About Forefront TMG roles and permissions
Updated: February 1, 2011
Applies To: Forefront Threat Management Gateway (TMG)
Forefront TMG provides roles for administering and auditing Forefront TMG for a single Forefront TMG server, an array of Forefront TMG servers, or multiple Forefront TMG arrays. A role defines a collection of rights, which authorize users and groups to perform specific actions. Roles are implemented using Windows discretionary access control lists (DACL). For more information about DACLs, see Access Control Lists (https://go.microsoft.com/fwlink/?LinkId=150480).
Forefront TMG administrative roles can be assigned to any Windows user or group; no special privileges or Windows permissions are required. The following exceptions apply:
Roles should not be assigned to CREATOR OWNER, CREATOR GROUP, or their security identifiers (SIDs).
To view the Forefront TMG performance counters by using Perfmon or the Forefront TMG Dashboard, the user must be a member of the Windows Server 2008 Performance Monitor Users group.
This topic provides information on:
Administrative Roles and permissions
Roles and actions
For instructions on how to configure roles, see Configuring roles and permissions.
Administrative Roles and permissions
You can assign two levels of Forefront TMG administrative roles:
Array-level roles—For the administration of a single Forefront TMG server or a single Forefront TMG array.
Enterprise-level roles—For the administration of the enterprise, including all the Forefront TMG arrays, via an Enterprise Management Server (EMS). This option is only available to users of Forefront TMG Enterprise.
The permissions that are associated with each role are as follows:
Array-level administrative roles
Enterprise-level administrative roles
Array-level administrative roles
The following table lists the Forefront TMG array-level administrative roles, and describes the permissions that are granted to users who are assigned each role.
Note
Users who belong to the local Administrators group on a computer running the Forefront TMG services do not need to be assigned a role; they have full array-level rights to administer and audit Forefront TMG. Because this grant does not appear in the role assignments, an audit of who can administer Forefront TMG must include the membership of the local Administrators group on every array member.
Role | Permissions |
---|---|
Forefront TMG Array Monitoring Auditor | Monitor basic server and network activity across a Forefront TMG array. Cannot view the Forefront TMG configuration. |
Forefront TMG Array Auditor | Perform all monitoring tasks across a Forefront TMG array, including most log configuration and alert definition configuration, with the following exceptions: In addition, Forefront TMG array auditors can view the Forefront TMG configuration. |
Forefront TMG Array Administrator | Perform any administrative task across a Forefront TMG array, including rule configuration, applying network templates, and monitoring, as well as running highly privileged processes on the Forefront TMG server. |
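The following PowerShell script is an added example and is not code from the Forefront TMG documentation or product. It lists every principal that can administer or audit the local array: the delegated role assignments held in the array configuration, plus the members of the local Administrators group, who have full array-level rights without a role assignment. It also flags the two cases the page warns about, a role assigned to CREATOR OWNER or CREATOR GROUP (well-known SIDs S-1-3-0 and S-1-3-1), and an auditor who is not in Performance Monitor Users and so cannot see the counters in Perfmon or the Dashboard. The COM object model it relies on (`FPC.Root`, `GetContainingArray()`, the `AdministrationDelegation` collection with `Name` and `Role` properties) and the integer-to-role mapping in `$RoleNames` are assumptions to be checked against the Forefront TMG SDK; the local-group enumeration uses the ADSI WinNT provider, which is available on Windows Server 2008.

```powershell
# Added example: enumerate who holds Forefront TMG array-level rights on this server.
# Run on an array member with the Forefront TMG services installed.
# ASSUMPTIONS (verify against the Forefront TMG SDK):
#   - the FPC.Root COM object exposes GetContainingArray()
#   - FPCArray.AdministrationDelegation is a collection whose items carry Name and Role
#   - the integer Role values below map to the three array-level roles
$RoleNames = @{
    0 = 'Forefront TMG Array Monitoring Auditor'   # assumed value
    1 = 'Forefront TMG Array Auditor'              # assumed value
    2 = 'Forefront TMG Array Administrator'        # assumed value
}

# Well-known SIDs that must never be assigned a role (see the exceptions above).
$ForbiddenPrincipals = @('CREATOR OWNER', 'CREATOR GROUP', 'S-1-3-0', 'S-1-3-1')

function Get-TmgArrayDelegation {
    # Returns one object per delegated role assignment on the containing array.
    $root  = New-Object -ComObject 'FPC.Root'
    $array = $root.GetContainingArray()
    foreach ($item in $array.AdministrationDelegation) {
        $roleId = [int]$item.Role
        $label  = if ($RoleNames.ContainsKey($roleId)) { $RoleNames[$roleId] } else { "Unknown role id $roleId" }
        [pscustomobject]@{ Principal = [string]$item.Name; Role = $label; Source = 'TMG delegation' }
    }
}

function Get-LocalGroupMembersViaAdsi {
    # Direct members of a local group as DOMAIN\name strings (nested groups are not expanded).
    param([Parameter(Mandatory)][string]$GroupName)
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/$GroupName,group"
    foreach ($m in @($group.Invoke('Members'))) {
        $path = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        ($path -replace '^WinNT://', '') -replace '/', '\'
    }
}

# Local Administrators hold Array Administrator rights implicitly, with no role assignment.
$implicitAdmins = foreach ($p in Get-LocalGroupMembersViaAdsi -GroupName 'Administrators') {
    [pscustomobject]@{ Principal = $p; Role = 'Forefront TMG Array Administrator (implicit)'; Source = 'Local Administrators group' }
}

$all = @(Get-TmgArrayDelegation) + @($implicitAdmins)
$all | Sort-Object Role, Principal | Format-Table -AutoSize

# Check 1: roles assigned to CREATOR OWNER / CREATOR GROUP or their SIDs.
foreach ($e in $all | Where-Object { $_.Source -eq 'TMG delegation' }) {
    $bare = ($e.Principal -split '\\')[-1]
    if ($ForbiddenPrincipals -contains $bare.ToUpperInvariant()) {
        Write-Warning "Role '$($e.Role)' is assigned to $($e.Principal); remove it (roles must not be assigned to CREATOR OWNER or CREATOR GROUP)."
    }
}

# Check 2: auditors who cannot see counters in Perfmon or the Dashboard.
# Direct-membership comparison only; a principal reached through a nested group is not detected.
$perfmonUsers = @(Get-LocalGroupMembersViaAdsi -GroupName 'Performance Monitor Users')
foreach ($e in $all | Where-Object { $_.Role -like '*Auditor*' }) {
    if ($perfmonUsers -notcontains $e.Principal) {
        Write-Warning "$($e.Principal) holds '$($e.Role)' but is not a direct member of Performance Monitor Users; Perfmon and Dashboard counters will not be visible."
    }
}
```

Run it on each array member rather than once per array: the delegation list is array-wide, but the local Administrators and Performance Monitor Users groups are per-server, so the implicit rights can differ from one member to the next.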
Enterprise-level administrative roles
The following table lists the Forefront TMG enterprise-level administrative roles, and describes the permissions that are granted to users who are assigned each role.
Role | Permissions |
---|---|
Forefront TMG Enterprise Auditor | Perform all monitoring tasks across Forefront TMG enterprise arrays, including most log configuration and alert definition configuration, with the following exceptions: In addition, Forefront TMG enterprise auditors can view the Forefront TMG configuration. |
Forefront TMG Enterprise Administrator | Perform any administrative task across Forefront TMG enterprise arrays, including enterprise policies, rule configuration, applying network templates, and monitoring, as well as running highly privileged processes on the Forefront TMG server. |
Roles and actions
Each Forefront TMG role defines a list of rights that authorize users to perform specific actions on Forefront TMG. These actions are typically Forefront TMG administrative tasks. Array administrators can perform these actions across a single Forefront TMG array; enterprise administrators can perform them across all the arrays in the enterprise.
The following table lists some actions and the roles in which they are performed.
Action | Monitoring Auditor | Auditor | Administrator |
---|---|---|---|
View Dashboard, alerts, connectivity, sessions, services | Allowed | Allowed | Allowed |
Acknowledge and reset alerts | Allowed | Allowed | Allowed |
View log information | Not allowed | Allowed | Allowed |
Create alert definitions | Not allowed | Not allowed | Allowed |
Create reports | Not allowed | Allowed | Allowed |
Stop and start sessions and services | Not allowed | Allowed | Allowed |
View firewall policy | Not allowed | Allowed | Allowed |
Configure firewall policy | Not allowed | Not allowed | Allowed |
Configure cache | Not allowed | Not allowed | Allowed |
Configure a virtual private network (VPN) | Not allowed | Not allowed | Allowed |
Drain and stop network load balanced (NLB) firewall or Web Proxy load balanced server | Not allowed | Allowed | Allowed |
View local configuration (in Active Directory Lightweight Directory Services on array member) | Not allowed | Allowed | Allowed |
Change local configuration (in Active Directory Lightweight Directory Services on array member) | Not allowed | Not allowed | Allowed |