Documentation | Support

Go to the table of contents Go to the previous page Go to the next page View or print as PDF
Delegated Administration Quick Start : Create Web delegated administration roles
Create Web delegated administration roles
Delegated Administration | Web Protection Solutions | v8.4.x, v8.5.x | 29-Apr-2022
Delegated administration roles are made up of any number of related clients (directory, computer, or network) and the administrators who manage their policies, run reports on their Internet usage, or both. There are 2 role types:
*
Policy management and reporting: User policies are managed by administrators in the role. Administrators in the role can optionally also run reports, either on clients in the role, or on all clients.
Clients can be added to only one policy management and reporting role.
*
Investigative reporting: Administrators can run investigative reports showing Internet activity for only managed clients in the role. Client policies are managed in other roles.
Clients can be added to multiple investigative reporting roles.
A role can include multiple administrators, and different administrators within a role can have different privileges. For example, the Intern policy management and reporting role might have one administrator responsible for creating policies, but who does not have any reporting permissions, and another administrator responsible for running weekly or monthly reports on Internet usage by clients in the role, but with no policy permissions.
Super Administrators manage policy for those clients not assigned to a delegated administration role.
To create a role:
1.
In the Security Manager, go to the Main > Policy Management > Delegated Administration page. A list of existing roles is displayed. Initially, this shows only the Super Administrator role.
2.
Click Add.
3.
Provide a Role Name and Description, and then specify the role type.
*
The role type determines the permissions that can be granted to administrators in the role.
*
If you are creating a policy management and reporting role, indicate whether to copy all Super Administrator policies, filters, and filter components to the new role.
If this option is not selected, only one policy is created for the role: a Default policy that enforces a copy of the Super Administrator's Default category and protocol filters.
4.
Click OK to continue to the Edit Role page, where you can define the administrators and clients in the role.
Add administrators to the role
To add delegated administrators:
1.
Click the Add button below the Administrators list.
2.
Select administrators to add to the role, and then click the appropriate right-arrow button to add them to the Selected list.
3.
If you have created a policy management and reporting role, use the Policy management, Reporting, and Real-Time Monitor check boxes to indicate which general permissions the selected administrators should have. If you grant policy permissions, also select a radio button:
*
Full policy permissions allow administrators to create and manage policies, filters, filter components, and exceptions for their managed clients.
*
Exceptions only permissions allow administrators to create exceptions that permit or block specific URLs for managed clients, but not to create or edit policies, filters, or filter components.
*
Auditor permissions allow administrators read-only access to the policy management features accessible to administrators with full policy permissions in the role.
If you have created an investigative reporting role, there are no permissions to configure on this page.
4.
Click OK to return to the Edit Role page.
5.
Refine permissions for administrators in the role as follows:
*
For policy management and reporting roles, optionally update the permissions granted to an administrator using the Policy Management drop-down list and the Reporting and Real-Time Monitor check boxes in the Administrators list.
Under Deployment Status Permissions, specify whether administrators can view the Status > Deployment page, and whether they can use the page to start and stop components.
Under Reporting Permissions, specify which reporting tools administrators with reporting permissions can access.
*
For investigative reporting roles, use the Reporting Permissions check boxes to determine what reporting features are available to administrators in the role. Options that require permissions to report on all clients are disabled.
When you are finished adding administrators, continue with Add clients to the role.
Add clients to the role
To add clients to the role:
1.
Click the Add button under the Managed Clients list to add clients to the role.
2.
Select or enter clients to add, and then click the right-arrow button to move them to the Selected list.
*
Expand the Directory Entries tree to browse your directory service for users, groups, and domains (OUs). Mark the check box next to an entry to select it.
*
Enter individual IP addresses or IP address ranges to add as computer and network clients in this role.
 
* 
Important 
Clients can be added to only one policy management and reporting role.
*
IP addresses and ranges added to one role cannot overlap IP addresses and ranges already added to other roles.
*
If a user belongs to 2 groups, each of which is in a separate role, you can configure which role's policy takes precedence. See the Administrator Help for details.
3.
Click OK to return to the Edit Role page.
When you are finished making changes to the role, click OK to return to the Delegated Administration page, and then click Save All or Save and Deploy to implement your changes.

Go to the table of contents Go to the previous page Go to the next page View or print as PDF
Delegated Administration Quick Start : Create Web delegated administration roles
Copyright 2022 Forcepoint. All rights reserved.