Administrative Permissions for DNS Threat Protection
You can grant read-only or read/write permission, or deny access to the following resources:
Grid Security Properties—Applies to the Grid and its members.
Member Security Properties—Applies to the Grid members only.
For information about setting permissions, see About Administrative Permissions. The following tables list the tasks admins can perform and the permissions required for the threat protection service; a task that lists both resources requires the stated permission on each of them.
Permissions for hardware-based Threat Protection Service
Tasks | Grid Security Properties | Member Security Properties |
---|---|---|
View Grid security properties | RO | |
Update Grid security properties | RW | |
View member security properties for specific Grid members | RO | RO |
Update member security properties for specific Grid members | RW | RW |
Start and stop the threat protection service for a Grid member | RW | RW |
Publish rules for a Grid member | RW | RW |
View rule categories and rules for the Grid | RO | |
Enable and disable rules for the Grid | RW | |
Update rule versions for any rules on the Grid | RW | |
Revert to a previous rule version for any rules on the Grid | RW | |
Modify configuration parameters, such as action and severity, for rules on the Grid | RW | |
Create custom rules from rule templates for the Grid | RW | |
Delete custom rules for the Grid | RW | |
View rule categories and rules on a Grid member | RO | RO |
Enable and disable rules on a Grid member | RW | RW |
Update rule versions for any rules on a Grid member | RW | RW |
Revert to a previous rule version for any rules on a Grid member | RW | RW |
Modify configuration parameters, such as action and severity, for rules on a Grid member | RW | RW |
View threat protection related event statistics on a Grid member | RO | RO |
Upgrade rulesets for a Grid | RW | |
Permissions for Software ADP
Tasks | Grid Security Properties | Member Security Properties |
---|---|---|
View the list of Threat Protection profiles in the Profiles Viewer | RO | RO |
View profile settings in the Threat Protection Profile Editor | RO | |
Create a Threat Protection profile | RW | |
Clone a Threat Protection profile from an existing profile (This also clones all ruleset settings from the old profile.) | RW | |
Clone a Threat Protection profile from existing member settings | RW | |
Update the profile settings (name, comment, events per second, disable multiple TCP DNS requests, list of members) | RW | |
Change the ruleset that is assigned to a profile (This internally merges all customizations of the old ruleset into the new ruleset.) | RW | |
View the profile rules and rule settings | RO | |
Enable/disable rules in the profile | RW | |
Change the rule parameters for rules in the profile (action, log severity, events per second, etc.) | RW | |
Merge two profiles | RW | |
Assign/remove a profile from Member Security properties | RW | RW |
Delete a profile | RW | |
Administrative Permissions for DNS Threat Analytics
Only superusers and limited-access users with read/write permission can manage the Threat Analytics service.
You can grant read-only or read/write permission, or deny access to the following:
Grid Threat Analytics Properties—Applies to the Grid and its members.
For information about setting permissions, see Managing Permissions. The following table lists the tasks admins can perform and the permissions required for the threat analytics service; where a task lists more than one resource, the stated permission is required on each of them.
Permissions for Threat Analytics Service
Tasks | Grid Threat Analytics Properties | RPZ Zones | Grid Members | DNS Views |
---|---|---|---|---|
View Grid Threat Analytics properties | RO | | RO | |
Update Threat Analytics properties | RW | RW | RW | RW |
Start and stop the Threat Analytics service | RW | | RW | |
Create an RPZ and use it as the mitigation blacklist feed | RW | RW | RW | RW |
View whitelisted domains | RO | | RO | |
Move blacklisted domains to the whitelist | RW | RW | | |
Update the Threat Analytics module and whitelist sets | RW | | | |
View Threat Analytics module and whitelist versions | RO | | | |
Define the Threat Analytics update policy | RW | | | |
Manually upload Threat Analytics updates | RW | | | |
Administrative Permissions for All Rulesets
You can grant permissions for individual ruleset objects to admin users. NIOS also provides a global permission, ALL Rulesets, for admin groups. To perform operations on an NXDOMAIN ruleset, a blacklist rule, or an RPZ ruleset, you must have permission on the rule or ruleset to which the ruleset object belongs.