Assigning Permission Profiles to Administrators

A permission profile is a predefined set of Security Management Server and SmartConsole administrative permissions that you can assign to administrators. You can assign a permission profile to more than one administrator. Only Security Management Server administrators with the Manage Administrators permission in the profile can create and manage permission profiles.

To learn about permission profiles for Multi-Domain Security Management administrators, see the R81.20 Multi-Domain Security Management Administration Guide.

Changing and Creating Permission Profiles

Administrators with Super User permissions can edit, create, or delete permission profiles.

These are the predefined, default permission profiles. You cannot change or delete the default permission profiles. You can clone them, and change the clones:

  • Read Only All - Full Read Permissions. No Write permissions.

  • Read Write All - Full Read and Write Permissions.

  • Super User - Full Read and Write Permissions, including managing administrators and sessions.

Note - Multiple administrators can log in to SmartConsole with Read Write All permission at the same time. You cannot switch between the Read Only All and Read Write All permission profiles within a session. To switch mode, close the session, reconnect to SmartConsole, and in the SmartConsole login screen, select or clear the Read Only checkbox, as needed.

Configuring Customized Permissions

Configure administrator permissions for Gateways, Access Control, Threat Prevention, Others, Monitoring and Logging, Events and Reports, Management. For each resource, define if administrators that are configured with this profile can configure the feature or only see it.

Permissions:

  • Selected - The administrator has this feature.

  • Not selected - The administrator does not have this feature.

    Note - If you cannot clear a feature selection, the administrator access to it is mandatory.

Some features have Read and Write options. If the feature is selected:

  • Read - The administrator has the feature but cannot make changes.

  • Write - The administrator has the feature and can make changes.

Important - In a Permission Profile, if you select the permission VSX Provisioning (in the Gateways tab), you must also select Publish sessions without an approval (in the Management tab), because the Management Server must save changes in VSX objects immediately.

Configuring Permissions for Access Control Layers

You can simplify the management of the Access Control Policy by delegating ownership of different Layers to different administrators.

To do this, assign a permission profile to the Layer. The permission profile must have this permission: Edit Layer by the selected profiles in a layer editor.

An administrator that has a permission profile with this permission can manage the Layer.

Configuring Permissions for Access Control and Threat Prevention

In the permission profile object, select the features and the Read or Write administrator permissions for them.

Configuring Permissions for Monitoring, Logging, Events, and Reports

In the Profile object, select the features and the Read or Write administrator permissions for them.

  • Monitoring and Logging Features

    These are some of the available features:

    • Monitoring

    • Management Logs

    • Track Logs

    • Application and URL Filtering Logs

  • Events and Reports Features

    These are the permissions for SmartEvent:

    • SmartEvent

      • Events - views in SmartConsole > Logs & Monitor

      • Policy - SmartEvent Policy and Settings on SmartEvent GUI.

      • Reports - in SmartConsole > Logs & Monitor

    • SmartEvent Application & URL Filtering reports only