This article explains how to configure administrator roles that control access to the Cato Management Application.
You can assign different roles to admins for the Cato Management Application, and restrict their permissions to only view or edit specific screens. A role is a set of granular permissions that controls the editing and viewing privileges for each screen within the Cato Management Application. Roles help you protect your network by providing admins with the minimum level of access needed for performing their tasks.
The Roles & Permissions screen comes with several out of the box roles with predefined permissions for common admin types. You can also create custom roles to fit the specific needs of admins in your organization. When you create a custom role, you define permissions for the role on a per screen basis. These are the permissions that can be defined for each screen:
-
None - The screen doesn't appear in the navigation menu and can't be accessed at all by the admin
-
View only - The admin can view the screen but can't make changes
-
Edit - The admin can perform all actions for the screen
Cato provides a number of predefined roles that you can assign to admins. You can click in the row of a role to show the permissions for each screen in the Edit Role panel. However, predefined roles can't be modified or deleted.
These are the predefined roles:
-
Editor - Full read/write permissions for all screens
-
Viewer - Read only permissions for all screens
-
Network Admin - Admins that primarily deal with connectivity and network access. Permissions include editing of all screens under the Network menu and other relevant screens such as WAN Firewall, but view only permissions for security features such as Internet Firewall. Permissions for access features are also view only.
-
Security Admin - Admins that primarily deal with security. Permissions include, for example, editing of all screens under the Security and Assets menus, but view only permissions for network and access features.
-
Access Admin - Allows editing of all the screens under the Access menu, with permissions for all other screens set to None
When new screens are added to the Cato Management Application, by default the permissions for the screen are set to None for all existing custom roles. However, there may be exceptions where Cato defines special default permissions for some features. The special default permissions will be published as part of the feature release.
For predefined roles, these are the default permissions for new screens:
-
Editor - Edit permissions
-
Viewer - View only permissions
You can create custom roles and define granular permissions for all screens in the Cato Management Application to fit the exact needs of your organization. However, you can't set separate permissions for individual tabs and features within a screen.
By default, when you create a new role all permissions are set to View only. You can click in the row of the role to modify the permissions in the Edit Role panel. You can delete a role from the more menu in the row of the role, however, you can't delete a custom role that is currently assigned to an admin.
-
Only an admin with the Editor role can create or modify roles
-
You can audit changes to custom roles in the Audit Trail (Monitoring > Audit Trail), including creating, modifying, and deleting roles
The permissions for some screens automatically configure dependent permissions for other screens and features. The following dependent permissions apply when creating a role:
-
Screens in the navigation menu define the permissions for screens and sections that are under them. For example, permissions for the Sites screen (Network > Sites) determine the permissions for the Site Configuration screens accessed from the Sites screen.
-
For screens that support an export feature, granting Edit permissions lets the admin export data or policies. For example, a role with Edit permissions for the Internet Firewall screen lets the admin export the rules to a CSV file.
-
Viewing or editing permissions for the following screens grant View only permissions to the Events screen. You can change the Events permissions to Edit but not to None.
-
Sites (Network > Sites)
-
Users (Access > Users)
-
Application Analytics (Monitoring > Application Analytics)
-
Threats Dashboard (Monitoring > Threats Dashboard)
-
Cloud Apps Dashboard (Monitoring > Cloud Apps Dashboard)
-
MITRE ATT&CK® (Monitoring > MITRE ATT&CK®)
-
To create a custom admin role:
-
From the navigation menu, click Administration > Roles & Permissions.
-
Click New to create a custom role. The Create Role panel opens.
-
Enter a Role Name and expand the sections to define permissions for the Cato Management Application screens in each section.
-
Click Submit.
The custom role appears in the list of roles.
In the Administrators screen, you can assign one or more roles to each admin. When an admin is assigned multiple roles that include different permissions for the same screen, the greater permissions apply. For example, if an admin is assigned one role with Edit permissions for the WAN Firewall screen, and another role with View only permissions, the admin can edit the WAN Firewall policy.
-
Only an admin with the Editor role can assign or remove roles
-
You can audit changes to role assignments in the Audit Trail (Monitoring > Audit Trail)
Comments
2 comments
I created a Custom Role, but for some reason it does not show up under drop menu when assigning Roles to a user.
Said Abouelouyoune Thanks for the comment. If you are working as a reseller account, please look at this article for managing roles for customer accounts: Configuring Roles and Permissions for Reseller Admins
If that doesn't help - please open a ticket with Support. Thanks!
Please sign in to leave a comment.