Restricting administrator editing rights in Engine Policies example

You can restrict the editing rights of network administrators in your organization, as needed.

Company C is implementing a distributed network with multiple sites: one central office where most of the administrators work, and several branch offices in different countries. The branch offices mostly have IT staff with only limited networking experience, who are nevertheless responsible for the day-to-day maintenance of the network infrastructure at their site. They must be able, for example, to add and remove Access rules for testing purposes without always contacting the main administrators.

The administrators decide to limit the permissions of the branch office IT staff so that each branch office can edit only the policy of its own engine, and not the policies of the engines at any of the other sites. The administrators:
  1. Create a Firewall Template Policy and select the predefined Firewall Template as the basis of the policy.
  2. Add rules to the Firewall Template Policy using Alias elements to cover the essential services that each of these sites has, such as the SD-WAN connections to the central site.

    Using a common Firewall Template Policy for all branch offices also eliminates the need to make the same changes in several policies, easing the workload.

  3. Create an Engine Policy based on the new Firewall Template Policy for each of the branch office sites.

    Although the same Engine Policy might work for all sites, in this case the administrators decide against it. Separate policies are needed to separate the editing rights per site. Because the policies are based on the same Firewall Template Policy, the shared rules are still inherited from the template without duplicating them manually.

  4. Grant each Engine Policy to the correct Engine element.

    After this, only the correct policy can be installed on each engine. No other policy is accepted.

  5. Create administrator accounts with restricted rights for the branch office administrators and grant the correct Engine element and Engine Policy to each administrator.
    • The branch office administrators are now restricted to editing one Engine Policy and can install it only on the correct engine.
    • The branch office administrators are not allowed to edit the Firewall Template Policy on which their Engine Policy is based, so the rules shared by all branch offices remain under the control of the central administrators. They also cannot install any other policies on any other engines.