Role-based access control (RBAC) enables you to use preconfigured
roles or define custom roles to assign access rights to
administrative users. Each role extends specific privileges to the users
you assign to it, and each privilege defines access to specific
configuration settings and pages within the ESM Console. By customizing
a role and assigning specific privileges, you can enforce the separation
of information among functional or regional areas of your organization
to protect the privacy of data on the ESM Console.

The way you configure administrative access depends on the security
requirements of your organization. Use roles to assign specific
access privileges to administrative user accounts. By default, the
ESM Console has built-in roles with specific access rights that
cannot be changed. When new features are added to the product, the
ESM Console automatically adds them to the default role
definitions. The following table lists built-in roles and the access
privileges associated with each:

Full read-write access to the ESM Console.

Read-write access to monitor and configuration
settings pages and read-only access to all other pages in the ESM
Console; does not include the ability to disable all protection.

Read-write access to policy configuration,
monitoring, and settings pages in the ESM Console, including the
ability to disable all protection. This role also includes read-only access
to the agent health pages but no access to the server health or

While you cannot change the privileges associated with the built-in
roles, you can create custom roles that provide more granular access
control over the functional areas of the web interface. For these
roles, you can assign read-write access, read-only access, or no
access to all the ESM Console configuration functions and pages.
For example, you can create a custom role for security administrators
who need to view logs about the status of endpoints but who
do not need to configure security rules.