Topics on this page
Manage role-based access control for common objects
When you set up access control for your policies, all common objects of the same type share the same access. This can cause problems when common objects have their child objects split across different groups and users, but their access is shared. For example, this can be a malware scan configuration that uses the child object's directory, file extension, or file lists, or can be a policy that uses malware scan configs. This shared access can create issues if users modify objects that they can access but technically belong to a different group.
Role-based access control (RBAC) for common objects allows your administrator to control the access scope of each role for the following common objects:
- Malware scan configurations
- Directory lists
- File extension lists
- File lists
For roles with access to Selected Objects, you can allow view-only permissions for other objects. This allows roles without view-only permissions to have full or custom access to specific objects, but retain view-only access for the rest. It also ensures that edit access to a specific object belongs only to the role that requires it.
Permissions applied to an object also apply to other objects of the same type.
Configure access scope for roles
To set up access scope, you need to have administrative rights.
- Go to the Administration page.
- In the left pane, go to User Management > Roles.
- Select the role.
- Select the Common Object Rights tab.
- Click the down arrow to select the appropriate common object.
-
To restrict access to specific groups:
By default, the permission is set to All, allowing all users to access all objects.
- Select Selected Objects.
- Select the objects.
- Select the rights from the list.
- To allow users to have view-only rights to the unselected objects, make a selection.
Roles' access to granted objects
The logged-in role can see items if any of the following conditions apply:
- Directly assigned via the role's access scope. Permission: What is set for that role.
- View-only for non-selected. Permission: View-Only.
- Used by accessible objects. Permission: View-Only(Granted).
- Used by parent policies of accessible policies. Permission: View-Only(Granted).
Roles' use of granted objects
The logged-in role can use items if any of the following conditions apply:
- Directly assigned via the role's access scope. Can be used in all targets.
- View-only for non-selected. Can be used in all targets.
- Used by accessible objects. Can be used in the original items only.
- Used by parent policies of accessible policies. Can be used in child policies via inheritance only.
Roles with All access scope can import objects
The logged-in role can import objects only if it has:
- Create permission for that type of common object.
- Access scope is set to All.
Roles' permission to allow malware exclusions
The logged-in role can configure malware exclusions only if the role has edit rights for global system settings.
- Go to the Administration page.
- In the left pane, go to User Management > Roles.
- Select the role.
- Select the Other Rights tab.
- Select Full or Custom for the System Settings (Global) right.
- If Custom is selected, make sure Can Edit System Settings is selected.