To create and manage application and rule entries on the Firewall Policy Manager, users are assigned administrative roles. A mapping function lets you assign roles in the Firewall Policy Manager to corresponding groups in Active Directory. This requires an Active Directory base OU below which the groups are searched. Groups can be created in the web interface with any desired names and mapped to the corresponding AD groups. After the connection succeeds, the group can be equipped with authorizations.
Administrative Roles
The administrative role a user or group belongs to defines the scope and sets the permissions for the content they have access to. The role also decides whether administrators are allowed to create policies, have read or write access, and can change the status of the Policy Manager ticket during the process of creation and assignment. In general, there are five predefined roles available:
- Application Owner / Rule Applicant – Every user with a Firewall Policy Manager login permission has the possibility to create applications or rules and assign them to the next instance with status "Assigned to Architect".
- Architect – A user with the role 'Architect' can review the ticket and add comments. After the check, they can change the status to "Approved Architect" or "Rejected" and assign the ticket to the next instance.
- Operator – A user with the role 'Operator' reviews the application or rule, makes recommendations, and passes the ticket on with the status "Evaluated Operator".
- CISO – A user with the role 'CISO' makes final decisions and changes the ticket status to "Approved CISO".
- Auditor – A user with the role 'Auditor' has read access to applications, rules and dependencies but cannot add comments or change the status of a ticket.
For a detailed explanation of interactions of administrative roles within the procedure of ticket creation and assignment, see Application and Rules Assignment.
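The following added example (not code from the Firewall Policy Manager itself) models the ticket workflow described above as a state machine in which each status change is allowed only for the role the text assigns to it, so that a request cannot skip a review stage and the read-only Auditor can never advance a ticket. The initial status "New" and the user names are assumptions for the demonstration.

```python
from dataclasses import dataclass, field

# Roles as named on the page; Auditor is read-only and appears in no transition.
ROLES = {"Application Owner", "Rule Applicant", "Architect", "Operator", "CISO", "Auditor"}

# Allowed transitions: (from_status, to_status) -> roles that may perform it.
# "New" is an assumed initial status for a ticket that has not been assigned yet;
# the remaining statuses and responsible roles follow the role descriptions above.
TRANSITIONS = {
    ("New", "Assigned to Architect"): {"Application Owner", "Rule Applicant"},
    ("Assigned to Architect", "Approved Architect"): {"Architect"},
    ("Assigned to Architect", "Rejected"): {"Architect"},
    ("Approved Architect", "Evaluated Operator"): {"Operator"},
    ("Evaluated Operator", "Approved CISO"): {"CISO"},
}

@dataclass
class Ticket:
    name: str
    status: str = "New"
    history: list = field(default_factory=list)  # audit trail of attempts

def change_status(ticket, actor, actor_role, new_status):
    """Apply a status change only if the actor's role may make that transition
    from the ticket's current status. Returns True on success, False when denied
    (the ticket is left unchanged and the denied attempt is recorded)."""
    if actor_role not in ROLES:
        raise ValueError(f"unknown role: {actor_role}")
    allowed = TRANSITIONS.get((ticket.status, new_status), set())
    if actor_role not in allowed:
        ticket.history.append(f"DENIED {actor} ({actor_role}): {ticket.status} -> {new_status}")
        return False
    ticket.history.append(f"{actor} ({actor_role}): {ticket.status} -> {new_status}")
    ticket.status = new_status
    return True

def run_demo():
    """Walk a constructed ticket through the workflow, including attempts that must fail."""
    t = Ticket("app-crm")  # constructed sample ticket
    results = [
        change_status(t, "alice", "Application Owner", "Assigned to Architect"),
        change_status(t, "alice", "Application Owner", "Approved Architect"),  # denied: wrong role
        change_status(t, "bob", "Architect", "Approved Architect"),
        change_status(t, "carol", "Auditor", "Evaluated Operator"),          # denied: read-only
        change_status(t, "dave", "Operator", "Evaluated Operator"),
        change_status(t, "dave", "Operator", "Approved CISO"),               # denied: skips CISO
        change_status(t, "erin", "CISO", "Approved CISO"),
    ]
    return t, results
```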
Configuration Access
User groups have access to the Firewall Policy Manager configuration according to their configured role:

Configuration Tab | Application Owner | Rule Applicant | Architect | Operator | CISO | Auditor
---|---|---|---|---|---|---
Applications | YES | YES | YES | YES | YES | YES
Rules | YES | YES | YES | YES | YES | YES
Dependencies | NO | NO | YES | YES | YES | YES
Advanced | NO | NO | NO | NO | NO | NO
Email Notifications
During the ticketing process, the Firewall Policy Manager sends out notifications to different administrator groups. For example, at the end of a rule implementation, a notification will be sent to everyone previously involved.
Notifications about updates and status changes are sent to the users and groups defined as owners of applications or rules as follows:
Applications

Event | Application Owner | Rule Applicant | Architect | Operator | CISO | Auditor
---|---|---|---|---|---|---
Status change to Assigned Architect | NO | NO | YES | NO | NO | NO
Status change to Approved Architect | YES | NO | NO | YES | NO | NO
Status change to Evaluated Architect | YES | NO | NO | NO | YES | NO
Status change to Approved CISO | YES | NO | NO | YES | NO | NO
Status change to Rejected | YES | NO | NO | NO | NO | NO
New comment added | YES | NO | YES | YES | YES | NO

Rules

Event | Application Owner | Rule Applicant | Architect | Operator | CISO | Auditor
---|---|---|---|---|---|---
Status change to Assigned Architect | NO | NO | YES | NO | NO | NO
Status change to Approved Architect | NO | NO | NO | YES | NO | NO
Status change to Evaluated Architect | NO | NO | NO | NO | YES | NO
Status change to Approved CISO | NO | NO | NO | YES | NO | NO
Status change to Queued | NO | NO | NO | YES | NO | NO
Status change to Implemented | NO | YES | NO | NO | NO | NO
Status change to Verified | NO | YES | NO | NO | NO | NO
Status change to Rejected | NO | YES | YES | YES | YES | NO
New comment added | NO | YES | YES | YES | YES | NO