by Etienne Liebetrau
Not everyone who logs into Sophos UTM's web admin interface needs full admin access. Perhaps you need to provide read-only access to an auditor, or define separate roles and responsibilities for your operations team.
This article takes you through configuring these different levels of access using Sophos UTM's Access Control feature.
Sophos UTM enables granular access control over the various components. It allows you to create your own groups, and add varying levels of access to different areas.
There are two levels of access: write access to a section, and read-only Auditor access.
To demonstrate, let's set up a user to only adjust the Web Protection feature, such as editing website exclusions.
For our example, we will use local accounts. But you can just as easily use an Active Directory account.
Note: To use an Active Directory account, you would simply specify the login name and select Remote for authentication.
While you can manage access on a per-user basis, this can become tiresome in large environments where multiple people perform the same roles. For these situations, you can manage access via groups.
In this step, we are going to associate our user and group with the different levels of admin access.
Open a new browser window and log in as the user you just created. You will notice that your available options have significantly decreased. You are, however, still able to make changes to the relevant Web Protection section.
You do have access to additional areas, such as Logging and Reporting, however those sections only contain the sub-features related to Web Protection (such as viewing the Web Protection logs and reports).
Locking down a user account like the one we just created is great from a control perspective as you limit the scope of what a delegated administrator can do. However, you have also reduced the visibility of some sections of the UTM that they may find useful.
Sophos UTM enables you to allocate Auditor rights, in order to provide the administrator with a more complete view of the UTM, without giving away more access.
Now log in as the webprotectionadmin user again and you will notice you have access to additional sections, via a more complete list of items in the left-hand navigation panel. Most of these features will provide read-only access.
Note: The UI does not disable or 'grey out' anything when you only have read access; it looks like you have write access until you try to change something. When you do, an information box will pop up indicating that permission is denied.
Even after providing delegated administrators with access to all web protection related items, they will still have a limited view of actual user activity. If they are to make decisions about what sites to include or exclude in policies, they need better reporting and alerting capabilities than even the on-box or iView's reporting features provide.
The best way of providing additional visibility of the traffic, along with customized real-time traffic alerts is to use Fastvue Sophos Reporter. The Web Protection dashboard view gives administrators instant visibility over a range of parameters they would need to consider for the administration of the Sophos UTM, such as which policy is responsible for blocking or allowing specific websites. This information is crucial if they need to modify web policies with white or black lists and minimizes troubleshooting time.
The Sophos UTM Access Control functionality allows you to safely delegate routine tasks relating to web access administration, without exposing the entire UTM's feature set.
Since users are being granted access to change certain aspects of the UTM, it is a great idea to go one step further and secure the account with two-factor authentication for logging into the WebAdmin console.
Download our FREE 14-day trial, or schedule a demo and we'll show you how it works.