IMPORTANT
SNS 3.x versions reached End of Maintenance on July 1st, 2024.
We recommend that you update your SNS firewalls to a version still under maintenance to guarantee the protection of your infrastructure.
Administrators tab
The window for this tab is divided into 3 sections:
- A taskbar (top): displays the various possible operations that can be performed (Add an administrator, Delete, Copy privileges etc.).
- The list of users and user groups identified as admin (left).
- The grid of administrator privileges (right).
For the purpose of compliance with the European GDPR (General Data Protection Regulation), it is now possible to define an administrator with read and write privileges on the firewall but who cannot view private data stored in logs.
Nonetheless, the administrator in question can still request and obtain access privileges to such data by entering an authorization code given by his supervisor. This code is valid for a limited period defined at the moment of its creation.
Once the administrator's task is complete, this privilege can be released.
Interactive features
Some operations listed in the section "Possible operations" can be performed by right-clicking on the grid of administrators:
- Add an administrator,
- Delete (an administrator),
- Copy privileges,
- Paste privileges,
- Grant all privileges.
Possible operations
You can build your table of administrators from your LDAP database and define their respective privileges.
Adding an administrator
Administrator type | Description |
Administrator without any privileges | This type of administrator has all the basic privileges such as access to the Dashboard and to the following modules: The module Vulnerability management can only be accessed with write privileges. |
Administrator with read-only access | This type of administrator has the same basic access privileges as the administrator "without privileges" with the following additional privileges: reading of SNMP logs, E-mail alerts, System events as well as reading privileges for Filtering and VPN. |
Administrator with all privileges | This type of administrator has access to all modules except the Administrators and Admin account tabs in the Administrators module. NOTE: There can only be one "superadministrator" with the following characteristics: |
Administrator for temporary accounts | This type of administrator can only manage temporary accounts defined on the firewall (creating, modifying and deleting). |
Administrator with access to private data | This type of administrator can access all logs by clicking on Restricted access to logs in order to enable the Full access to logs (private data) privilege without having to enter an access code to view private data. |
Administrator without access to private data | Such administrators can access all logs that do not contain private data. To enable the Full access to logs (private data) privilege, they must click on Restricted access to logs and enter the access code given to them in order to access private data. |
Once you have imported your administrator, they will appear in the list “User-user group” to the left of the screen.
The following operations can be performed on this administrator.
Operation | Description |
Delete | Select the administrator to be removed from the list and click on Delete. |
Move up | Places the administrator above the previous administrator in the list. |
Move down | Places the administrator below the following administrator in the list. |
Copy privileges | Select the administrator whose privileges you wish to copy and click on this button. |
Paste privileges | Select the administrator to whom you wish to assign the same privileges as the administrator from whom the privileges have been copied and click on this button. |
Grant all privileges | Clicking on this button assigns all privileges to the selected administrator, regardless of the privileges currently assigned. |
Table of privileges
Your interface is in “simple view” by default. The table displays 5 columns, which represent 5 categories of privileges to which an administrator may or may not be affiliated: System, Network, Users, Firewall and Monitoring.
The icons in the table mean:
- (icon): All privileges have been assigned.
- (icon): No privileges have been assigned.
- (icon): Some of the privileges have been assigned.
By switching to "advanced view" using the icon shown (which one is displayed depends on the size of your screen), the table will display the details of the privileges by category. To find out the exact privileges corresponding to each column, see the bubble that appears when the mouse passes over each column header.
EXAMPLE
If you are at the top of the System column, you will see the access privileges it includes, in this case, “Maintenance” and “Objects”.
- Double-clicking on the displayed icons changes the status of the privileges (from "assigned" to "not assigned", for example). Double-clicking on the "not assigned" icon assigns the privileges, and the "assigned" icon is displayed instead.
- Any changes made to an administrator's permissions will only be applied the next time this administrator logs on. If you wish to apply a modification immediately, you will need to force the disconnection of the administrator in question (for example using the CLI command: monitor flush user).
The list of privileges that can be assigned in simple view is:
Privileges in simple view
Name | Description | Privileges assigned |
System | Permissions to perform maintenance operations (backups, restorations, updates, firewall shutdown and reboot, antivirus update, modification of antivirus update frequency and RAID-related actions in Stormshield Network Real-Time Monitor). Permission to modify the object database. | modify, base, maintenance, object |
Network | Permission to modify filter policy configuration and routing configuration (default route, static routes and trusted networks) | modify, base, filter, route |
Users | Permission to modify users and PKI | modify, base, user, pki |
Firewall | Permission to modify VPN configuration, intrusion prevention (IPS) configuration and vulnerability management | modify, base, vpn, asq, pvm |
Monitoring | Permission to modify logs and configuration from Stormshield Network Real-Time Monitor | modify, base, log, maintenance |
Temporary accounts | Permission to manage temporary accounts for the "Temporary accounts" authentication policy | modify, base, voucher |
Privileges in advanced view
Name | Description | Privileges assigned |
Logs (R) | Reading logs | base, log_read |
Filter (R) | Filter policy consultation | base, filter_read |
VPN (R) | VPN configuration consultation | base, vpn_read |
Access to private data (L) | Permission to view logs containing private data | base, log_read, report_read, privacy_read |
Logs (W) | Permission to modify log configuration | modify, base, log |
Filter (W) | Permission to modify filter policy configuration | modify, base, filter |
VPN (W) | Permission to modify VPN configuration | modify, base, vpn |
Management of access to private data | Permission to create tickets for ad hoc requests for access to private data in logs. | base, log_read, modify, privacy, privacy_read, report_read |
PKI | Permission to modify PKI | modify, base, pki |
Monitoring | Permission to modify the configuration from Stormshield Network Real-Time Monitor | modify, base, mon_write |
Content filtering | Permission for URL filtering, Mail, SSL and antivirus management | modify, base, contentfilter |
Objects | Permission to modify the object database | modify, base, object |
Users | Permission to modify users | modify, base, user |
Network | Permission to modify network configuration (interfaces, bridges, dialups, VLANs and dynamic DNS configuration) | modify, base, network |
Routing | Permission to modify routing (default route, static routes and trusted networks) | modify, base, route |
Maintenance | Permission to perform maintenance operations (backups, restorations, updates, firewall shutdown and reboot, antivirus update, modification of antivirus update frequency, high availability configuration and RAID-related operations in Real-Time Monitor) | modify, base, maintenance |
Temporary accounts | Permission to manage temporary accounts (Users > Temporary accounts module) | modify, base, voucher |
Intrusion prevention | Permission to modify Intrusion prevention (IPS) configuration | modify, base, asq |
Vulnerability management | Permission to modify vulnerability management configuration (Stormshield Network Vulnerability Manager) | modify, base, pvm |
Objects (global) | Permission to access global objects | modify, base, globalobject |
Filter (global) | Permission to access the global filter policy | modify, base, globalfilter |
Activity Reports (W) | Permission to modify Stormshield Network Activity Reports | base, report_read |
Activity Reports (R) | Permission to access Stormshield Network Activity Reports | modify, base, report, report_read |
Access to TPM | When the firewall is equipped with a TPM (Trusted Platform Module), this permission makes it possible to initialize the TPM and perform operations on data protected by the TPM (private keys in firewall certificates). | modify, base, tpm |
The base privilege is assigned to all users systematically. With this privilege, the administrator can read the whole configuration except filtering, VPN, logs and content filtering.
The modify privilege is assigned to users who have write privileges.
The user logged in as admin will obtain the admin privilege. This is the only privilege that lets the administrator add or remove administration privileges for other users.
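As an added example (not Stormshield's own code), the following script models the simple-view columns from the table above and the rules just stated about base and modify: it derives the icon state (all / none / partial) each column would show for an administrator's token set, and flags grants a reviewer of the administrator list would want to look at (access to private data, the admin privilege, write tokens without modify). The token sets are copied from the page; the functions and the audit wording are assumptions of this example.

```python
from enum import Enum

SIMPLE_VIEW = {
    "System": {"modify", "base", "maintenance", "object"},
    "Network": {"modify", "base", "filter", "route"},
    "Users": {"modify", "base", "user", "pki"},
    "Firewall": {"modify", "base", "vpn", "asq", "pvm"},
    "Monitoring": {"modify", "base", "log", "maintenance"},
    "Temporary accounts": {"modify", "base", "voucher"},
}
# base is held by everyone and modify by every writer; neither says anything about one column.
GENERIC = {"base", "modify"}

class State(Enum):
    ALL = "all"          # every privilege of the column is assigned
    NONE = "none"        # no column-specific privilege is assigned
    PARTIAL = "partial"  # some, but not all, are assigned

def normalize(tokens):
    """base is assigned to all administrators systematically; add it if missing."""
    return set(tokens) | {"base"}

def column_state(granted, column):
    required = SIMPLE_VIEW[column]
    held = required & normalize(granted)
    if held == required:
        return State.ALL
    if held <= GENERIC:
        return State.NONE
    return State.PARTIAL

def simple_view(granted):
    """Icon state of each simple-view column for one administrator."""
    return {col: column_state(granted, col) for col in SIMPLE_VIEW}

def audit(granted):
    """Findings a reviewer of the administrator list would want flagged (assumed wording)."""
    g = normalize(granted)
    findings = []
    if "privacy_read" in g:
        findings.append("can view private data in logs")
    if "admin" in g:
        findings.append("holds admin: can change other administrators' privileges")
    # Every write row in the tables carries modify; a write token without it is inconsistent.
    write = {t for t in g if t not in GENERIC | {"admin"} and not t.endswith("_read")}
    if write and "modify" not in g:
        findings.append("write tokens without modify: " + ", ".join(sorted(write)))
    return findings
```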