
Once you have defined the Domains and the elements that belong to them, you must also define which administrators are allowed to log in to the Domains and manage the elements.

Accounts with restricted privileges can be created within any Domain, but you cannot move administrator accounts from one Domain to another, so make sure that you are logged in to the right Domain before creating the accounts. Unrestricted accounts can only exist in the Shared Domain. To give an administrator account access to several Domains, you must define the Administrator element in the Shared Domain. Each Web Portal User account is always bound to a single Domain. For more information, see Administrator Accounts (page 57).

Using Domains

Default Categories for Domains

You can set default Categories to filter the displayed elements for each Domain. For more information, see Categories (page 71).

Examples of Domains

The examples in this section illustrate a common use for Domains and general steps on how each scenario is configured.

Creating Separate Domains for Different Customers

Company A is a Managed Security Service Provider (MSSP) with a large number of customers. It is important that the networks of different customers are kept separate and that the administrators who manage the customer networks are only allowed to see the networks for which they are responsible. Most of the administrators only manage a single customer’s network, but some of the administrators are responsible for several customers’ networks.

The administrator at Company A decides to use Domain elements to group together the elements belonging to each customer and to make it easier to manage the different customer networks. The administrator also decides to use Category elements to tag the existing elements that will be included in each Domain. As the user database information must not be available across Domains, the administrator decides to use an external LDAP server in each Domain for user authentication. Company A’s administrator:

1. Arranges a service break with the customers before introducing Domains into the system.

2. Logs in to the Shared Domain and creates the following elements:

• A separate Domain element for each customer.

• The Administrator elements (the administrator accounts) for the administrators who manage several customers’ networks in several Domains.

• A Category element for each customer’s elements.

3. Defines a default Category Filter that includes the customer-specific Category for each customer’s elements.

4. Logs in to each customer’s Domain and creates the Administrator elements (the administrator accounts) for the administrators who manage only that particular customer’s network.

5. While logged in to each Domain, configures the elements for using an external LDAP server for authenticating the users in the Domain and for storing the Domain’s user database.

6. While logged in to the Shared Domain, moves all the customer-specific elements from the Shared Domain to the correct customer-specific Domain.

• To make it easier to move the elements, the administrator first selects the customer-specific Category and then all the elements that belong to the Category.

7. When all the customers’ Domains and their elements have been configured and the service break is over, the administrators for each customer company log in to the Management Client.

• The administrators who are responsible for a single customer’s networks automatically log in to the Domain assigned to them when they log in to the Management Client. They only see the elements that belong to their own configuration as well as the elements in the Shared Domain.

• The administrators who have permissions in several Domains must select the Domain when they have logged in to the Management Client.
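
The isolation rule behind steps 6 and 7, as an added example that is not part of the SMC documentation or product: a Python check over a planned element inventory that flags customer-tagged elements left in the Shared Domain (which administrators in every Domain can see) and multi-Domain administrator accounts not defined in the Shared Domain. The inventory format and every name in it are constructed assumptions.

```python
# Added example: models the Domain visibility rule described above; not SMC code.
# The record layout is an assumption and all sample records are constructed.
SHARED = "Shared Domain"

# Constructed inventory: each element lives in one Domain and carries Category tags.
ELEMENTS = [
    {"name": "fw-cust1-edge", "domain": "Customer1", "categories": {"Customer1"}},
    {"name": "net-cust1-lan", "domain": "Customer1", "categories": {"Customer1"}},
    {"name": "fw-cust2-edge", "domain": "Customer2", "categories": {"Customer2"}},
    # Tagged for Customer2 but never moved out of the Shared Domain (missed in step 6).
    {"name": "net-cust2-dmz", "domain": SHARED, "categories": {"Customer2"}},
    {"name": "svc-http", "domain": SHARED, "categories": {"System Elements"}},
]

# Constructed accounts: "home" is the Domain where the Administrator element is defined.
ADMINS = [
    {"name": "alice", "home": "Customer1", "domains": {"Customer1"}},
    {"name": "bob", "home": SHARED, "domains": {"Customer1", "Customer2"}},
    {"name": "carol", "home": "Customer2", "domains": {"Customer1", "Customer2"}},
]

def visible(login_domain, elements):
    """Element names seen from a Domain: its own elements plus the Shared Domain's."""
    return {e["name"] for e in elements if e["domain"] in (login_domain, SHARED)}

def stranded_in_shared(elements, customer_categories):
    """Customer-tagged elements still in the Shared Domain, visible from every Domain."""
    return sorted(e["name"] for e in elements
                  if e["domain"] == SHARED and e["categories"] & customer_categories)

def misplaced_admins(admins):
    """Accounts planned for several Domains but not defined in the Shared Domain."""
    return sorted(a["name"] for a in admins
                  if len(a["domains"]) > 1 and a["home"] != SHARED)

if __name__ == "__main__":
    customers = {"Customer1", "Customer2"}
    print("left in Shared Domain:", stranded_in_shared(ELEMENTS, customers))
    print("Customer1 admin sees:", sorted(visible("Customer1", ELEMENTS)))
    print("must be defined in Shared Domain:", misplaced_admins(ADMINS))
```
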

Creating Separate Domains for Different Sites

Company B is a large enterprise planning a new system. The system will include 12 different sites, each of which will contain 10 networks. The administrators at each site only need to be able to see the networks at their own sites. As all the sites belong to the same enterprise, the headquarters administrator decides to use the Management Server’s internal LDAP user database for user authentication in all the Domains even if this means that all the administrators in each Domain will be able to view the user database information.

The headquarters administrator:

1. Logs in to the Shared Domain and creates Domains to represent each of the 12 sites.

2. Configures the user database and user authentication using the SMC’s internal LDAP directory while logged in to the Shared Domain.

3. Logs in to each Domain that represents a site’s configuration and creates the elements for the Domain:

• The Administrator elements (the administrator accounts) for the administrators of each site.

• All the other elements that belong to each Domain.

When the administrators at each site log in to the Management Client, they also automatically log in to the Domain assigned to them. They only see the elements that belong to their own site’s configuration and also the elements in the Shared Domain.

CHAPTER 9

CATEGORIES

A Category is a label for grouping together related elements for the purpose of filtering elements that are displayed in the Management Client.

The following sections are included:

Overview of Categories

Configuration of Categories

Examples of Categories

Overview of Categories

In a large installation, there can be hundreds of elements, but you usually do not need to work with all of the elements at the same time. Category elements allow you to group together related elements according to any criteria you want. Using Categories, you can quickly filter your Management Client view. Elements that do not belong to the selected Category are filtered out so that only the relevant elements are visible. This allows you to manage a large number of elements more efficiently by making it easier to find the elements you need.

Configuration of Categories

You can create as many Category elements as you need. You can modify the contents of the Categories by adding or removing elements. Each element can belong to several Categories.

Default Categories

There are two predefined Categories:

The System Elements Category is assigned to all the default elements in the SMC. You can use it to display all the predefined elements in the system.

The Not Categorized Category contains all the elements that have not yet been assigned a Category.

Configuration Workflow

The following sections provide an overview of the configuration tasks. Detailed step-by-step instructions can be found in the Management Client Online Help and the McAfee SMC Administrator’s Guide.
