Identifying users
Getting Started Guide | Forcepoint Web Security Cloud
Once you have completed the initial setup, a single policy applies enforcement to all traffic from your organization's egress IP. In order to implement per-user or per-group policy enforcement, Forcepoint Web Security Cloud must identify specific users. User identification also allows the service to log individuals' internet usage and provide user-based and group-based reporting.
This section discusses the options available for registering users with the service and identifying users when they access the proxy.
Policy selection by IP address
When the cloud service receives a web request, it first identifies the source of the request in order to find the user's account. If the request comes from an IP address that is defined as a connection in a policy, the service identifies the account, and, by default, applies the settings in that policy.
If you wish, you can define additional policies with different connection addresses, which can apply enforcement to different parts of your organization (as identified by egress IP). This is an easy way to apply different policy settings to different geographical offices or network segments.
User authentication is always required for roaming users (those connecting from an unknown IP address), in order to identify the user's account and ensure that the user is entitled to access the service.
Add IP addresses to your policies in the cloud portal via Web > Policy Management > Policies, using the Connections tab.
Policy selection by user
In order to implement user- or group-level control of your organization's web browsing, the service must be able to identify specific users when they request a web resource.
The process by which this occurs is as follows:
If the connection-based policy requires authentication (defined on the Access Control tab), the service will then identify the user.
In order for this to occur, users must be registered with the service, and user authentication must be configured in your policy. See the sections that follow:
User registration methods
You can register users with the service, and assign those users to policies, in a number of ways. User registration methods are as follows:
These methods are outlined below.
Identity management
Registering your users via identity management is the most flexible and scalable option for user management.
We recommend that your synchronization includes:
For advice on configuring identity management, see Planning for your first synchronization in the Web Security Cloud help.
Once you have synchronized your users and groups, assign groups to the relevant policy via the End Users tab of the policy.
Registering by invitation
If you cannot use identity management, you can invite users to register via an option on the End Users tab of a policy. Users can be invited individually by email address, or in bulk via a CSV file. This option may be useful for users on your network who do not appear in your directory, such as third-party contractors.
When end users are invited, an email is sent inviting the user to create a password before using the service. Users are added to the policy after completing registration.
For further information, see Registering by invitation in the Web Security Cloud help.
Self registration
You can add email domains to your policies in order to allow users to self-register with the service using their email address. For example, if your users have email addresses in the form 'user@yourcompany.com', add 'yourcompany.com'. Add domains on the End Users tab of your policy, under Self Registration. Users registering using an email address at this domain will be assigned to the policy.
Domains can also be added at the account level, via Web > Settings > Domains. This associates the domain with all policies, allowing users to self-register to any policy in your account. The actual policy the user is assigned depends on the connection from which they connect: if this matches a proxied connection in a policy, the user is registered to that policy. Users connecting from unknown IP addresses are added to a default policy you can select. (See Configure Domain settings in the Web Security Cloud help.)
Users can self-register by clicking Register on the default logon page shown when they first attempt to browse, or by navigating directly to the self-registration URL:
For further information, see End user self-registration in the Web Security Cloud help.
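The selection rules from "Policy selection by IP address" and the self-registration assignment rules above, modelled as an added Python example (a simplified illustration, not Forcepoint code). The policy names, addresses, and domains are constructed, and checking policy-level domains before account-level domains is an assumption.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Policy:
    name: str
    connections: list                 # egress IPs/ranges (Connections tab)
    require_auth: bool = False        # Access Control tab setting
    self_reg_domains: set = field(default_factory=set)  # End Users tab

# Constructed sample configuration; names and addresses are hypothetical.
POLICIES = [
    Policy("HQ", ["203.0.113.0/24"], True, {"yourcompany.com"}),
    Policy("Branch", ["198.51.100.10/32"]),
    Policy("Roaming", []),
]
ACCOUNT_DOMAINS = {"contractors.example"}  # Web > Settings > Domains
DEFAULT_POLICY = "Roaming"                 # chosen default for unknown IPs

def policy_for_ip(src_ip):
    """Return the policy whose connections contain src_ip, else None."""
    addr = ipaddress.ip_address(src_ip)
    for p in POLICIES:
        if any(addr in ipaddress.ip_network(c) for c in p.connections):
            return p
    return None

def resolve_request(src_ip):
    """Return (policy name or None, authentication required?)."""
    p = policy_for_ip(src_ip)
    if p is None:
        return (None, True)   # roaming: authentication always required
    return (p.name, p.require_auth)

def self_registration_policy(email, src_ip):
    """Return the policy a self-registering user lands in, or None."""
    domain = email.rsplit("@", 1)[-1].lower()
    for p in POLICIES:        # assumption: policy-level domains checked first
        if domain in p.self_reg_domains:
            return p.name
    if domain in ACCOUNT_DOMAINS:
        p = policy_for_ip(src_ip)
        return p.name if p else DEFAULT_POLICY
    return None               # domain not enabled for self-registration
```

In this model, a user at an account-level domain who registers from an unknown IP address lands in the default policy, so the settings of that default policy determine what roaming self-registrants are allowed to do.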
Managing user policy assignment
If you are using identity management, assign groups to the relevant policy via the End Users tab of the policy. Under Identity Management, click Modify list of groups, and select the groups that should be assigned to the policy.
User assignment to policies can be overridden per user by editing the user via the Accounts > End Users page.
You can also add users to policies using a CSV file. Navigate to Web > Policies. Upload a file under Policy Assignment.
Managing policy assignment via your directory
If you are using identity management, you can manage user policy assignment entirely using your identity provider or LDAP directory. Once you have synchronized your users, assign groups to your policies as required.
On the Account > Identity Management screen, click Edit. For the User policy assignment setting, ensure Follow group membership is selected.
With this setting applied, moving users to a different group will automatically update their policy assignment in the portal.

Copyright 2022 Forcepoint. All rights reserved.