Assigning Permission Profiles to Administrators

A permission profile is a predefined set of Security Management Server and SmartConsole administrative permissions that you can assign to administrators. You can assign a permission profile to more than one administrator. Only Security Management Server administrators with the Manage Administrators permission in the profile can create and manage permission profiles.

To learn about permission profiles for Multi-Domain Security Management administrators, see the R81.20 Multi-Domain Security Management Administration Guide.

Changing and Creating Permission Profiles

Administrators with Super User permissions can edit, create, or delete permission profiles.

These are the predefined, default permission profiles. You cannot change or delete the default permission profiles. You can clone them, and change the clones:

  • Read Only All - Full Read Permissions. No Write permissions.

  • Read Write All - Full Read and Write Permissions.

  • Super User - Full Read and Write Permissions, including managing administrators and sessions.

Note - Multiple administrators can log in to SmartConsole with Read-Write All permission at the same time. You cannot switch between the Read Only All and Read-Write All permission profiles. To switch mode, close the session, reconnect to SmartConsole, and in the SmartConsole login screen, select or clear the Read Only checkbox, as needed.

Configuring Customized Permissions

Configure administrator permissions for Gateways, Access Control, Threat Prevention, Others, Monitoring and Logging, Events and Reports, and Management. For each resource, define whether administrators configured with this profile can configure the feature or only see it.

Permissions:

  • Selected - The administrator has this feature.

  • Not selected - The administrator does not have this feature.

    Note - If you cannot clear a feature selection, the administrator access to it is mandatory.

Some features have Read and Write options. If the feature is selected:

  • Read - The administrator has the feature but cannot make changes.

  • Write - The administrator has the feature and can make changes.

Important - In a Permission Profile, if you select the permission VSX Provisioning (in the Gateways tab), you must also select Publish sessions without an approval (in the Management tab), because the Management Server must save changes in VSX objects immediately.

Configuring Permissions for Access Control Layers

You can simplify the management of the Access Control Policy by delegating ownership of different Layers to different administrators.

To do this, assign a permission profile to the Layer. The permission profile must have this permission: Edit Layer by the selected profiles in a layer editor.

An administrator that has a permission profile with this permission can manage the Layer.

Configuring Permissions for Access Control and Threat Prevention

In the permission profile object, select the features and the Read or Write administrator permissions for them.

  • Access Control

    To edit a Layer, a user must have permissions for all Software Blades in the Layer.

    In the Actions section:

    • Install Policy - Install the Access Control Policy on Security Gateways.

    • Application & URL Filtering Update - Download and install new packages of applications and websites, to use in access rules.

  • Threat Prevention

    In the Actions section:

    • Install Policy - Install the Threat Prevention Policy on Security Gateways.

    • IPS Update - Download and install new packages for IPS protections.
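
The rules above (the VSX Provisioning dependency, the Layer permission Edit Layer by the selected profiles in a layer editor, and the requirement for permissions on all Software Blades in a Layer) can be checked offline when reviewing delegated access. The following is an added example, not Check Point code: the dictionary layout, key names, and sample profiles are constructed, and it assumes that editing a Layer needs Write on each blade.

```python
# Key names and sample data are constructed for this example; they are not
# the Management API schema. Assumption: editing needs Write on each blade.
PROFILES = {
    "dmz-layer-owner": {"edit_layer": True,
                        "blades": {"Firewall": "write", "Application & URL Filtering": "write"}},
    "fw-only-editor": {"edit_layer": True,
                       "blades": {"Firewall": "write", "Application & URL Filtering": "read"}},
    "vsx-operator": {"edit_layer": False, "vsx_provisioning": True,
                     "publish_without_approval": False, "blades": {"Firewall": "read"}},
}
LAYERS = {
    "DMZ": {"profiles": ["dmz-layer-owner", "fw-only-editor"],
            "blades": ["Firewall", "Application & URL Filtering"]},
}

VSX_RULE = "VSX Provisioning requires 'Publish sessions without an approval'"
EDIT_RULE = "missing 'Edit Layer by the selected profiles in a layer editor'"

def profile_findings(profile):
    """Dependency from the Important note: VSX Provisioning needs direct publish."""
    if profile.get("vsx_provisioning") and not profile.get("publish_without_approval"):
        return [VSX_RULE]
    return []

def layer_edit_blockers(profile, layer):
    """Reasons why a profile assigned to a Layer still cannot edit it."""
    blockers = [] if profile.get("edit_layer") else [EDIT_RULE]
    granted = profile.get("blades", {})
    missing = [b for b in layer["blades"] if granted.get(b) != "write"]
    if missing:
        blockers.append("no Write permission for: " + ", ".join(missing))
    return blockers

def audit(profiles, layers):
    """Return profile misconfigurations plus effective and blocked Layer editors."""
    report = {"profile_findings": {}, "layer_editors": {}, "blocked": {}}
    for name, profile in profiles.items():
        if profile_findings(profile):
            report["profile_findings"][name] = profile_findings(profile)
    for lname, layer in layers.items():
        report["layer_editors"][lname], report["blocked"][lname] = [], {}
        for pname in layer["profiles"]:
            blockers = layer_edit_blockers(profiles.get(pname, {}), layer)
            if blockers:
                report["blocked"][lname][pname] = blockers
            else:
                report["layer_editors"][lname].append(pname)
    return report

if __name__ == "__main__":
    print(audit(PROFILES, LAYERS))
```

The layer_editors list is the set of profiles that can actually edit each Layer, which is the figure to compare against the intended owners during an access review.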

Configuring Permissions for Monitoring, Logging, Events, and Reports

In the Profile object, select the features and the Read or Write administrator permissions for them.

  • Monitoring and Logging Features

    These are some of the available features:

    • Monitoring

    • Management Logs

    • Track Logs

    • Application and URL Filtering Logs

  • Events and Reports Features

    These are the permissions for SmartEvent:

    • SmartEvent

      • Events - views in SmartConsole > Logs & Monitor

      • Policy - SmartEvent Policy and Settings on SmartEvent GUI.

      • Reports - in SmartConsole > Logs & Monitor

    • SmartEvent Application & URL Filtering reports only