Working with Permission Profiles

1. Connect to the Multi-Domain Server Dedicated Check Point server that runs Check Point software to host virtual Security Management Servers called Domain Management Servers. Synonym: Multi-Domain Security Management Server. Acronym: MDS. with SmartConsole Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on., and go to Permissions & Administrators > Permission Profiles.

2. In the Permission Profile page, click New.

3. Select New Multi-Domain Permission Profile.

4. In the New Multi-Domain Permission Profile window, select an administrator role and configure the permission settings. The next section explains the available settings and parameters.

1. Select a permission profile on the Permission Profiles page.

2. Click Edit and change the administrator role and permission settings as necessary.

1. Select a permission profile on the Permission Profiles page.

2. Click Delete.

Select an administrator role:

• Superuser - Manage all aspects of the Multi-Domain Security Management environment.

• Manager - Manage Domains as specified in the Permissions section of Administrator definition.

• Domain Level Only - Same as Manager, but with no Multi-Domain permissions..

The selected role affects the permissions that you can configure in the next parts: Multi Domain Management, Global Management, and Domain Management. For example, Superusers always have Domain Management permissions.

Enable or disable permissions for these activities:

• MDS Provisioning - Create and manage Multi-Domain Servers and Multi-Domain Log Servers. Only Superusers can select this option.

• Manage All Domains - Create and manage all Domains and Global Domains. This option is enabled by default for Superusers. Managers can select it.

• Manage Administrators - Create and manage Multi-Domain Security Management administrators with the same or lower permission level. For example, a Domain manager cannot create Superusers or global managers. This option is enabled automatically for Superusers. Managers can select it.

• Manage Sessions - Connect/disconnect Domain sessions, publish changes, and delete other administrator sessions.

• Management API login - Lets an administrator log in to the Security Management Server Dedicated Check Point server that runs Check Point software to manage the objects and policies in a Check Point environment within a single management Domain. Synonym: Single-Domain Security Management Server. and run API commands using these tools

  • mgmt_cli (Linux and Windows binaries)

  • Gaia CLI (Gaia Clish The name of the default command line shell in Check Point Gaia operating system. This is a restricted shell (role-based administration controls the number of commands available in the shell).)

  • Web Services (REST)

• Global VPN Management - Lets the administrator select Enable global use for a Security Gateway Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. shown in the MDS Gateways & Servers view. (To see the option, right-click on the Security Gateway object).

All options are enabled automatically for Superusers. Managers can select them.

• Manage Global Assignments - Create, update and delete global assignments.

• Default profile for all Global Domains - Change the default permission profile for all global Domains.

• View global objects in Domains - Lets an administrator with no global objects permissions view the global objects in the domain. This option is required for valid domain management.

This profile defines the default Domain permissions that automatically apply when you create a new administrator account. After you create the administrator account, you can change its Domain profile as necessary.

Select a default profile from the list. This option is enabled automatically for Superusers, and Managers can optionally select it.