Go to the table of contents Go to the previous page Go to the next page View or print as PDF
Delegated Administration and Reporting > The fundamentals of delegated administration > Delegated administration and reporting permissions
Delegated administration and reporting permissions
Administrator Help | Forcepoint Web Security and Forcepoint URL Filtering | v8.5.x
The permissions available to an administrator depend on whether the administrator is assigned to the Super Administrator role, a policy management and reporting role, or an investigative reporting role.
Super Administrator permissions
The Super Administrator role can contain 2 types of administrators: unconditional Super Administrators and conditional Super Administrators.
To create an unconditional Super Administrator account, you can do either of the following on the Global Settings > Administrators page:
*
*
Select the Grant access and the ability to modify access permissions for other accounts option for the Web module.
Unconditional Super Administrators can:
*
*
*
*
*
*
*
*
*
(Forcepoint Web Security only) Open the Content Gateway manager via a button on the Settings > General > Content Gateway Access page and be logged on automatically, without having to provide credentials.
When an unconditional Super Administrator adds additional administrators to the Super Administrator role (via the Policy Management > Delegated Administration page), the new administrators are granted conditional permissions.
Unlike unconditional Super Administrators, whose permissions cannot be changed, conditional Super Administrators can be granted a combination of policy management, reporting, and access permissions.
*
Full policy permissions allow conditional Super Administrators to:
*
*
*
*
Exceptions only permissions allow conditional Super Administrators to create and edit exceptions. (Exceptions permit or block URLs for specified users, regardless of which policy normally governs their Internet access.)
Policies, filters, filter components, the Filter Lock, and all Settings pages are hidden for Super Administrators with exceptions only permissions.
*
Reporting permissions allow conditional Super Administrators to:
*
*
If an administrator is granted reporting permissions only, the Check Policy tool does not appear in the Toolbox.
*
Real-Time Monitor permissions allow Super Administrators to monitor all Internet activity for each Policy Server associated with the Forcepoint Security Manager.
*
Content Gateway direct access permissions allow Super Administrators to be logged on to the Content Gateway manager automatically via a button on the Settings > General > Content Gateway Access page in the Forcepoint Security Manager.
Only one administrator at a time can log on to a role with full policy or exceptions only permissions. Therefore, if an administrator is logged on to the Super Administrator role to perform policy or configuration tasks, other Super Administrators can log on with only reporting, auditor, or status monitor permissions in the role. Super Administrators also have the option to select a different role to manage.
To switch to another role after logon, go to the Role drop-down list in the Web Security toolbar and select a role.
Policy Management and Reporting permissions
Delegated administrators in policy management and reporting roles can be given any combination of the following permissions:
*
Full policy permissions allow delegated administrators to create and manage filter components (including custom categories and recategorized URLs), filters (category, protocol, and limited access), policies, and exceptions (black and white lists) for their managed clients.
Filters created by delegated administrators are restricted by the Filter Lock, which may designate some categories and protocols as blocked and locked. These categories and protocols cannot be permitted by delegated administrators. (As part of enforcing the Filter Lock, delegated administrators cannot give their managed clients password override permissions.)
Only one administrator at a time can log on to a role with policy permissions. Therefore, if an administrator is logged on to a role to perform policy tasks, other administrators in the role can log on with auditing (read-only), reporting, or Real-Time Monitor permissions only. Administrators who have been assigned to multiple roles also have the option to select a different role to manage.
To switch to another role after logon, go to the Role drop-down list in the Web Security toolbar and select a role.
*
Exceptions only permissions allow delegated administrators to create and manage exceptions for managed clients in their role. (Exceptions permit or block URLs for specified users, regardless of which policy normally governs their Internet access.)
Policies, filters, and filter components are hidden for delegated administrators with exceptions only permissions.
*
Deployment status permissions allow delegated administrators to review component status on the Status > Deployment page. Delegated administrators with deployment status permissions can also be granted permission to start components, stop components, or both.
*
Reporting permissions can be granted in either of 2 general categories: report on all clients, or report on only managed clients in the role.
*
*
*
Real-Time Monitor permissions allow administrators to monitor all Internet activity for each Policy Server associated with the Forcepoint Security Manager.
Investigative reporting permissions
Administrators in investigative reporting roles can create investigative reports for managed clients in their role. (Clients' policies are managed in other roles.) They can also use the URL Category, URL Access, and Investigate User tools.
These administrators do not have access to presentation reports or Real-Time Monitor, but can optionally be allowed to view charts on the Status > Dashboard page.
Auditors
Any conditional Super Administrator or delegated administrator account can be granted Auditor permissions. An auditor can see most Web module features and functions, but cannot save any changes.
Instead of the OK and Cancel buttons that allow other administrators to cache or discard changes, Auditors are given a single Back button. The Save and Deploy button is disabled.

Go to the table of contents Go to the previous page Go to the next page View or print as PDF
Delegated Administration and Reporting > The fundamentals of delegated administration > Delegated administration and reporting permissions
Copyright 2018 Forcepoint. All rights reserved.