Page tree

Contents

Only superusers and limited-access users with Read/Write permission to All Named ACLs and Read/Write permission to the corresponding objects and operations can manage named ACLs and their ACEs.
For information about access control and named ACLs, see Configuring Access Control. The following table lists the operations and required permissions for managing named ACLs.

Table 4.30 Administration Permissions

Tasks

Grid Member(s)

All Named ACLs

DNS Views

Related DNS objects

File Distribution

Create, modify, and delete named ACLs for all supported operations

RW

RW

RW

RW

RW

View named ACLs and ACEs

RW

RO

RO

RO

RO


Administrative Permissions for DNS Threat Protection
You can grant read-only or read/write permission, or deny access to the following resources:

  • Grid Security Properties—Applies to the Grid and its members.
  • Member Security Properties—Applies to the Grid members only.

For information about setting permissions, see Applying Permissions and Managing Overlaps. The following table lists the tasks admins can perform and the required permissions for the threat protection service.

Table 4.31 Permissions for hardware-based Threat Protection Service

Tasks

Grid Security Properties

Member Security Properties

View Grid security properties

RO


Update Grid Security properties

RW


View member security properties for specific Grid members

RO

RO

Update member security properties for specific Grid members

RW

RW

Start and stop threat protection service for a Grid member

RW

RW

Publish rules for a Grid member

RW

RW

View rule categories and rules for the Grid

RO


Enable and disable rules for the Grid

RW


Update rule versions for any rules on the Grid

RW


Revert to a previous rule version for any rules on the Grid

RW


Modify configuration parameters, such as action and severity, for rules on the Grid

RW


Create custom rules from rule templates for the Grid

RW


Delete custom rules for the Grid

RW


View rule categories and rules on a Grid member

RO

RO

Enable and disable rules on a Grid member

RW

RW

Update rule versions for any rules on a Grid member

RW

RW

Revert to a previous rule version for any rules on a Grid member

RW

RW

Modify configuration parameters, such as action and severity, for rules on a Grid member

RW

RW

View threat protection related event statistics on a Grid member

RO

RO

Upgrade rulesets for a Grid

RW



Table 4.32 Permissions for Software ADP

Tasks

Grid Security Properties

Member Security Properties

View the list of Threat Protection profiles in the Profiles Viewer

RO

RO

View profile settings in the Threat Protection Profile Editor

RO


Create a Threat Protection profile

RW


Clone a Threat Protection profile from an existing profile (This also clones all settings for the ruleset from an old profile.)

RW


Clone a Threat Protection profile from an existing member settings

RW


Update the profile settings (name, comment, events per second, disable multiple TCP DNS request, list of members)

RW


Change the ruleset that is assigned to a profile (This internally merges all customizations for an old ruleset to a new ruleset.)

RW


View the profile rules and rule settings

RO


Enable/disable rules in the profile

RW


Change the rule parameters for rules in the profile (action, log severity, events per second etc.)

RW


Merge two profiles

RW


Assign/remove a profile from Member Security properties

RW

RW

Delete a profile

RW


Administrative Permissions for DNS Threat Analytics

Only superusers and limited-access users with Read/Write permission can manage Threat Analytics service.
You can grant read-only or read/write permission, or deny access to the following:

  • Grid Threat Analytics Properties—Applies to the Grid and its members.

For information about setting permissions, Managing Permissions. The following table lists the tasks admins can perform and the required permissions for the threat analytics service.

Table 4.33 Permissions for Threat Analytics Service

Tasks

Grid Threat Analytics Properties

RPZ Zones

Grid MembersDNS Views

View Grid Threat Analytics properties

RO


RO

Update Threat Analytics properties

RW

RW

RWRW

Start and stop Threat Analytics service

RW


RW

Create an RPZ and use it as mitigation blacklist feed

RW

RW

RWRW

View whitelisted domains

RO


RO

Move blacklisted domains to the whitelist

RW

RW



Update Threat Analytics module and whitelist sets

RW




Viewing threat analytics module and whitelist versions

RO




Define the Threat Analytics Update policyRW


Manually Upload Threat Analytics UpdatesRW



Administrative Permissions for All Rulesets
You can grant permissions for individual ruleset objects to admin users. NIOS provides a global permission ALL Rulesets for admin groups. To perform operations on an NXDOMAIN ruleset, a blacklist rule, or an RPZ ruleset, you must have permission to the rule or ruleset to which the ruleset object belongs.

  • No labels

This page has no comments.