Compartilhar via


About Forefront TMG roles and permissions

Updated: February 1, 2011

Applies To: Forefront Threat Management Gateway (TMG)

Forefront TMG provides roles for administering and auditing Forefront TMG for a single Forefront TMG server, an array of Forefront TMG servers, or multiple Forefront TMG arrays. A role defines a collection of rights, which authorize users and groups to perform specific actions. Roles are implemented using Windows discretionary access control lists (DACL). For more information about DACLs, see Access Control Lists (https://go.microsoft.com/fwlink/?LinkId=150480).

Forefront TMG administrative roles can be assigned to any Windows user or group; no special privileges or Windows permissions are required. The following exceptions apply:

  • Roles should not be assigned to CREATOR OWNER, CREATOR GROUP, or their security identifiers (SIDs).

  • To view the Forefront TMG performance counters by using Perfmon or the Forefront TMG Dashboard, the user must be a member of the Windows Server 2008 Performance Monitor Users group.

This topic provides information on:

  • Administrative Roles and permissions

  • Roles and actions

For instructions on how to configure roles, see Configuring roles and permissions.

Administrative Roles and permissions

You can assign two levels of Forefront TMG administrative roles:

  • Array-level roles—For the administration of a single Forefront TMG server or a single Forefront TMG array.

  • Enterprise-level roles—For the administration of the enterprise, including all the Forefront TMG arrays, via an Enterprise Management Server (EMS). This option is only available to users of Forefront TMG Enterprise.

The permissions that are associated with each role are as follows:

  • Array-level administrative roles

  • Enterprise-level administrative roles

Array-level administrative roles

The following table lists the Forefront TMG array-level administrative roles, and describes the permissions that are granted to users who are assigned each role.

Note

Users who belong to the local Administrators group on a computer running the Forefront TMG services, do not need to be assigned a role; they have full array-level rights to administer and audit Forefront TMG.

Role Permissions

Forefront TMG Array Monitoring Auditor

Monitor basic server and network activity across a Forefront TMG array. Cannot view the Forefront TMG configuration.

Forefront TMG Array Auditor

Perform all monitoring tasks across a Forefront TMG array, including most log configuration and alert definition configuration, with the following exceptions:

  • Cannot configure a different user account when publishing reports.

  • Cannot customize report contents.

In addition, Forefront TMG array auditors can view the Forefront TMG configuration.

Forefront TMG Array Administrator

Perform any administrative task across a Forefront TMG array, including rule configuration, applying of network templates, and monitoring, as well as running highly privileged processes on the Forefront TMG server.

Enterprise-level administrative roles

The following table lists the Forefront TMG enterprise-level administrative roles, and describes the permissions that are granted to users who are assigned each role.

Role Permissions

Forefront TMG Enterprise Auditor

Perform all monitoring tasks across Forefront TMG enterprise arrays, including most log configuration and alert definition configuration, with the following exceptions:

  • Cannot configure a different user account when publishing reports.

  • Cannot customize report contents.

In addition, Forefront TMG enterprise auditors can view the Forefront TMG configuration.

Forefront TMG Enterprise Administrator

Perform any administrative task across Forefront TMG enterprise arrays, including enterprise policies, rule configuration, applying of network templates, and monitoring, as well as running highly privileged processes on the Forefront TMG server.

Roles and actions

Each Forefront TMG role defines a list of rights that authorize users to perform specific actions on Forefront TMG. These actions are typically Forefront TMG administrative tasks. Array administrators can perform these actions across a single Forefront TMG array; enterprise administrators can perform them across an enterprise array.

The following table lists some actions and the roles in which they are performed.

Action Monitoring Auditor Auditor Administrator

View Dashboard, alerts, connectivity, sessions, services

Allowed

Allowed

Allowed

Acknowledge and reset alerts

Allowed

Allowed

Allowed

View log information

Not allowed

Allowed

Allowed

Create alert definitions

Not allowed

Not allowed

Allowed

Create reports

Not allowed

Allowed

Allowed

Stop and start sessions and services

Not allowed

Allowed

Allowed

View firewall policy

Not allowed

Allowed

Allowed

Configure firewall policy

Not allowed

Not allowed

Allowed

Configure cache

Not allowed

Not allowed

Allowed

Configure a virtual private network (VPN)

Not allowed

Not allowed

Allowed

Drain and stop network load balanced (NLB) firewall or Web Proxy load balanced server

Not allowed

Allowed

Allowed

View local configuration (in Active Directory Lightweight Directory Services on array member)

Not allowed

Allowed

Allowed

Change local configuration (in Active Directory Lightweight Directory Services on array member)

Not allowed

Not allowed

Allowed

Concepts

Installation design guide for Forefront TMG