Restricting administrator editing rights in IPS Policies example

You can restrict the policy editing rights of administrators so that each administrator can edit only the policy used by the IPS engines at their own site.

Company A is implementing a distributed network with multiple sites: one central office where most of the administrators work, and several branch offices in different countries. The branch offices mostly have IT staff with limited networking experience who are nevertheless responsible for the day-to-day maintenance of the network infrastructure and the IPS engines at their site. They must be able to, for example, add and remove Access rules for testing purposes without always contacting the main administrators.

The administrators decide to limit the permissions of the branch office IT staff so that they are not able to edit the policies of the IPS engines at any of the other sites. The administrators:
  1. Create an IPS Template Policy based on the predefined IPS Template.
  2. Add rules to the IPS Template Policy using Alias elements to cover the essential services that each of these sites has.

    Using a common IPS Template Policy for all branch offices eliminates the need to make the same changes in several policies, easing the workload.

  3. Create an IPS Policy based on the new template for each of the branch office sites.

    Although a single IPS Policy for all sites could work technically, in this case the administrators decide against it. Editing rights are granted per policy element, so a branch office administrator who could edit a shared policy could change rules that apply to every site. Separate policies are therefore needed for the separation of editing rights. Because the policies are based on the same template, the shared rules are still maintained in one place rather than duplicated manually in each policy.

  4. Grant each IPS Policy to the correct IPS engine elements.

    After this, only the granted IPS Policy can be installed on each IPS engine; no other policy is accepted by that engine.

  5. Create accounts with restricted rights for the branch office administrators and grant the correct IPS engine element and IPS Policy to each administrator.
    • The branch office administrators are now restricted to editing one IPS Policy and can install it on the correct IPS engine.
    • The branch office administrators are not allowed to edit the template the IPS Policy is based on. They also cannot install any other policies on any other IPS engines.
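
To make the separation of rights in steps 3 to 5 concrete, the following is an added model of the grant relations; it is not SMC code and does not use any SMC API, and the template, policy, engine and account names in it are made up for illustration. It checks edit and install requests against the granted elements and computes which engines an administrator's policy edits can reach, comparing the per-site design chosen above with the single shared policy that the administrators rejected.

```python
# Added illustration of the grant-based access control described in the example.
# Not Forcepoint/SMC code; all element and account names below are constructed.
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    name: str
    is_template: bool = False


@dataclass
class Grants:
    """Which elements have been granted to which engines and administrators."""
    policies: dict[str, Policy]
    # IPS Policy name -> engines the policy has been granted to (step 4)
    policy_to_engines: dict[str, set[str]]
    # restricted administrator -> IPS Policies granted to the account (step 5)
    admin_policies: dict[str, set[str]]
    # restricted administrator -> IPS engine elements granted to the account (step 5)
    admin_engines: dict[str, set[str]]

    def can_edit(self, admin: str, policy: str) -> bool:
        # The template is never granted to branch office accounts, so it stays read-only for them.
        if self.policies[policy].is_template:
            return False
        return policy in self.admin_policies.get(admin, set())

    def can_install(self, admin: str, policy: str, engine: str) -> bool:
        # The account needs both the policy and the engine, and the engine
        # accepts only a policy that has been granted to it (step 4).
        return (policy in self.admin_policies.get(admin, set())
                and engine in self.admin_engines.get(admin, set())
                and engine in self.policy_to_engines.get(policy, set()))

    def engines_affected_by_edits(self, admin: str) -> set[str]:
        """Every engine whose rules this administrator can change by editing a policy."""
        affected: set[str] = set()
        for name in self.policies:
            if self.can_edit(admin, name):
                affected |= self.policy_to_engines.get(name, set())
        return affected


TEMPLATE = "Branch Office IPS Template"  # the template from step 1 (constructed name)


def per_site_setup() -> Grants:
    """The design chosen in the example: one IPS Policy per site, all based on one template."""
    return Grants(
        policies={
            TEMPLATE: Policy(TEMPLATE, is_template=True),
            "Berlin IPS Policy": Policy("Berlin IPS Policy"),
            "Paris IPS Policy": Policy("Paris IPS Policy"),
        },
        policy_to_engines={"Berlin IPS Policy": {"Berlin IPS"},
                           "Paris IPS Policy": {"Paris IPS"}},
        admin_policies={"berlin_admin": {"Berlin IPS Policy"},
                        "paris_admin": {"Paris IPS Policy"}},
        admin_engines={"berlin_admin": {"Berlin IPS"}, "paris_admin": {"Paris IPS"}},
    )


def single_policy_setup() -> Grants:
    """The rejected alternative: one shared IPS Policy granted to every branch engine."""
    return Grants(
        policies={TEMPLATE: Policy(TEMPLATE, is_template=True),
                  "Branch Office IPS Policy": Policy("Branch Office IPS Policy")},
        policy_to_engines={"Branch Office IPS Policy": {"Berlin IPS", "Paris IPS"}},
        admin_policies={"berlin_admin": {"Branch Office IPS Policy"},
                        "paris_admin": {"Branch Office IPS Policy"}},
        admin_engines={"berlin_admin": {"Berlin IPS"}, "paris_admin": {"Paris IPS"}},
    )


if __name__ == "__main__":
    for label, g in (("per-site policies", per_site_setup()),
                     ("single shared policy", single_policy_setup())):
        reach = sorted(g.engines_affected_by_edits("berlin_admin"))
        print(f"{label}: edits by berlin_admin reach {reach}")
```

The shared-policy variant makes the reason for step 3 visible: the Berlin administrator still cannot install anything on the Paris engine, yet any rule change in the shared policy reaches the Paris engine the next time the policy is installed there. When granting elements in a real deployment, review the policy-to-engine and administrator-to-element pairs in the same way.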