Enterprise DLP
Panorama
Table of Contents
Panorama
Panorama
Configure role-based access for
Enterprise Data Loss Prevention (E-DLP)
on your Panorama™ management server
.Panorama
allows you to define 1 of 3 different access privileges for any
given UI node:- Enable—Admin has full read and write access.
- Read Only—Admin has read only access. Admin cannot make any configuration changes.
- Disable—Admin has no access to the UI node and it is not displayed in thePanoramaweb interface when they are logged intoPanorama.
- Log in to thePanoramaweb interface.An administrator with access privileges to create an admin role and commit toPanoramais required.
- Select andAdda new admin role.If you want to modify an existing admin role, select that admin role instead of creating a new one. Only one admin role profile can be associated with an administrator account.
- Configure theEnterprise DLPadmin role.
- Enter a descriptiveNamefor the admin role.
- For theRole, selectPanorama.
- In theWeb UI, define theEnterprise DLPaccess privileges you want to grant the Panorama administrator.
- —Access privileges to data filtering logs. You mustEnableor giveRead Onlyaccess to data filtering logs to allow the administrator to viewEnterprise DLPlog details.
- —Access privileges toEnterprise DLPdata patterns.
- —Access privileges toEnterprise DLPdata profiles.
- —To grant read and write access to theEnterprise DLPdata filtering and Cloud Content settings, you must enable read and write access to theContent-IDtab and disable access for the remaining settings.
- —Access privileges to upgrade theEnterprise DLPplugin onPanoramaand read and write access to theEnterprise DLPsnippets settings.If you have otherPanoramaplugins installed, this will enable access to those configuration nodes in thetab as well.Panorama
- Configure any additional admin role access privileges as needed.For example, you can enablePush All Changes, , andTasksto allow the administrator to commit and pushEnterprise DLPchanges fromPanoramato managed firewalls and then view the job status in the Task Manager.
- ClickOK.
- Create anEnterprise DLPadministrator account.Skip this step if you modified an existing admin role already associated with an administrator account.
- Select andAdda new administrator.
- Enter a descriptiveNamefor theEnterprise DLPadministrator account.
- Configure the authentication method for the administrator account using one of the following methods.
- Enter thePasswordandConfirm Password.
- Check (enable)Use Public Key Authenticationand clickImport Keyto import the SSH key.
- For theAdministrator Type, selectCustom Panorama Admin.
- For theProfile, select the admin role you created in the previous step.
- ClickOK.
- Select andCommit.
- Verify theEnterprise DLPadministrator account is correctly configured.In this example, access to the data filtering logs, data patterns, data profiles, and the plugin tabs are enabled.
- Log in to thePanoramaweb interface using theEnterprise DLPadministrator account you created in the previous step.
- SelectMonitorand confirm only theData Filteringlogs are displayed.
- Select and confirm thatData Filtering ProfilesandData Filtering Patternsare displayed and configurable.Custom ObjectsandSecurity Profilesare also displayed but theEnterprise DLPis not able to configure these.
- Select and confirm only theContent-IDandDLPtabs are displayed and configurable.
- Select and confirm that theEnterprise DLPConfigurationsettings are displayed and configurable.