Customized role permissions

Configure customized permissions for the role as follows:

Steps

  1. Under Status, select the status reports to which this role should have access:
    • The Dashboard shows system alerts, statistics, and an incident summary over the last 24 hours.
    • The System Health screen enables you to monitor the performance of Forcepoint DLP servers and protectors.
    • The Endpoint Status screen summarizes the results of endpoint connectivity tests. (Not included in Forcepoint Web Security or Forcepoint Email Security.)
    • The Mobile Status contains details of the traffic being monitored by Forcepoint DLP over specific periods, such as data that has breached policies and the actions taken.
  2. Under Reporting, select the Data Loss Prevention & Mobile incident and reporting functions that this role should be able to access.
    • Select Summary reports to give administrators with this role access to data loss prevention summary reports.
    • Select Detail reports to give administrators with this role access to data loss prevention incident detail reports. When this option is selected, several more options become available:
      • Select View violation triggers to allow administrators to view the values that trigger violations.
      • Select View forensics to allow administrators to view forensics for this incident. (Users who aren’t allowed to see this confidential data cannot see a preview of the email message or the content of the transaction in other channels.)
      • Select Perform operations on incidents to allow administrators with this role to perform all escalation, remediation, and workflow operations on data loss prevention or mobile incidents.
      • Select Export incidents to a PDF or CSV file to allow administrators with this role to bulk export DLP or mobile incidents from an incident report to a PDF or CSV file. Exports include all data in the current report.
    • Select Incident Risk Ranking reports to allow administrators with this role to access Incident Risk Ranking and My Case reports.
    • Select Hide source or select Destination to prevent administrators with this role from seeing source or destination information like user names and IP addresses. Instead, reports will show sources and destinations as unique IDs generated by the system.

      These permissions do not affect the source and destination fields in the syslog. Syslog always displays names.

      In addition, these permissions do not affect the source and destination fields in:
      • Incident Export - in order to prevent the administrators from viewing the source and destination, make sure the ‘All other general settings’ option is disabled.
      • Traffic Log - in order to prevent the administrators from viewing the information, make sure the ‘Traffic log’ option is disabled.
  3. Select the Discovery incident and reporting functions for this role. Discovery functions are not included in Forcepoint Web Security or Forcepoint Email Security.
    • Summary reports - Select this option to give administrators with this role access to discovery summary reports.
    • Detail reports - Select this option to give administrators with this role access to discovery detail reports. When this option is selected, more options become available:
      • View violation triggers - Select this option if you want the administrator to view the values that trigger discovery violations.
      • Perform operations on incidents - Select this option if you want administrators with this role to be able to perform all escalation, remediation, and workflow operations on discovery incidents.
      • Export incidents to a PDF or CSV file - Select this option if you want to allow administrators with this role to bulk export discovery incidents from an incident report to a PDF or CSV file. Exports include all data in the current report.
  4. Mark Send email notifications if administrators with this role should be notified when an incident is assigned to them.
  5. Under Policy Management, select one of the following permission options for each of the policy management functions:
    • Restricted - to hide the policy management option from the DATA Module menu. The administrator will not be able to access the function.
    • Read only - to show the policy management function, but the administrator will only be able to view it.
    • Edit - to allow the administrator to do the following for each policy management function:
      • Data loss prevention policies - By selecting Edit, the administrator can configure DLP policies for all channels as well as content classifiers and resources.
      • Discovery policies - By selecting Edit, the administrator can configure discovery policies, tasks, content classifiers, and resources.
      • Sample database records - By selecting Edit, the administrator can view sample database information when editing a database fingerprinting classifier, including database, Salesforce, and CSV classifiers.
        • This is offered on the Field Selection page of the fingerprinting wizard when you define the records to fingerprint. It allows you to verify that you’ve set up the classifier as intended. See Database Fingerprinting Wizard - Field Selection section for more details.
        • Administrators can always view sample data when creating a new classifier, but you may not want all administrators to view data set up by others. If you clear this box, this option is grayed out for administrators with this role.
      • Import/Export policies - By selecting Allow, the administrator can export and import policies from a source Forcepoint Security Manager system to another Forcepoint Security Manager system. By selecting Restricted, the administrator will not be able to access the function.
    Note:
    1. Sample database records cannot have a higher permission than both Data loss prevention policies and Discovery policies.

      Its permission must be equal to or lower than the permission of at least one of the two, Data loss prevention policies or Discovery policies. For example, the following combination cannot be applied:
      • Sample database records - Edit
      • Data loss prevention policies - Read only
      • Discovery policies - Read only
    2. Because Data loss prevention policies and Discovery policies can share the same resources, they can only be assigned the same permission: both Read only or both Edit.
  6. Under Logs, select the logs to which this role should have access.
    • The Traffic log contains details of the traffic being monitored by Forcepoint DLP over specific periods, such as data that has breached policies and the actions taken.
    • The System log displays system events sent from different Forcepoint components, for example Forcepoint DLP servers, protectors, or policy engines.
    • The Audit log displays actions performed by administrators in the system.
  7. Under Settings, select which General settings options administrators with this role should be able to access.
    • Services - Administrators can configure local and external services like Linking Service and Microsoft RMS.
    • Archive Partitions - Administrators can select incident partitions, then archive, restore or delete them.
    • Policy Updates - Administrators can update predefined policies to the latest version.
    • Analytics - Administrators can configure settings used to calculate risk scores in the Incident Risk Ranking report.
    • All other general settings - Administrators can configure all other settings in the Settings > General menu.
  8. Indicate whether administrators in this role can configure Data Security module Authorization settings.
  9. Under Deployment, select which functions administrators with this role should be able to perform.
    • Manage system modules - Give this role the ability to register modules with the management server.
    • Manage endpoint profiles - Give this role the ability to view and edit endpoint profiles. Administrators can add new endpoint profiles, delete profiles, and rearrange their order. (Not included in Forcepoint Web Security or Forcepoint Email Security.)
    • Deploy settings - Give this role the ability to deploy configuration settings to all system modules.
  10. Click OK to save your changes.
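
The constraints in the step 5 note and the Hide source/Destination caveats in step 2 can be checked before a role is saved. The following is an added example, not Forcepoint code: the dictionary layout, key names, and finding codes are hypothetical, the sample roles are constructed, and note 2 is read as "if neither permission is Restricted, they must match".

```python
# Added example: audits a role definition against the constraints on this page.
# The dict layout and key names are hypothetical (the product exposes these
# settings in the management console); the sample roles are constructed.
RANK = {"Restricted": 0, "Read only": 1, "Edit": 2}

def audit_role(role):
    """Return a list of (code, message) findings for one role definition."""
    findings = []
    pm = role["policy_management"]
    dlp, disc = pm["dlp_policies"], pm["discovery_policies"]
    sample = pm["sample_database_records"]

    # Note 1: Sample database records may not outrank both policy permissions.
    if RANK[sample] > max(RANK[dlp], RANK[disc]):
        findings.append(("SAMPLE_TOO_HIGH",
                         f"Sample records is {sample}; DLP {dlp}, Discovery {disc}"))

    # Note 2, as read here (assumption): if neither is Restricted, they must match.
    if "Restricted" not in (dlp, disc) and dlp != disc:
        findings.append(("POLICY_MISMATCH", f"DLP is {dlp} but Discovery is {disc}"))

    # Step 2 caveat: hiding source/destination in reports does not cover
    # Incident Export, the Traffic log, or syslog.
    if role["hide_source"] or role["hide_destination"]:
        if role["settings"]["all_other_general_settings"]:
            findings.append(("EXPORT_SHOWS_NAMES", "'All other general settings' is enabled"))
        if role["logs"]["traffic_log"]:
            findings.append(("TRAFFIC_LOG_SHOWS_NAMES", "'Traffic log' is enabled"))
        findings.append(("SYSLOG_SHOWS_NAMES", "syslog always displays names"))
    return findings

def codes(role):
    """Finding codes only, in the order they were raised."""
    return [code for code, _ in audit_role(role)]

# Constructed sample: the invalid combination from the note, with hiding enabled.
BAD_ROLE = {
    "policy_management": {"dlp_policies": "Read only", "discovery_policies": "Read only",
                          "sample_database_records": "Edit"},
    "hide_source": True, "hide_destination": False,
    "settings": {"all_other_general_settings": True}, "logs": {"traffic_log": True}}
# Constructed sample: consistent permissions, export and traffic log closed off.
GOOD_ROLE = {
    "policy_management": {"dlp_policies": "Edit", "discovery_policies": "Edit",
                          "sample_database_records": "Edit"},
    "hide_source": True, "hide_destination": True,
    "settings": {"all_other_general_settings": False}, "logs": {"traffic_log": False}}

if __name__ == "__main__":
    for name, role in (("BAD_ROLE", BAD_ROLE), ("GOOD_ROLE", GOOD_ROLE)):
        for code, msg in audit_role(role):
            print(f"{name}: {code}: {msg}")
```

The remaining SYSLOG_SHOWS_NAMES finding on the second role cannot be cleared through role permissions, so access to the syslog destination has to be restricted separately.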