About Permissions
Permissions are access rights to SIP features and device data, domains, product modules, as well as to Policy Planner and Policy Optimizer workflow states.
All permissions are granted at the user group level.
Permissions to modules or functions within each category can be granted or revoked by selecting or clearing check boxes, respectively. As you set permissions, the system automatically selects any additional permissions that the one you selected depends on. An indicator icon appears next to each auto-selected permission; hover over the icon to read the reason for the auto-selection. For example, selecting a Write permission automatically selects the corresponding Read permission.
What a user has access to is determined by the granted permissions. All areas of the user interface (UI) remain visible to every user, but a user can only open and use the areas that the assigned permissions allow.
Permissions to grant are Read and Write.
Read means a user can only view information.
Write means a user can view and make changes to information.
Selecting Write will automatically select Read.
Since every user is assigned to the All Users group, FireMon recommends not assigning any permissions to this group.
SIP permissions are organized into the following categories:
System is used to grant permissions that are not specific to any of the other permissions categories.
- Domains is used to grant permissions to view and modify domain-specific settings and data for MSSP deployments. This is set at the Enterprise level.
- Plugins is used to grant access to view or add device packs, report packs, and workflow packs.
Administration is used to grant permissions to perform a variety of administrative tasks. Included in this section are the following:
- Event Log is used to grant access to view events that appear in the Event Log.
- Data Collectors is used to grant permission to manage data collectors.
- Server Licenses is used to grant permission to manage server licenses.
- Assessments and Controls is used to grant permission related to creating and assigning assessments and controls. It is also used for the ability to allowlist a rule.
- Authentication Servers is used to grant permission to manage authentication servers.
- Central Syslog Servers is used to grant permission to manage central syslog servers.
- Reports is used to grant permission to schedule (in Administration) and run (in Security Manager) reports.
- User Groups is used to grant permission to manage user groups.
- Users is used to grant permission to manage users.
- Workflows is used to grant permission to manage workflows and workflow packs.
- Configuration is used to grant permission to manage match patterns for central syslog configuration and collection configurations.
- System Users is for users who have access to a data collector CLI. This user role / permission is set within FMOS. This selection is not visible to users not assigned this role.
- Risk Data is only needed for Risk Analyzer use (Risk Analyzer requires a separate license).
- Rule Documentation is used to grant permission to modify a rule or change a documentation field in the database.
- Administer Workflows is used to grant permission to manage ticket access so that users can only see tickets that have been assigned to them.
- Change Windows is used to grant permission to view and edit change windows.
- Ticket Revert is used to grant a Policy Planner user group member permission to revert a completed ticket.
FireMon Objects is used to grant permissions related to service and service groups, zones, and network segments. Network Segments is also used for Network Tap Groups.
Modules is used to grant permissions to access SIP modules.
For a module, selecting Read grants permission to access the module; it does not mean view-only access.
A separate license is required for Policy Planner, Policy Optimizer, and Risk Analyzer to gain access. Operations Dashboard is part of Policy Planner.
Device Group is used to grant Read (view), Write (modify), or Risk (used with a licensed Risk Analyzer) permissions for device groups within domains.
Workflows are role-based permissions that enable users in this group to perform task actions on Policy Planner and Policy Optimizer tickets that apply to selected devices. The tasks that can be performed are determined by the workflow permission; the devices the user can view in Policy Planner and Policy Optimizer are determined by the device group (or all devices) for which the user holds workflow permissions.
The following three workflow permissions are an exception to the Read / Write permission options. For these, selecting Read grants permission to use the function; it does not mean view-only access.
- View Packet indicates that users are able to view packets for a specific workflow. It makes no distinction between which packets can or cannot be viewed; it only dictates, at the workflow level, whether packets for that workflow can be viewed at all.
- View Secure is a placeholder permission that is not currently used for anything. It is intended to be for fields which contain sensitive data.
- Create Packet indicates that users are able to create packets for a specific workflow.
Permissions Conflicts
Due to the extensive and granular permissions assignments offered, and the ability to place users in multiple user groups, it is possible that users can be assigned conflicting permissions. In cases where the permissions between those groups conflict, the users will be given the most permissive access.
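The two rules above (dependency auto-selection, where Write implies Read, and conflict resolution across multiple groups, where the most permissive access wins) can be modelled in a few lines. The block below is an added example written for this page, not FireMon code and not the way SIP stores permissions internally; the group names, the user-to-group memberships and the permission names used as sample data are constructed for illustration (the permission names are the category and item names from the page). The `explain` helper answers the review question a least-privilege audit usually raises: which group is actually the source of a user's effective permission.

```python
"""Illustrative model of SIP user-group permission semantics (added example).

Assumptions, taken from the page text:
  * permissions are granted only at the user-group level;
  * selecting Write auto-selects Read (the IMPLIED table below);
  * a user in several groups receives the union of their grants, i.e. the
    most permissive access wins;
  * every user belongs to the All Users group, so anything granted there is
    granted to everyone.
All names and sample data below are constructed for illustration.
"""
from dataclasses import dataclass

READ, WRITE = "Read", "Write"

# Dependency table: selecting the key auto-selects the values.
# Only the Write -> Read dependency is stated on the page; other
# dependencies would be added here as further entries.
IMPLIED = {WRITE: {READ}}


def expand(level):
    """Return `level` plus every level it implies (transitive closure)."""
    result, stack = set(), [level]
    while stack:
        lvl = stack.pop()
        if lvl not in result:
            result.add(lvl)
            stack.extend(IMPLIED.get(lvl, ()))
    return frozenset(result)


@dataclass
class UserGroup:
    name: str
    grants: dict  # permission name -> set of levels ticked in the UI

    def effective(self):
        """Grants of this group after dependency auto-selection."""
        out = {}
        for perm, levels in self.grants.items():
            full = frozenset()
            for lvl in levels:
                full |= expand(lvl)
            out[perm] = full
        return out


def effective_permissions(groups):
    """Union over all groups a user belongs to: the most permissive access wins."""
    merged = {}
    for g in groups:
        for perm, levels in g.effective().items():
            merged[perm] = merged.get(perm, frozenset()) | levels
    return merged


def explain(groups, perm, level):
    """Names of the groups that grant `level` on `perm`, directly or by implication.

    This is the question to ask when a user turns out to hold an unexpected
    permission: removing it from one group is not enough if another group
    (including All Users) still grants it.
    """
    return sorted(g.name for g in groups if level in g.effective().get(perm, ()))


def review_all_users(all_users_group):
    """Permissions carried by the All Users group (the page recommends none)."""
    return sorted(p for p, lv in all_users_group.effective().items() if lv)


# --- constructed sample data ---------------------------------------------
# All Users has been given Read on Device Group here deliberately, to show
# how that grant leaks to every user regardless of their other groups.
ALL_USERS = UserGroup("All Users", {"Device Group": {READ}})
AUDITORS = UserGroup("Auditors", {"Event Log": {READ}, "Reports": {READ}})
ADMINS = UserGroup("Firewall Admins", {"Users": {WRITE}, "Device Group": {WRITE}})

ALICE = [ALL_USERS, AUDITORS]          # auditor only
BOB = [ALL_USERS, AUDITORS, ADMINS]    # auditor who is also an admin


if __name__ == "__main__":
    for who, groups in (("alice", ALICE), ("bob", BOB)):
        for perm, levels in sorted(effective_permissions(groups).items()):
            print(f"{who:6} {perm:13} {sorted(levels)}")
    print("Bob has Device Group Read via:", explain(BOB, "Device Group", READ))
    print("All Users carries:", review_all_users(ALL_USERS))
```

Running the block shows Bob ending up with both Read and Write on Users even though his admin group only ticked Write, and shows that his Read on Device Group comes from two groups, so clearing it in Firewall Admins alone would not remove it. The `review_all_users` check is the quick way to confirm the page's recommendation that the All Users group carries no permissions.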