This article provides information on our sub-estate and role-based administration features which combine to create an effective tool for delegating network security management among IT staff in your organization.
Known to apply to the following Sophos product(s) and version(s)
Enterprise Console 4.5.0
Enterprise Console 4.7.0
Enterprise Console 5.0.0
Enterprise Console 5.1.0
Sub-estates are logical subdivisions of your network. Most often, they are the same as your distinct sites, such as a branch office in another city or a manufacturing site in another country. But sometimes you need to set up sub-estates because you have more than 25,000 endpoints that will be managed by Enterprise Console. In this case, you may choose to create one sub-estate for your sales and marketing endpoints, another for your production endpoints and yet another for all of the other departments in your organization. In educational establishments, you may have one sub-estate for the endpoints in the humanities and another for the endpoints in the sciences and all other faculties.
Role-based administration refers to the logical subdivision of responsibilities in each of the sub-estates. For instance, from our previous example, there may be one IT manager in the school of arts and humanities, but three other IT staff of various rank who have different responsibilities over the endpoints computers in that same school. Some of those people may work on a helpdesk within computer labs to help students with immediate problems on computers. These staff may not be responsible for planning security policies. The role that you choose for each individual will reflect these differences in responsibility.
We recommend following these steps when designing your sub-estates and the roles for your network:
- Compile a simple list of the people in your IT department who should have the right to administer computers and perform actions on your network. For each member of IT staff, define what sort of administrative function he or she will serve. For instance, will he/she only respond to malware outbreaks or firewall events, or will this person have responsibility for designing the policies that are used in their sub-estate?
- Once you assemble this list of IT staff, review the list of default roles that are pre-configured in Enterprise Console. Hopefully the mix of responsibilities in these default roles will fit the tasks that your IT staff undertake, but if the roles are not quite right for your organization, you can edit existing roles or create new ones to suit your needs. For more information on managing roles see the section on 'Setting up Enterprise Console' in the Help PDF for your version of the console.
- Define the sub-estates that you will create for your network.
- Map your IT staff to roles within each sub-estate. It may help you to create a simple table.
Bear in mind that you will definitely want some people to have limited rights on more than one sub-estate in order to provide cover for staff vacation and sick days. The System Administrator always has full rights on all sub-estates.
- Now consider the groups that should be part of each sub-estate. If you have not already created your computer groups, read through Best Practice: designing computer groups before completing your sub-estate and role-based administration planning.
Knowing which computer groups go into each sub-estate in advance will save you time and effort if you must move groups (and computers) between sub-estates later.
- While it's possible to put one group of computers into more than one sub-estate, we recommend against this practice as it makes policy deployment and enforcement a bit tricky.
- Once you have placed the groups in the sub-estates, import computers into Enterprise Console (or Synchronize with Active Directory) to place them in the appropriate groups.