Delegated administration and reporting permissions

Administrator Help | Forcepoint Web Security and Forcepoint URL Filtering | v8.5.x

The permissions available to an administrator depend on whether the administrator is assigned to the Super Administrator role, a policy management and reporting role, or an investigative reporting role.

Super Administrator permissions

The Super Administrator role can contain 2 types of administrators: unconditional Super Administrators and conditional Super Administrators.

To create an unconditional Super Administrator account, you can do either of the following on the Global Settings > Administrators page:

Create a Global Security Administrator account.

Select the Grant access and the ability to modify access permissions for other accounts option for the Web module.

Unconditional Super Administrators can:

Access all system configuration settings in the Web module (managed via the Settings options).

Add or remove administrators in the Super Administrator role.

Create or edit the Filter Lock that blocks certain categories and protocols for all users managed by delegated administration roles. See Creating a Filter Lock.

Manage policies for clients in the Super Administrator role, including the Default policy that applies to all clients not assigned another policy in any role.

Create and run reports on all clients, regardless of which role they are assigned to.

Access Real-Time Monitor.

Review component status and stop or start components from the Status > Deployment page.

Review the audit log, which records administrator access to and actions within the Web module.

(Forcepoint Web Security only) Open the Content Gateway manager via a button on the Settings > General > Content Gateway Access page and be logged on automatically, without having to provide credentials.

When an unconditional Super Administrator adds additional administrators to the Super Administrator role (via the Policy Management > Delegated Administration page), the new administrators are granted conditional permissions.

Unlike unconditional Super Administrators, whose permissions cannot be changed, conditional Super Administrators can be granted a combination of policy management, reporting, and access permissions.

Full policy permissions allow conditional Super Administrators to:

Create and edit delegated administration roles, filter components, filters, policies, and exceptions, and to apply policies to clients that are not managed by any other role.

Access database download, directory service, user identification, and Network Agent configuration settings. Conditional Super Administrators with reporting permissions can also access configuration settings for the reporting tools.

Create and edit delegated administration roles, but not to delete roles or remove the administrators or managed clients assigned to them.

Exceptions only permissions allow conditional Super Administrators to create and edit exceptions. (Exceptions permit or block URLs for specified users, regardless of which policy normally governs their Internet access.)

Policies, filters, filter components, the Filter Lock, and all Settings pages are hidden for Super Administrators with exceptions only permissions.

Reporting permissions allow conditional Super Administrators to:

Access Status > Dashboard page charts.

Run investigative and presentation reports on all users.

If an administrator is granted reporting permissions only, the Check Policy tool does not appear in the Toolbox.

Real-Time Monitor permissions allow Super Administrators to monitor all Internet activity for each Policy Server associated with the Forcepoint Security Manager.

Content Gateway direct access permissions allow Super Administrators to be logged on to the Content Gateway manager automatically via a button on the Settings > General > Content Gateway Access page in the Forcepoint Security Manager.

Only one administrator at a time can log on to a role with full policy or exceptions only permissions. Therefore, if an administrator is logged on to the Super Administrator role to perform policy or configuration tasks, other Super Administrators can log on with only reporting, auditor, or status monitor permissions in the role. Super Administrators also have the option to select a different role to manage.

To switch to another role after logon, go to the Role drop-down list in the Web Security toolbar and select a role.

Policy Management and Reporting permissions

Delegated administrators in policy management and reporting roles can be given any combination of the following permissions:

Full policy permissions allow delegated administrators to create and manage filter components (including custom categories and recategorized URLs), filters (category, protocol, and limited access), policies, and exceptions (black and white lists) for their managed clients.

Filters created by delegated administrators are restricted by the Filter Lock, which may designate some categories and protocols as blocked and locked. These categories and protocols cannot be permitted by delegated administrators. (As part of enforcing the Filter Lock, delegated administrators cannot give their managed clients password override permissions.)

Only one administrator at a time can log on to a role with policy permissions. Therefore, if an administrator is logged on to a role to perform policy tasks, other administrators in the role can log on with auditing (read-only), reporting, or Real-Time Monitor permissions only. Administrators who have been assigned to multiple roles also have the option to select a different role to manage.

To switch to another role after logon, go to the Role drop-down list in the Web Security toolbar and select a role.

Exceptions only permissions allow delegated administrators to create and manage exceptions for managed clients in their role. (Exceptions permit or block URLs for specified users, regardless of which policy normally governs their Internet access.)

Policies, filters, and filter components are hidden for delegated administrators with exceptions only permissions.

Deployment status permissions allow delegated administrators to review component status on the Status > Deployment page. Delegated administrators with deployment status permissions can also be granted permission to start components, stop components, or both.

Reporting permissions can be granted in either of 2 general categories: report on all clients, or report on only managed clients in the role.

Any delegated administrator with reporting permissions can be given access to the Status > Dashboard page, investigative reports, and the Settings pages used to manage Log Server and the Log Database.

Delegated administrators with the option to report on all clients can also be given access to presentation reports.

Real-Time Monitor permissions allow administrators to monitor all Internet activity for each Policy Server associated with the Forcepoint Security Manager.

Investigative reporting permissions

Administrators in investigative reporting roles can create investigative reports for managed clients in their role. (Clients' policies are managed in other roles.) They can also use the URL Category, URL Access, and Investigate User tools.

These administrators do not have access to presentation reports or Real-Time Monitor, but can optionally be allowed to view charts on the Status > Dashboard page.

Auditors

Any conditional Super Administrator or delegated administrator account can be granted Auditor permissions. An auditor can see most Web module features and functions, but cannot save any changes.

Instead of the OK and Cancel buttons that allow other administrators to cache or discard changes, Auditors are given a single Back button. The Save and Deploy button is disabled.