Enterprise DLP
Configure role-based access for Enterprise Data Loss Prevention (E-DLP) on your Panorama™ management server. Panorama allows you to define 1 of 3 different access privileges for any given UI node:
- Enable—Admin has full read and write access.
- Read Only—Admin has read only access. Admin cannot make any configuration changes.
- Disable—Admin has no access to the UI node and it is not displayed in the Panorama web interface when they are logged into Panorama.

- Log in to the Panorama web interface. An administrator with access privileges to create an admin role and commit to Panorama is required.
- Select Panorama > Admin Roles and Add a new admin role. If you want to modify an existing admin role, select that admin role instead of creating a new one. Only one admin role profile can be associated with an administrator account.
- Configure the Enterprise DLP admin role.
  - Enter a descriptive Name for the admin role.
  - For the Role, select Panorama.
  - In the Web UI, define the Enterprise DLP access privileges you want to grant the Panorama administrator.
    - Monitor > Logs > Data Filtering—Access privileges to data filtering logs. You must Enable or give Read Only access to data filtering logs to allow the administrator to view Enterprise DLP log details.
    - Objects > Custom Objects > Data Patterns—Access privileges to Enterprise DLP data patterns.
    - Objects > Security Profiles > Data Filtering—Access privileges to Enterprise DLP data profiles.
    - Device > Setup—To grant read and write access to the Enterprise DLP data filtering and Cloud Content settings, you must enable read and write access to the Content-ID tab and disable access for the remaining settings.
    - Panorama > Plugins—Access privileges to upgrade the Enterprise DLP plugin on Panorama and read and write access to the Enterprise DLP snippets settings. If you have other Panorama plugins installed, this will enable access to those configuration nodes in the Panorama tab as well.
  - Configure any additional admin role access privileges as needed. For example, you can enable Push All Changes, Commit > Panorama, and Tasks to allow the administrator to commit and push Enterprise DLP changes from Panorama to managed firewalls and then view the job status in the Task Manager.
  - Click OK.
- Create an Enterprise DLP administrator account. Skip this step if you modified an existing admin role already associated with an administrator account.
  - Select Panorama > Administrator and Add a new administrator.
  - Enter a descriptive Name for the Enterprise DLP administrator account.
  - Configure the authentication method for the administrator account using one of the following methods.
    - Enter the Password and Confirm Password.
    - Check (enable) Use Public Key Authentication and click Import Key to import the SSH key.
  - For the Administrator Type, select Custom Panorama Admin.
  - For the Profile, select the admin role you created in the previous step.
  - Click OK.
- Select Commit > Commit to Panorama and Commit.
- Verify the Enterprise DLP administrator account is correctly configured. In this example, access to the data filtering logs, data patterns, data profiles, and the plugin tabs are enabled.
  - Log in to the Panorama web interface using the Enterprise DLP administrator account you created in the previous step.
  - Select Monitor and confirm only the Data Filtering logs are displayed.
  - Select Objects > DLP and confirm that Data Filtering Profiles and Data Filtering Patterns are displayed and configurable. Custom Objects and Security Profiles are also displayed but the Enterprise DLP administrator is not able to configure these.
  - Select Device > Setup and confirm only the Content-ID and DLP tabs are displayed and configurable.
  - Select Panorama > DLP and confirm that the Enterprise DLP Configuration settings are displayed and configurable.
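
The verification step above can also be written down as a check of the role against the intended privileges, with every node the procedure does not mention expected to be Disable. This is an added example, not Palo Alto Networks code: it assumes the role's Web UI settings were transcribed by hand into a node-to-privilege mapping (a constructed format, not a Panorama export), and the sample role with its two extra nodes is constructed.

```python
# Privilege levels as the page defines them, ordered from least to most access.
LEVEL = {"disable": 0, "read-only": 1, "enable": 2}

# Intended Enterprise DLP role, taken from the nodes the procedure lists.
# Each value is (minimum, maximum) allowed privilege. Nodes absent from this
# table are expected to be "disable" (default deny).
BASELINE = {
    "Monitor > Logs > Data Filtering": ("read-only", "enable"),
    "Objects > Custom Objects > Data Patterns": ("enable", "enable"),
    "Objects > Security Profiles > Data Filtering": ("enable", "enable"),
    "Device > Setup > Content-ID": ("enable", "enable"),
    "Panorama > Plugins": ("enable", "enable"),
    # Optional commit/push privileges the page mentions as an example.
    "Push All Changes": ("disable", "enable"),
    "Commit > Panorama": ("disable", "enable"),
    "Tasks": ("disable", "enable"),
}

def audit_role(granted):
    """Return (node, finding, expected) for every node outside the baseline."""
    for node, priv in granted.items():
        if priv not in LEVEL:
            raise ValueError(f"unknown privilege {priv!r} on {node}")
    findings = []
    for node in sorted(set(granted) | set(BASELINE)):
        # A node missing from the transcription is treated as disabled.
        have = LEVEL[granted.get(node, "disable")]
        low, high = BASELINE.get(node, ("disable", "disable"))
        if have > LEVEL[high]:
            findings.append((node, "over-privileged", high))
        elif have < LEVEL[low]:
            findings.append((node, "under-privileged", low))
    return findings

# Constructed sample: a role transcribed from the Web UI tab with three mistakes.
SAMPLE_ROLE = {
    "Monitor > Logs > Data Filtering": "disable",   # DLP log details not viewable
    "Monitor > Logs > Traffic": "read-only",        # constructed extra node
    "Objects > Custom Objects > Data Patterns": "enable",
    "Objects > Security Profiles > Data Filtering": "enable",
    "Device > Setup > Content-ID": "enable",
    "Device > Setup > Management": "enable",        # constructed extra node
    "Panorama > Plugins": "enable",
    "Commit > Panorama": "enable",
}

if __name__ == "__main__":
    for node, finding, expected in audit_role(SAMPLE_ROLE):
        print(f"{finding}: {node} (expected at most/at least: {expected})")
```
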