Access Roles
Access Role objects let you configure network access according to:
- Networks
- Users and user groups
- Computers and computer groups
- Remote Access VPN clients (supported for Security Gateways R80.10 and higher)
Identity Awareness (acronym: IDA) is a Check Point Software Blade that enforces network access and audits data based on network location, the identity of the user, and the identity of the computer. (A Software Blade is a specific security solution, or module: on a Security Gateway, each Software Blade inspects specific characteristics of the traffic; on a Management Server, each Software Blade enables different management capabilities.) After you activate the Identity Awareness Software Blade on a Security Gateway, you can create access role objects and use them in the Source and Destination columns of Access Control Policy rules.
For more information, see the R81.20 Identity Awareness Administration Guide.
Adding Access Roles
Important - Before you add Active Directory users, machines, or groups to an Access Role, make sure there is LDAP connectivity between the Security Management Server (the dedicated Check Point server that runs Check Point software to manage the objects and policies in a Check Point environment within a single management Domain; synonym: Single-Domain Security Management Server) and the AD Server that holds the management directory. The management directory is defined on the Objects Management tab in the Properties window of the LDAP Account Unit.
- In the object tree, click New > More > Users > Access Role.
  The New Access Role window opens.
- Enter a Name for the access role.
- Enter a Comment (optional).
- Select a Color for the object (optional).
- In the Networks pane, select one of these:
  - Any network
  - Specific networks - For each network, click and select the network from the list.
- In the Users pane, select one of these:
  - Any user
  - All identified users - Includes any user identified by a supported authentication method (internal users, Active Directory users, or LDAP users).
  - Specific users/groups - For each user or user group, click and select the user or the group from the list.
- In the Machines pane, select one of these:
  - Any machine
  - All identified machines - Includes machines identified by a supported authentication method (Active Directory).
  - Specific machines - For each machine, click and select the machine from the list.
- In the Remote Access Clients pane, select the clients for remote access.
- Click OK.
Identity Awareness engine automatically recognizes changes to LDAP group membership and updates identity information, including access roles.
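The same procedure can be scripted against the Check Point Management Web API instead of SmartConsole. The following is an added example, not Check Point's own code: it assumes the documented endpoints (login, add-access-role, add-access-rule, publish, logout), assumes the body layout for users and machines shown in the docstring, and uses placeholder host, credentials and object names (Finance_LAN, AD_Corp, Finance, ERP_Server).

```python
import json
import ssl
import urllib.request

# Placeholders: replace with your Management Server, API user and object names.
MGMT_HOST = "mgmt.example.internal"
API_USER, API_PASSWORD = "api_admin", "<password placeholder>"

def access_role_body(name, networks="any", users="any", machines="any", remote_access="any"):
    """Build the add-access-role body. Assumed API convention: users/machines are "any",
    "all identified", or a list of {"source": <LDAP Account Unit>, "selection": [names]}.
    A specific entry needs its source, which is why LDAP connectivity must exist first."""
    for field, value in (("users", users), ("machines", machines)):
        if isinstance(value, list):
            for entry in value:
                if not entry.get("source") or not entry.get("selection"):
                    raise ValueError(f"{field}: each entry needs 'source' and 'selection'")
    return {"name": name, "networks": networks, "users": users,
            "machines": machines, "remote-access-clients": remote_access}

def api_call(sid, command, payload):
    """POST one command to /web_api/<command> and return the parsed JSON reply."""
    headers = {"Content-Type": "application/json"}
    if sid:  # every call after login carries the session id
        headers["X-chkp-sid"] = sid
    req = urllib.request.Request(f"https://{MGMT_HOST}/web_api/{command}",
                                 data=json.dumps(payload).encode(), headers=headers, method="POST")
    ctx = ssl.create_default_context()  # assumes the server certificate is trusted
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.load(resp)

def create_role_and_rule():
    """Create an access role, then use it as the Source of a new Access Control rule."""
    sid = api_call(None, "login", {"user": API_USER, "password": API_PASSWORD})["sid"]
    try:
        role = access_role_body("Finance_Users_Internal", networks=["Finance_LAN"],
                                users=[{"source": "AD_Corp", "selection": ["Finance"]}],
                                machines="all identified")
        api_call(sid, "add-access-role", role)
        api_call(sid, "add-access-rule", {"layer": "Network", "position": "top",
                                          "name": "Finance to ERP", "source": role["name"],
                                          "destination": "ERP_Server", "action": "Accept"})
        api_call(sid, "publish", {})  # changes are not visible until published
    finally:
        api_call(sid, "logout", {})

if __name__ == "__main__":
    create_role_and_rule()
```

The rule is added to the layer named Network; adjust the layer name and position to match your policy package, and install policy afterwards as you would after editing in SmartConsole.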