This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

WebAdmin - Access control - more granular settings

Hi everyone,

i need more granular settings for Access control or maybe there is a combination i did not see.

I need some IT users to access Users & Groups with full access (or even more granular would be great)

They should be able to download the ssl packages and/or delete/add/change something.

is there a way to achieve this?

Best regards

Stephan



This thread was automatically locked due to age.
Parents Reply Children
  • Hi,

    there is no option and i do not want the users to download their config by themself.

    Best regards

    Stephan

  • I believe what you want to do is not possible, Stephan.  If Sophos Support tells you differently, please come back and let us know.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • But when this is not possible than user sync should also delete not existing or deactivated account from Sophos UTM.

    Normally the people that create and delete users are not the ones administering the Firewall.

     

    I currently have an open case with Sophos. I will create one after this one is solved ;)

  • Maybe the picture is not as bleak as you fear.

    • All of our UTM usage, other than Admin, is linked to Active Directory users.  We use Active Directory authorization server for our primary domain, LDAP for other domans.   I have documented the LDAP setup in the Wiki.   Users do not need or receive a UTM account until they need remote access with OTP (WAF, VPN SSL, HTML5 VPN).
    • For Remote Access with OTP, we add them to Active Directory groups, and then their UTM account is created when they use the User Portal to scan their QR code.  Obviously, other methods are available for issuing the QR code from WebAdmin
    • At termination, disabling or deleting the Active Directory account will not remove the UTM account, but it will render it useless.
    • For higher levels of automation, use the RestFUL API.    You seem to be an organization that would want to have these tasks integrated into an automated provisioning system. 

     

    Does this help?

  • I already implemented the first 2 steps.

    But for compliance reasons we need to delete the accounts also - i know about point 3.

    I will have a look at the RestFUL API. As we are already use a script for deleting the users from AD maybe i can use this to delete also the accounts from UTM.

     

    Thanks for your help.

  • Great job of hearing the question behind the question, Doug.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA