Configuring Roles and Permissions for Reseller Admins

This article explains how to configure admin roles for reseller and managed accounts that control admin access to the Cato Management Application.

Overview of Roles & Permissions for Reseller Admins

You can assign admins different roles for the Cato Management Application accounts that the reseller manages, as well as for the reseller account itself. A role is a set of granular permissions that controls the editing and viewing privileges for each screen within the Cato Management Application. Roles provide security and only let admins have the minimum level of access needed for performing their tasks.

The Roles & Permissions screen for reseller accounts comes with two sets of out-of-the-box roles with predefined permissions. You can't modify or delete the predefined roles.

  • Predefined roles for managed account admins - Permissions in these roles apply across all the managed accounts

  • Predefined roles for reseller account admins - Permissions in these roles apply only to the reseller account

You can also create custom roles to fit the specific needs of admins in your organization. You can create a custom role as either a reseller account role, or a managed account role. When you create a custom role, you define permissions for the role on a per screen basis. These are the permissions that can be defined for each screen:

  • None - The screen doesn't appear in the navigation menu and can't be accessed at all by the admin

  • View - The admin can view the screen but can't make changes

  • Edit - The admin can perform all actions for the screen

Figure: RBAC_Reseller_Tabs.png

Understanding the Predefined Reseller Account Roles

Cato provides a number of predefined roles that you can assign to admins of the reseller account. These roles define permissions for the reseller account itself, not for managed accounts (see below). You can click a role to open the Edit Role panel and show the permission details for each screen.

These are the predefined roles:

  • Reseller Editor - Full read/write permissions for all screens in the reseller account

  • Reseller Viewer - Read only permissions for all screens in the reseller account

Understanding the Predefined Managed Account Roles

The predefined managed account roles define access for an admin across all managed accounts. For example, the Viewer role grants View only access to all screens in every managed account.

These are the predefined managed account roles:

  • Editor - Full read/write permissions for all screens in the managed account

  • Viewer - Read-only permissions for all screens in the managed account

  • Network Admin - Designed for admins that primarily deal with connectivity and network access

    • Edit permissions for all screens under the Network menu and other relevant screens such as WAN Firewall

    • Read-only permissions for all other screens

  • Security Admin - Designed for admins that primarily deal with security features and policies. Permissions include, for example, editing of all screens under the Security and Assets menus, but view only permissions for network and access features.

    • Edit permissions for all screens under the Security and Assets menu, and some of the Access screens

    • Read-only permissions for all other screens

  • Access Admin - Designed for admins that are responsible for remote access features and policies.

    • Edit permissions for all screens under the Access menu

    • No access to Network and Security screens

Roles and Permissions for New Cato Screens

When new screens are added to the Cato Management Application, by default the permissions for the screen are set to None for all existing custom roles. However, there may be exceptions where Cato defines special default permissions for some features. The special default permissions will be published as part of the feature release.

For predefined managed account roles, these are the default permissions for new managed account screens:

  • Editor - Edit permissions

  • Viewer - View permissions

For predefined reseller account roles, these are the default permissions for new reseller account screens:

  • Reseller Editor - Edit permissions

  • Reseller Viewer - View permissions

Working with Custom Admin Roles

You can create custom roles and define granular permissions for all screens in the Cato Management Application to fit the exact needs of your organization. However, you can't set separate permissions for individual tabs and features within a screen.

You can create two different types of custom roles:

  • Custom roles for managed account admins - permissions apply across all the managed accounts. Create these roles in the Managed Account Roles tab.

  • Custom roles for reseller account admins - permissions apply only to the reseller account. Create these roles in the Reseller Account Roles tab.

By default, when you create a new role all permissions are set to View. You can click the role to modify the permissions in the Edit Role panel. You can only delete a custom role that is currently not assigned to an admin.

  • Only an admin with the Reseller Editor role can create or modify roles for reseller admins

  • You can review the changes to custom roles in the Audit Trail (Monitoring > Audit Trail) screen, including creating, modifying, and deleting roles

Some screens in managed accounts automatically configure dependent permissions for other screens and features. The following dependent permissions apply when creating a custom managed account role:

  • Screens in the navigation menu define the permissions for screens and sections that are under them. For example, permissions for the Sites screen (Network > Sites) determine the permissions for the Site Configuration screens accessed from the Sites screen.

  • For screens that support an export feature, granting Edit permissions lets the admin export data or policies. For example, a role with Edit permissions for the Internet Firewall screen lets the admin export the rules to a CSV file.

  • Viewing or editing permissions for the following screens grant View only permissions to the Events screen. You can't change the Events permissions to None.

    • Sites (Network > Sites)

    • Users (Access > Users)

    • Application Analytics (Monitoring > Application Analytics)

    • Threats Dashboard (Monitoring > Threats Dashboard)

    • Cloud Apps Dashboard (Monitoring > Cloud Apps Dashboard)

    • MITRE ATT&CK® (Monitoring > MITRE ATT&CK®)

To create a custom admin role:

  1. From the navigation menu, click Administration > Roles & Permissions.

  2. Select the tab for the type of role you want to create.

  3. Click New to create a custom role. The Create Role panel opens.

  4. Enter a Role Name and expand the sections to define permissions for the Cato Management Application screens in each section.

  5. Click Submit.

    The custom role appears in the list of roles.

Assigning Roles to Admins

In the Administrators screen, you can assign one or more roles to each admin. You can assign both Reseller Account Roles and Managed Account Roles. When an admin is assigned multiple roles that include different permissions for the same screen, the stronger permissions apply. For example, if an admin is assigned one role with Edit permissions for the WAN Firewall screen, and another role with View only permissions, the admin can edit the WAN Firewall policy.

  • Only an admin with the Reseller Editor role can assign or remove roles for reseller admins

  • Reseller admins can't be assigned the roles defined within managed accounts. For example:

    1. Sample Reseller manages the account for Acme Inc.

    2. An Acme Inc. admin creates the Acme Custom Admin custom role for the managed account.

    3. Alice Abrams is a Sample Reseller admin, and she is assigned the Viewer managed account role.

    4. Alice Abrams can't be assigned the Acme Custom Admin role because she belongs to the reseller account and not to the managed account.

  • You can review changes to role assignments in the Audit Trail (Monitoring > Audit Trail)

Restricting Permissions for Specific Accounts

Sometimes it's necessary to only allow an admin to use a role for a few managed accounts, and deny that access for the other managed accounts. You can edit the admin permissions and restrict the admin roles to only apply to specific managed accounts. When there are multiple groups of roles, there is an OR relationship and the admin has access to the union of all the managed accounts. For example, if an admin has the Viewer role for all managed accounts and the Access Admin role for two accounts, then for those two accounts the admin can edit the Access screens and view all the screens.

When a reseller admin creates a new managed account, they are automatically assigned the Editor role for that managed account. You can then change the admin's role for the managed account. You can only delete a managed account after removing it as an Allowed Account for all admins.
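The merge rules above (the stronger permission wins across roles, role groups are OR-ed across managed accounts, and View/Edit on certain screens forces at least View on the Events screen) are worth checking before you save an assignment. The following resolver is an added illustration, not Cato's own code: the role contents and account names are constructed samples, and the screen list is abbreviated.

```python
"""Effective-permission resolver for reseller admin role assignments.

Added example (not Cato code). Models the rules this article states:
max() across roles per screen, OR across role-group scopes, and the
Events dependency for the listed monitoring/config screens.
"""
from enum import IntEnum


class Perm(IntEnum):
    NONE = 0
    VIEW = 1
    EDIT = 2


ALL = "ALL"  # sentinel: the role group applies to every managed account

# Screens whose View or Edit permission forces View on Events (from the article).
EVENTS_DEPENDENTS = {"Sites", "Users", "Application Analytics",
                     "Threats Dashboard", "Cloud Apps Dashboard", "MITRE ATT&CK"}


def effective_permissions(assignments, roles, account):
    """assignments: list of (role_name, scope), scope is ALL or a set of accounts.
    roles: role_name -> {screen: Perm}. Returns {screen: Perm} for one managed
    account; screens absent from every matching role are NONE (omitted)."""
    effective = {}
    for role_name, scope in assignments:
        if scope != ALL and account not in scope:
            continue  # this role group is not allowed for the account
        for screen, perm in roles[role_name].items():
            # Several roles on the same screen: the stronger permission applies.
            effective[screen] = max(effective.get(screen, Perm.NONE), perm)
    # Dependent permission: Events can't be None once a dependent screen is visible.
    if any(effective.get(s, Perm.NONE) >= Perm.VIEW for s in EVENTS_DEPENDENTS):
        effective["Events"] = max(effective.get("Events", Perm.NONE), Perm.VIEW)
    return effective


# Constructed sample roles; screen lists are abbreviated, not the full set.
SCREENS = ["Sites", "WAN Firewall", "Users", "Access Policy", "Events"]
ROLES = {
    "Viewer": {s: Perm.VIEW for s in SCREENS},
    "Access Admin": {"Users": Perm.EDIT, "Access Policy": Perm.EDIT,
                     "Sites": Perm.NONE, "WAN Firewall": Perm.NONE},
}
# Viewer for all managed accounts, Access Admin only for two of them.
ASSIGNMENTS = [("Viewer", ALL), ("Access Admin", {"Acme Inc.", "Globex"})]

if __name__ == "__main__":
    for acct in ("Acme Inc.", "Initech"):
        eff = effective_permissions(ASSIGNMENTS, ROLES, acct)
        print(acct, {s: p.name for s, p in eff.items()})
```

Running it shows that for Acme Inc. the Access screens resolve to Edit while Sites stays at View, and for an account outside the Access Admin scope everything resolves to View.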

Figure: RBAC_phase2.png

To assign roles to an admin:

  1. From the navigation menu, click Administration > Administrators.

  2. Click in the row of an admin to open settings for the admin.

  3. From the Reseller Account Roles drop-down menu, select the roles you want to assign for the reseller account.

  4. From the Admin Roles for Managed Account section, define the admin roles for the managed accounts:

    1. Select one or more roles

    2. For each role or group of roles, select if the role is for All or only Selected accounts.

    3. For Selected accounts, select one or more managed accounts for this admin role.

    4. Repeat the previous three steps for each required admin role.

  5. Click Save.

    The roles are applied to the admin.
