“Administrators” tab

The window for this tab is divided into 3 sections:

  • A taskbar (top): displays the various possible operations that can be performed (Add an administrator, Delete, Copy privileges etc.).
  • The list of users and user groups identified as admin (left).
  • The table of administrator privileges (right).

For the purpose of compliance with the European GDPR (General Data Protection Regulation), it is now possible to define an administrator with read and write privileges on the firewall but who cannot view private data stored in logs.

Nonetheless, the administrator in question can still request and obtain access privileges to such data by entering an authorization code given by his supervisor. This code is valid for a limited period defined at the moment of its creation.

Once the administrator's task is complete, he can release this privilege.

Possible operations

You will be able to create your table of administrators from your LDAP database as well as their respective privileges.

Adding an administrator

Administrator without any privileges

Despite its name, this type of administrator still holds the base privilege granted to every administrator, which gives access to the Dashboard and to the following modules:

License, Maintenance, Active Update, High availability and its wizard, CLI console, Network, Routing, Dynamic DNS, DHCP, DNS cache proxy, Objects, URL categories and their groups, Certificates and PKI, Authentication and its wizard, URL filtering, SSL and SMTP, Applications and protections, Inspection profiles, Antivirus, Antispam, Block messages, and Preferences.

The module Vulnerability management can only be accessed with write privileges.

Administrator with read-only access

This type of administrator has the same basic access privileges as the administrator “without privileges” with the following additional privileges: reading of SNMP logs, E-mail alerts, System events as well as reading privileges for Filtering and VPN.

Administrator with all privileges

This type of administrator has access to all modules except the Administrators and Admin account tabs in the Administrators module.

REMARK

There can only be one “superadministrator”, with the following characteristics:

  • He is the only administrator authorized to log on via the local console on Stormshield Network appliances, and only during the installation of the firewall or for maintenance operations outside of normal production use.
  • He is in charge of defining the profiles of other administrators.
  • He has full access to the premises on which the firewall appliances are stored, and all interventions are performed under his supervision.

Administrator for temporary accounts

This type of administrator can only manage temporary accounts defined on the firewall (creating, modifying and deleting).
Administrator with access to private data

Such administrators can access all logs: by clicking on Restricted access to logs, they enable the Full access to logs (private data) privilege without having to enter an access code to view private data.

Administrator without access to private data

Such administrators can access all logs that do not contain private data. To enable the Full access to logs (private data) privilege, the administrator must click on Restricted access to logs and enter the access code given to him in order to access private data.

Once you have imported your administrator, he will appear in the list “User-user group” to the left of the screen.

The following operations can be performed on this administrator.

Delete

Select the administrator to be removed from the list and click on Delete.

Move up

Moves the selected administrator one position up in the list.

Move down

Moves the selected administrator one position down in the list.

Copy privileges

Select the administrator whose privileges you wish to copy and click on this button.

Paste privileges

Select the administrator to whom you wish to assign the same privileges as the administrator from whom the privileges have been copied and click on this button.

Grant all privileges

Assigns every privilege to the selected administrator, regardless of the privileges he already held, when you click on this button.

Table of privileges

Your interface is in “simple view” by default. The table displays 5 columns, which represent 5 categories of privileges to which an administrator may or may not be affiliated: System, Network, Users, Firewall and Monitoring.

The table uses three icons, which mean:

  • All privileges in the category have been assigned.
  • None of the privileges in the category have been assigned.
  • Only some of the privileges in the category have been assigned.

By switching to “advanced view” using the corresponding icon (its position depends on the size of your screen), the table displays the detailed privileges of each category. To find out the exact privileges corresponding to each column, see the tooltip that appears when the mouse hovers over the column header.

Example

If you hover over the header of the System column, you will see the access privileges it includes, in this case “Maintenance” and “Objects”.

NOTE

Double-clicking on an icon toggles the status of the corresponding privileges (for example from “assigned” to “not assigned”). Double-clicking on the “not assigned” icon assigns the privileges, and the “assigned” icon is displayed instead.

NOTE

Any changes made to an administrator's permissions will only be applied the next time this administrator logs on. If you wish to apply a modification immediately, you will need to force the disconnection of the administrator in question (for example using the CLI command: monitor flush user).

The privileges that can be assigned in simple view are listed below. Each entry gives the name of the column, its description and the privileges it assigns.

Privileges in simple view

System
Privilege to perform maintenance operations (backups, restorations, updates, Firewall shutdown and reboot, antivirus update, modification of antivirus update frequency and RAID-related actions in the monitor) and privilege to modify the Object database.
Privileges assigned: modify, base, maintenance, object

Network
Privilege to modify filtering policy configuration and routing configuration (default route, static routes and trusted networks).
Privileges assigned: modify, base, filter, route

Users
Privilege to modify Users and PKI.
Privileges assigned: modify, base, user, pki

Firewall
Privilege to modify VPN configuration, Intrusion prevention (IPS) configuration and vulnerability management.
Privileges assigned: modify, base, vpn, asq, pvm

Monitoring
Privilege to modify configuration from Stormshield Network Realtime Monitor and log configuration.
Privileges assigned: modify, base, log, maintenance

Temporary accounts
Privilege to manage temporary accounts for the "Temporary accounts" authentication policy.
Privileges assigned: modify, base, voucher

Privileges in advanced view

Each entry gives the name of the column, its description and the privileges it assigns.

Logs (R)
Log consultation.
Privileges assigned: base, log_read

Filter (R)
Filter policy consultation.
Privileges assigned: base, filter_read

VPN (R)
VPN configuration consultation.
Privileges assigned: base, vpn_read

Access to private data (L)
Privilege to view logs containing private data.
Privileges assigned: base, log_read, report_read, privacy_read

Logs (W)
Privilege to modify log configuration.
Privileges assigned: modify, base, log

Filter (W)
Privilege to modify filter policy configuration.
Privileges assigned: modify, base, filter

VPN (W)
Privilege to modify VPN configuration.
Privileges assigned: modify, base, vpn

Management of access to private data
Privilege to create tickets for ad hoc requests for access to private data in logs.
Privileges assigned: base, log_read, modify, privacy, privacy_read, report_read

PKI
Privilege to modify PKI.
Privileges assigned: modify, base, pki

Monitoring
Privilege to modify configuration from Stormshield Network Realtime Monitor.
Privileges assigned: modify, base, mon_write

Content filtering
Privilege for URL filtering, Mail, SSL and antivirus management.
Privileges assigned: modify, base, contentfilter

Objects
Privilege to modify the Object database.
Privileges assigned: modify, base, object

Users
Privilege to modify Users.
Privileges assigned: modify, base, user

Network
Privilege to modify network configuration (interfaces, bridges, dialups, VLANs and dynamic DNS configuration).
Privileges assigned: modify, base, network

Routing
Privilege to modify routing (default route, static routes and trusted networks).
Privileges assigned: modify, base, route

Maintenance
Privilege to perform maintenance operations (backups, restorations, updates, Firewall shutdown and reboot, antivirus update, modification of antivirus update frequency and RAID-related actions in Stormshield Network Realtime Monitor).
Privileges assigned: modify, base, maintenance

Temporary accounts
Privilege to manage temporary accounts (Users > Temporary accounts module).
Privileges assigned: modify, base, voucher

Intrusion prevention
Privilege to modify Intrusion prevention (IPS) configuration.
Privileges assigned: modify, base, asq

Vulnerability manager
Privilege to modify vulnerability management configuration (Stormshield Network Vulnerability Manager).
Privileges assigned: modify, base, pvm

Objects (global)
Privilege to access global objects.
Privileges assigned: modify, base, globalobject

Filter (global)
Privilege to access the global filter policy.
Privileges assigned: modify, base, globalfilter
Activity Reports (R)
Privilege to access Stormshield Network Activity Reports.
Privileges assigned: base, report_read

Activity Reports (W)
Privilege to modify Stormshield Network Activity Reports.
Privileges assigned: modify, base, report, report_read

The base privilege is assigned to all users systematically. This privilege allows reading the whole configuration except filtering, VPN, logs and content filtering.

The modify privilege is assigned to users who have write privileges.

The user who has logged on as admin will obtain the admin privilege. This is the only privilege that allows giving other users administration privileges or removing them.
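The following script is an added example, not Stormshield code or part of the original page. It models the privilege tables above as sets so that an administrator's assignments can be audited offline: it applies the two rules just stated (base is always present, modify accompanies any write privilege), derives the simple-view icon state for each category, and classifies what each administrator can do with logs containing private data (full access without a code, restricted access requiring a supervisor code, or no log access). The privilege sets are copied from the page's tables; the treatment of base and modify as implicit when computing the icon state, the ADVANCED_VIEW subset, and the sample administrators are this example's assumptions.

```python
"""Offline model of the SNS administrator privilege tables (added example,
not Stormshield code). Privilege sets come from the page's tables; the
icon-state rule and the sample administrators are assumptions."""

from typing import Dict, FrozenSet, Iterable

# Simple view: category -> privileges listed for it on the page.
SIMPLE_VIEW: Dict[str, FrozenSet[str]] = {
    "System": frozenset({"modify", "base", "maintenance", "object"}),
    "Network": frozenset({"modify", "base", "filter", "route"}),
    "Users": frozenset({"modify", "base", "user", "pki"}),
    "Firewall": frozenset({"modify", "base", "vpn", "asq", "pvm"}),
    "Monitoring": frozenset({"modify", "base", "log", "maintenance"}),
    "Temporary accounts": frozenset({"modify", "base", "voucher"}),
}

# Advanced view: a subset of the page's rows (the read rows, the two privacy
# rows and a few write rows); the remaining rows are added the same way.
ADVANCED_VIEW: Dict[str, FrozenSet[str]] = {
    "Logs (R)": frozenset({"base", "log_read"}),
    "Filter (R)": frozenset({"base", "filter_read"}),
    "VPN (R)": frozenset({"base", "vpn_read"}),
    "Access to private data (L)": frozenset(
        {"base", "log_read", "report_read", "privacy_read"}),
    "Management of access to private data": frozenset(
        {"base", "log_read", "modify", "privacy", "privacy_read", "report_read"}),
    "Logs (W)": frozenset({"modify", "base", "log"}),
    "Filter (W)": frozenset({"modify", "base", "filter"}),
    "VPN (W)": frozenset({"modify", "base", "vpn"}),
    "Maintenance": frozenset({"modify", "base", "maintenance"}),
    "Objects": frozenset({"modify", "base", "object"}),
    "Activity Reports (R)": frozenset({"base", "report_read"}),
    "Activity Reports (W)": frozenset({"modify", "base", "report", "report_read"}),
}

# Privileges the table assigns without 'modify' (the read-only rows).
READ_ONLY = frozenset({"base", "log_read", "filter_read", "vpn_read",
                       "report_read", "privacy_read"})
IMPLICIT = frozenset({"base", "modify"})


def normalize(privs: Iterable[str]) -> FrozenSet[str]:
    """Apply the page's two rules: 'base' is always assigned, and 'modify'
    accompanies any write privilege."""
    s = set(privs) | {"base"}
    if s - READ_ONLY:
        s.add("modify")
    return frozenset(s)


def simple_view_state(privs: FrozenSet[str], category: str) -> str:
    """Return 'all', 'some' or 'none' for the simple-view icon of a category.
    Assumption: 'base' and 'modify' are not counted, so a read-only
    administrator shows 'none' everywhere rather than 'some'."""
    needed = SIMPLE_VIEW[category] - IMPLICIT
    have = needed & privs
    if have == needed:
        return "all"
    return "some" if have else "none"


def log_access_mode(privs: FrozenSet[str]) -> str:
    """full: can enable 'Full access to logs (private data)' without a code;
    restricted: sees logs without private data and needs a supervisor code;
    none: no log consultation privilege at all."""
    if "privacy_read" in privs:
        return "full"
    if "log_read" in privs:
        return "restricted"
    return "none"


def can_issue_access_code(privs: FrozenSet[str]) -> bool:
    """'privacy' is the privilege of the 'Management of access to private
    data' row, i.e. the supervisor who creates access tickets."""
    return "privacy" in privs


def grant_all() -> FrozenSet[str]:
    """Union of every row: what 'Grant all privileges' yields in this model."""
    out: set = set()
    for row in ADVANCED_VIEW.values():
        out |= row
    return frozenset(out)


def audit(admins: Dict[str, Iterable[str]]) -> Dict[str, dict]:
    """Summarise each administrator for a privacy / least-privilege review."""
    report = {}
    for name, raw in admins.items():
        p = normalize(raw)
        report[name] = {
            "logs": log_access_mode(p),
            "can_issue_code": can_issue_access_code(p),
            "simple_view": {c: simple_view_state(p, c) for c in SIMPLE_VIEW},
        }
    return report


# Constructed sample administrators (not from the page).
SAMPLE_ADMINS = {
    "ro-auditor": {"log_read", "filter_read", "vpn_read"},
    "net-ops": {"filter", "route", "log_read"},
    "dpo": ADVANCED_VIEW["Management of access to private data"],
}

if __name__ == "__main__":
    for who, r in audit(SAMPLE_ADMINS).items():
        print(who, r["logs"], r["can_issue_code"], r["simple_view"])
```

Running the script shows that "net-ops" holds the full Network category yet only restricted log access, while only "dpo" can both read private data and issue access codes; an audit of a real administrator list would flag any account whose logs mode is "full" without a documented reason, since such an account bypasses the supervisor-code workflow described above.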