This article explains how to configure administrator roles that control access to the Cato Management Application.
You can assign different Role Based Access Control (RBAC) roles to admins for the Cato Management Application, and restrict their permissions to only view or edit specific screens. A role is a set of granular permissions that controls the editing and viewing privileges for each screen within the Cato Management Application. Roles help you protect your network by providing admins with the minimum level of access needed for performing their tasks.
You can define RBAC admin permissions to edit or only view specific sites, groups of sites, and SDP users. Admins that don't have permissions, can't view the sites or SDP users, and the analytics screens and dashboards are automatically filtered to only show the items with the correct permissions. For example, an admin has view permissions for a group of 10 sites. When the admin opens the Events screen, only events for those 10 sites are shown in the screen. When creating a new rule for a policy, admins can only choose those sites and user groups that they have permissions to edit.
The Roles & Permissions screen comes with several out of the box roles with predefined permissions for common admin types. You can also create custom roles to fit the specific needs of admins in your organization. When you create a custom role, you define permissions for the role on a per screen basis. These are the permissions that can be defined for each screen:
-
None - The screen doesn't appear in the navigation menu and can't be accessed at all by the admin
-
View - The admin can view the screen but can't make changes
-
Edit - The admin can perform all actions for the screen
Cato provides a number of predefined roles that you can assign to admins. You can click in the row of a role to show the permissions for each screen in the Edit Role panel. However, predefined roles can't be modified or deleted.
These are the predefined roles:
-
Editor - Full read/write permissions for all screens
-
Viewer - Read only permissions for all screens
-
Network Admin - Admins that primarily deal with connectivity and network access. Permissions include editing of all screens under the Network menu and other relevant screens such as WAN Firewall, but view only permissions for security features such as Internet Firewall. Permissions for access features are also view only.
-
Security Admin - Admins that primarily deal with security. Permissions include, for example, editing of all screens under the Security and Assets menus, but view only permissions for network and access features.
-
Access Admin - Allows editing of all the screens under the Access menu, with permissions for all other screens set to None
-
Regional Viewer - Read only permissions for all sites and SDP users, and also for all events and application analytics
-
Restricted Viewer - Read only permissions for all sites and SDP users (no access to events and application analytics)
When new screens are added to the Cato Management Application, by default the permissions for the screen are set to None for all existing custom roles. However, there may be exceptions where Cato defines special default permissions for some features. The special default permissions will be published as part of the feature release.
For predefined roles, these are the default permissions for new screens:
-
Editor - Edit permissions
-
Viewer - View only permissions
You can create custom roles and define granular permissions for all screens in the Cato Management Application to fit the exact needs of your organization. However, you can't set separate permissions for individual tabs and features within a screen.
By default, when you create a new role all permissions are set to View only. You can click in the row of the role to modify the permissions in the Edit Role panel. You can delete a role from the more menu in the row of the role, however, you can't delete a custom role that is currently assigned to an admin.
-
Only an admin with the Editor role can create or modify roles
-
You can audit changes to custom roles in the Audit Trail (Monitoring > Audit Trail), including creating, modifying, and deleting roles
The permissions for some screens automatically configure dependent permissions for other screens and features. The following dependent permissions apply when creating a role:
-
Screens in the navigation menu define the permissions for screens and sections that are under them. For example, permissions for the Sites screen (Network > Sites) determine the permissions for the Site Configuration screens accessed from the Sites screen.
-
For screens that support an export feature, granting Edit permissions lets the admin export data or policies. For example, a role with Edit permissions for the Internet Firewall screen lets the admin export the rules to a CSV file.
-
Viewing or editing permissions for the following screens grant View only permissions to the Events screen. You can change the Events permissions to Edit but not to None.
-
Sites (Network > Sites)
-
Users (Access > Users)
-
Application Analytics (Monitoring > Application Analytics)
-
Threats Dashboard (Monitoring > Threats)
-
Cloud Apps Dashboard (Monitoring > Cloud Apps)
Note: Admins can only see data in the Cloud Apps Dashboard when they have at least View only permissions for Application Analytics. -
MITRE ATT&CK® Dashboard (Monitoring > MITRE ATT&CK®)
-
To create a custom admin role:
-
From the navigation menu, click Administration > Roles & Permissions.
-
Click New to create a custom role. The Create Role panel opens.
-
Enter a Role Name and expand the sections to define permissions for the Cato Management Application screens in each section.
-
Click Submit.
The custom role appears in the list of roles.
In the Administrators screen, you can assign one or more roles to each admin. When an admin is assigned multiple roles that include different permissions for the same screen, the greater permissions apply. For example, if an admin is assigned one role with Edit permissions for the WAN Firewall screen, and another role with View only permissions, the admin can edit the WAN Firewall policy.
-
Only an admin with the Editor role can assign or remove roles
-
You can audit changes to role assignments in the Audit Trail (Monitoring > Audit Trail)
You can define which sites and SDP users that new and existing Cato Management Application admins have permissions to edit or access. When you assign groups that contain sites and other items, the Administrators screen only shows the sites in the group.
Admins can only create new SDP users when they have Edit permissions for all user groups.
For admins that are assigned permissions based on roles, there is an AND relationship between the role and the site or user group. For example, if an admin is assigned view permissions for the London site and they no permissions for the Sites screen, then they can't view the London site. Or if they have edit permissions for the London site, but have view permissions for the site screen, then they can only view the site and can't edit it.
To assign sites and user groups to an admin:
-
From the navigation menu, click Administration > Administrators.
-
Create a new admin, or edit an existing admin.
-
In Access Permissions for Sites and Users, select the sites and user groups that this admin has permissions for.
-
For sites, select Site for an individual site or Group for a group that contains multiple sites.
-
For SDP users, select User Group.
-
-
Define the admin Permission for the item.
-
Repeat steps 3 and 4 for multiple sites and user groups.
-
Click Save. The sites and user groups are assigned to the admin.
-
Admins can have permissions for up to 1000 SDP users, combining all the user groups assigned to the admin
If an admin has permissions for more than 1000 SDP users, then they receive an error. It is necessary to remove permissions for some user groups so they permissions for less than 1000 SDP users.
-
Admins can have permissions for up to 200 individual sites. There is no limit when sites are applied to a group.
-
When you assign a group to an admin, only the sites and users are applied. Other items in the group (such as network ranges) are ignored.
-
The following dashboards and monitoring screens are not automatically filtered for sites or SDP users:
-
Routing Table
-
Audit Trail
-
SaaS Security API Dashboard
-
XDR Dashboard
-
Detection and Response
-
Assets
-
-
Admins can create rules with Any site or user group, even if they only have permissions for specific sites and user groups
-
Admins that have permissions for user groups, can only add SDP users to rules. They can't add users identified with User Awareness to rules.
5 comments
I created a Custom Role, but for some reason it does not show up under drop menu when assigning Roles to a user.
I tried to use the new feature described 2 months ago (Assigning Sites and User Groups to Admins) - As I was not able to do that, I opened a ticket filed as #390629. The final response of the support engineer was: “We checked this internally and this feature is currently under Early Availability.” - this is on a feature documented here two months ago. In my opinion, this should be noted in the article and it should be updated as soon as the features becomes commonly available to avoid unnecessary support tickets.
Said Abouelouyoune Thanks for the comment. If you are working as a reseller account, please look at this article for managing roles for customer accounts: Configuring Roles and Permissions for Reseller Admins
If that doesn't help - please open a ticket with Support. Thanks!
I still don't have access to this feature, but it's been 3 months since the knowledge base was updated. It would be nice to be notified of new features when they become available for our account.
Updated article to include Assigning Sites and User Groups to Admins
Please sign in to leave a comment.