Not everyone who logs into Sophos UTM‘s web admin interface needs full admin access. Perhaps you need to provide read-only access to an auditor, or define separate roles and responsibilities for your operations team.
This article takes you through configuring these different levels of access using Sophos UTM’s Access Control feature.
Sophos UTM Access Control Configuration
Sophos UTM enables granular access control over the various components. It allows you to create your own groups, and add varying levels of access to different areas.
There are two levels of access.
- Read-only access (associated with Auditor rights)
- Read-and-Write Access (associated with Manager rights)
To demonstrate, let’s set up a user to only adjust the Web Protection feature, such as editing website exclusions.
Step 1. Define the User
For our example, we will use local accounts. But you can just as easily use an Active Directory account.
- In Sophos UTM’s Web Admin interface, go to Definitions & Users | Users & groups | Users | + New Users
- Username : webprotectionadmin
- Authentication: Local
- Specify and Repeat a password
- Click Save
Note: To use an Active Directory account you would simply specify the login name and select Remote for authentication.
Step 2. Create a Group
While you can manage access on a per user basis, this can become tiresome for large environments where you have multiple people performing the same roles. For these situations, you can manage access via groups:
- Go to Definitions & Users | Users & groups | Groups | + New Group
- Group name: Web Protection Admins
- Group Type: Static members
- Add the webprotectionadmin user created earlier into the member list
- Click Save
Step 3. Define the Access Control Role
In this step, we are going to associate our user and group with the different levels of admin access.
- Go to Management | Web Admin Settings | Access Control | +New Role
- Name: Web Protection Admins
- Members: Add the Web Protection Admins group created in the previous step
- Rights: Check Web Protection manager
- Click Save
Step 4. Test the new User Role
Open a new browser window and log in as the user you just created. You will notice that your available options have significantly decreased. You are however, still able to make changes to the relevant Web Protection Section.
You do have access to additional areas, such as Logging and Reporting, however those sections only contain the sub-features related to Web Protection (such as viewing the Web Protection logs and reports).
Step 5. Granting Additional Read-only Access
Locking down a user account like the one we just created is great from a control perspective as you limit the scope of what a delegated administrator can do. However, you have also reduced the visibility of some sections of the UTM that they may find useful.
Sophos UTM enables you to allocate Auditor rights, in order to provide the administrator with a more complete view of the UTM, without giving away more access.
- Go to Management | Web Admin Settings | Access Control
- Edit the Web Protection Admins Role
- Check the following boxes
- Log File Auditor
- Network Protection Auditor
- Web Application Protection Auditor
- Click Save
Now log in as the webprotectionadmin user again and you will notice you have access to additional sections, via a more complete list of items in the left hand navigation panel. Most of these features will provide read-only access.
Note: The UI does not disable or ‘grey’ anything out when you only have read access, it looks like you have write access until you try to change something. When you do, an information box will popup indicating that permission is denied.
Overcoming Reporting Limitations
Even after providing delegated administrators with access to all web protection related items, they will still have a limited view of actual user activity. If they are to make decisions about what sites to include or exclude in policies, they need better reporting and alerting capabilities than even the on-box or iView’s reporting features provide.
The best way of providing additional visibility of the traffic, along with customized real-time traffic alerts is to use Fastvue Sophos Reporter. The Web Protection dashboard view gives administrators instant visibility over a range of parameters they would need to consider for the administration of the Sophos UTM, such as which policy is responsible for blocking or allowing specific websites. This information is crucial if they need to modify web policies with white or black lists and minimizes troubleshooting time.
The Sophos UTM Access Control functionality allows you to safely delegate routine tasks relating to web access administration, without exposing the entire UTM’s feature set.
Since users are being granted access to change certain aspects of the UTM, it is a great idea to go one step further and secure the account using 2 Factor authentication for logging into the Webadmin console.