Administrative Permissions for DNS Threat Protection
- Panna .
- Shwetha S
You can grant read-only or read/write permission, or deny access to the following resources:
Grid Security Properties—Applies to the Grid and its members.
Member Security Properties—Applies to the Grid members only.
For information about setting permissions, see About Administrative Permissions. The following table lists the tasks admins can perform and the required permissions for the threat protection service.
Permissions for hardware-based Threat Protection Service
Tasks | Grid Security Properties | Member Security Properties |
|---|---|---|
View Grid security properties | RO | Â |
Update Grid Security properties | RW | Â |
View member security properties for specific Grid members | RO | RO |
Update member security properties for specific Grid members | RW | RW |
Start and stop threat protection service for a Grid member | RW | RW |
Publish rules for a Grid member | RW | RW |
View rule categories and rules for the Grid | RO | Â |
Enable and disable rules for the Grid | RW | Â |
Update rule versions for any rules on the Grid | RW | Â |
Revert to a previous rule version for any rules on the Grid | RW | Â |
Modify configuration parameters, such as action and severity, for rules on the Grid | RW | Â |
Create custom rules from rule templates for the Grid | RW | Â |
Delete custom rules for the Grid | RW | Â |
View rule categories and rules on a Grid member | RO | RO |
Enable and disable rules on a Grid member | RW | RW |
Update rule versions for any rules on a Grid member | RW | RW |
Revert to a previous rule version for any rules on a Grid member | RW | RW |
Modify configuration parameters, such as action and severity, for rules on a Grid member | RW | RW |
View threat protection related event statistics on a Grid member | RO | RO |
Upgrade rulesets for a Grid | RW | Â |
Permissions for Software ADP
Tasks | Grid Security Properties | Member Security Properties |
|---|---|---|
View the list of Threat Protection profiles in the Profiles Viewer | RO | RO |
View profile settings in the Threat Protection Profile Editor | RO | Â |
Create a Threat Protection profile | RW | Â |
Clone a Threat Protection profile from an existing profile (This also clones all settings for the ruleset from an old profile.) | RW | Â |
Clone a Threat Protection profile from an existing member settings | RW | Â |
Update the profile settings (name, comment, events per second, disable multiple TCP DNS request, list of members) | RW | Â |
Change the ruleset that is assigned to a profile (This internally merges all customizations for an old ruleset to a new ruleset.) | RW | Â |
View the profile rules and rule settings | RO | Â |
Enable/disable rules in the profile | RW | Â |
Change the rule parameters for rules in the profile (action, log severity, events per second etc.) | RW | Â |
Merge two profiles | RW | Â |
Assign/remove a profile from Member Security properties | RW | RW |
Delete a profile | RW | Â |
Administrative Permissions for DNS Threat Insight
Only superusers and limited-access users with Read/Write permission can manage Threat Insight service.
You can grant read-only or read/write permission, or deny access to the following:
Grid Threat Insight Properties—Applies to the Grid and its members.
For information about setting permissions, Managing Permissions. The following table lists the tasks admins can perform and the required permissions for the Threat Insight service.
Permissions for Threat Insight Service
Tasks | Grid Threat Insight Properties | RPZ Zones | Grid Members | DNS Views |
|---|---|---|---|---|
View Grid Threat Insight properties | RO | Â | RO | Â |
Update Threat Insight properties | RW | RW | RW | RW |
Start and stop Threat Insight service | RW | Â | RW | Â |
Create an RPZ and use it as mitigation blocklist feed | RW | RW | RW | RW |
View allowlisted domains | RO | Â | RO | Â |
Move allowlisted domains to the blocklist | RW | RW | Â | Â |
Update Threat Insight module and allowlist sets | RW | Â | Â | Â |
Viewing Threat Insight module and allowlist versions | RO | Â | Â | Â |
Define the Threat Insight Update policy | RW | Â | Â | Â |
Manually Upload Threat Insight Updates | RW | Â | Â | Â |
Administrative Permissions for All Rulesets
You can grant permissions for individual ruleset objects to admin users. NIOS provides a global permission ALL Rulesets for admin groups. To perform operations on an NXDOMAIN ruleset, a blacklist rule, or an RPZ ruleset, you must have permission to the rule or ruleset to which the ruleset object belongs.