WebAdmin: Custom Administration Roles
Expand granularity of WebAdmin roles. Current access gives an "Office Manager" too much control across too many areas under each "manager" or "auditor" level term. We have the need to let one person Release Spam and add URLs to control office traffic.
It would be nice if there was a list of available areas and operations with the ability for us to make a role composed of our selections.
Please add a user authorization level where only Activate/Deactivate is possible. It's needed for implementation of the four-eyes principle, which is recommended by BSI.
My feature is that one Admin can create a rule and another Admin then can turn it on. In addition it would be great if you could have only a Firewall admin and only a VPN admin (separately).
While Network Security Manager is already possible, it would be helpful if "Site-to-Site VPN" was an available right in the Web-Admin Access Control. Then it would be possible to set up a user who can only access that specific feature without them having other network security access.
We have a client that requested access to be able to add websites to the whitelist themselves. Currently we take care of this for them, but their concern was what if we aren't available and they need access immediately.
We do not want to give them access to the whole Web Security but only to the URL Filtering.
This would be a great feature and could also be used for report viewing as well.
John Sinclair commented
Need to have an admin come in just in order to do some OTP user cleanup. The admin/read only rights need to be extended to all webadmin categories so we can create our own RBAC accounts.
We've been after this function for ages as well. I often have to check status of RED connections or check other settings when our main UTM administrator isn't in. But I'm not allowed to edit any. Now I have to log in as superadmin to check these items. We need to be able to configure a group with any permissions as we please per category. Read-only or full access choice too. But currently this is only possible for a very limited number of functions like mailmanager. Would be great to see this added ASAP, because the function is there (management > webadmin settings > access control), but just not all options are possible to choose from. It shouldn't be hard to add, but I see it's been a request for many years.
It would be very useful to be able to access the parts of the WebAdmin for these individual roles (Mail Manager, VPNManager) directly rather than having to access the whole WebAdmin Interface.
E.g., a URL that went directly to Mail Manager with the login page if required would be a great advantage.
It would be useful to add an access control role limited to site-to-site VPN management.
Right, I read this as a request to be able to limit access overall to VPN users. Oliver is suggesting that it be possible to delegate Site-to-Site VPN management just as it now is possible to delegate Remote Access management.
Oliver Lubek commented
Ok, after asking on the forum we agreed that this is currently not possible, hence it stays a feature request.
Oliver Lubek commented
It is? The Sophos support team told me it's not and I should go post it as a feature request. Anyway I'll post that question on the forum, thanks Bob.
Oliver, this is possible now. Ask on the User BB: http://www.astaro.com
Sean, you didn't say what version. In V8.2, you can add "Any" to 'Users/Groups allowed to bypass blocking', and then each bypass will be reported - that way they never have to wait on you.
Also in V8, it is possible to give them access to reports and to view things while preventing them from making any changes.