:
-
Selected - The administrator has this feature.
-
Not selected - The administrator does not have this feature.
Note - If you cannot clear a feature selection, the administrator access to it is mandatory.
Some features have Read and Write options. If the feature is selected:
-
Read - The administrator has the feature but cannot make changes.
-
Write - The administrator has the feature and can make changes.
-
In the Profile object, in the Overview > Permissions section, select Customized.
-
Configure permissions in these pages of the Profile object:
-
Gateways -Configure the Provisioning and the Scripts permissions.
-
Access Control - Configure Access Control Policy permissions (see Configuring Permissions for Access Control and Threat Prevention).
-
Threat Prevention - Configure Threat Prevention Policy permissions (see Configuring Permissions for Access Control and Threat Prevention).
-
Others - Configure permissions for Common Objects, user databases, HTTPS Inspection features, and Client Certificates.
-
Monitoring and Logging - Configure permissions to generate and see logs and to use monitoring features (see Configuring Permissions for Monitoring, Logging, Events, and Reports).
-
Events and Reports - Configure permissions for SmartEvent features (see Configuring Permissions for Monitoring, Logging, Events, and Reports).
-
-
In the Management section, configure this profile with permissions to:
-
Manage Administrators -Manage other administrator accounts.
-
Manage Sessions -Lets the administrator configure the session management settings (single or multiple sessions)
-
High Availability Operations -Configure and work with High Availability.
-
Management API Login - Permission to log in to the Security Management Server and run API commands using these tools:
-
mgmt_cli (Linux and Windows binaries)
-
Web Services (REST)
Useful if you want to prevent administrators from running automatic scripts on the Management Servers.
Note - This permission is not required to run commands from within the API terminal in SmartConsole.
-
-
Cloud Management Extension (CME) API - The permission for using CME API.
-
Publish sessions without an approval - If not selected, any change made to a session requires an approval.
-
Approve/reject other sessions - If selected, the administrator has permission to approve changes made by other administrators.
-
Manage integration with Cloud Services - If selected, the administrator has permission to connect to the Infinity Portal through the Cloud Services view in SmartConsole.
-
-
Click OK.
|
Important - In a Permission Profile Predefined group of SmartConsole access permissions assigned to Domains and administrators. With this feature you can configure complex permissions for many administrators with one definition., if you select the permission VSX Provisioning (in the Gateways tab), you must also select Publish sessions without an approval (in the Management tab), because the Management Server must save changes in VSX Virtual System Extension. Check Point virtual networking solution, hosted on a computer or cluster with virtual abstractions of Check Point Security Gateways and other network devices. These Virtual Devices provide the same functionality as their physical counterparts. objects immediately. |
Configuring Permissions for Access Control Layers
You can simplify the management of the Access Control Policy by delegating ownership of different Layers to different administrators.
To do this, assign a permission profile to the Layer. The permission Profile must have this permission: Edit Layer by the selected profiles in a layer editor.
An administrator that has a permission profile with this permission can manage the Layer.
-
Give Layer permissions to an administrator profile.
-
Assign the permission profile to the Layer.
To give Layer permissions to an administrator profile
-
In the Profile object, in the Access Control > Policy section, select Edit Layer by the selected profiles in a layer editor.
-
Click OK.
To assign a permission profile to a Layer
-
In SmartConsole, click > Manage policies and layers.
-
In the left pane, click Layers.
-
Select a Layer.
-
Click Edit.
-
In the left pane, select Permissions.
-
Click +
-
Select a profile with Layer permissions.
-
Click OK.
-
Click Close.
-
Publish the SmartConsole session.
Configuring Permissions for Access Control and Threat Prevention
In the permission profile object, select the features and the Read or Write administrator permissions for them.
-
Access Control
To edit a Layer, a user must have permissions for all Software Blades in the Layer.
In the Actions section:
-
Install Policy - Install the Access Control Policy on Security Gateways.
-
Application & URL Filtering Update - Download and install new packages of applications and websites, to use in access rules.
-
-
Threat Prevention
In the Actions section:
-
Install Policy - Install the Threat Prevention Policy on Security Gateways.
-
IPS Update -Download and install new packages for IPS Check Point Software Blade on a Security Gateway that inspects and analyzes packets and data for numerous types of risks (Intrusion Prevention System). protections.
-
Configuring Permissions for Monitoring, Logging, Events, and Reports
In the Profile object, select the features and the Read or Write administrator permissions for them.
-
Monitoring and Logging Features
These are some of the available features:
-
Monitoring
-
Management Logs
-
Track Logs
-
Application and URL Filtering Logs
-
-
Events and Reports Features
These are the permissions for SmartEvent:
-
SmartEvent
-
Events - views in SmartConsole > Logs & Monitor
-
Policy - SmartEvent Policy and Settings on SmartEvent GUI.
-
Reports - in SmartConsole > Logs & Monitor
-
-
SmartEvent Application & URL Filtering reports only
-