Understanding Admin Roles

The Admin Roles page is where Forcepoint ONE SSE admins create distinct admin roles to assign to users or groups. A role's permissions can be set to Edit, View, or Disabled (hidden) for each individual tab and for the sub-components within the tab.

Do not layer admin roles by assigning roles both to groups and to individual users who are members of those groups. If you want a user to hold a specific admin role individually (for example, the sys admin role), make sure that user is not also a member of a group with a different admin role. Forcepoint ONE SSE will display an error on the user's profile if there is a role conflict because the user belongs to multiple groups with admin roles.
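As an added illustration (not Forcepoint's code or API), the following Python model captures the rule above: a role carries a per-tab Edit/View/Disabled level, and a user who receives admin roles from more than one source (several groups, or a group plus a direct assignment) is flagged as a conflict. The class and role names, and the choice to resolve a conflict to no access, are assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional
# Per-tab levels named on the page; this is a constructed model, not the product API.
EDIT, VIEW, DISABLED = "Edit", "View", "Disabled"
@dataclass
class AdminRole:
    name: str
    tab_permissions: Dict[str, str]  # tab name -> EDIT | VIEW | DISABLED
    def permission_for(self, tab: str) -> str:
        # A tab the role does not mention is hidden.
        return self.tab_permissions.get(tab, DISABLED)

@dataclass
class Group:
    name: str
    admin_role: Optional[AdminRole] = None

@dataclass
class User:
    name: str
    groups: List[Group] = field(default_factory=list)
    admin_role: Optional[AdminRole] = None  # role assigned directly to the user

def role_sources(user: User) -> List[AdminRole]:
    # One entry per group that carries a role, plus the direct role if any.
    roles = [g.admin_role for g in user.groups if g.admin_role is not None]
    if user.admin_role is not None:
        roles.append(user.admin_role)
    return roles

def role_conflict(user: User) -> Optional[str]:
    # The layering the page warns against: roles from several groups, or a group plus a direct role.
    roles = role_sources(user)
    if len(roles) > 1:
        return f"{user.name}: admin role conflict between {[r.name for r in roles]}"
    return None

def effective_permission(user: User, tab: str) -> str:
    # No role, or conflicting roles, means no access to the tab (assumption of this model).
    roles = role_sources(user)
    if not roles or role_conflict(user):
        return DISABLED
    return roles[0].permission_for(tab)

# Constructed sample data: a view-only custom role via a group, plus a user layered with a direct role.
SYS_ADMIN = AdminRole("System Administrator", {"IAM": EDIT, "Applications": EDIT})
IAM_VIEWER = AdminRole("IAM viewer", {"IAM": VIEW})
PROD_ADMINS = Group("Production Admins", admin_role=IAM_VIEWER)
alice = User("alice", groups=[PROD_ADMINS])
bob = User("bob", groups=[PROD_ADMINS], admin_role=SYS_ADMIN)
```

Running `role_conflict(bob)` reproduces the kind of profile error the page describes, while `alice` resolves cleanly to View on IAM and Disabled elsewhere.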

Default Administrative Roles

The very first account created in the admin portal is set to the System Administrator role. System Administrators have the most control of any account type and are generally used to set up, manage, and modify settings for the entire company they are part of.

  • Multiple System Administrators can be configured. A minimum of two should be created for a live deployment (one for nominal tasks and the other as a backup). If you are deploying the AD Sync Agent, it needs a separate user account with System Administrator access to operate correctly.
  • System Administrators are limited to local authentication only. This is intentional: it preserves access to settings if a 3rd party (SSO or AD) authentication method fails and needs to be changed. As a System Administrator, you can still log in to the user portal; however, it is generally desirable to have a separate user account.
  • The Admin portal timeout is set separately from the user timeout. You can adjust the default timeout by navigating to the IAM > Admin Roles page and modifying the Max Session Timeout value in minutes.

Custom Admin Roles

  • Custom Admin Roles can be limited to Read/Write, Read, or Deny access for each tab. New Applications can only be created by System Admins; custom admins do not have this privilege. Custom admins can only modify Policies and Objects under Applications.

    Restrictive access to selective Groups or Policies can be added into roles. For example, a role could be created which only has access to modify users in the Production Users group, while all other groups would be inaccessible.

  • Custom Admins are allowed to have any authentication type, unlike System Administrators. They will be locked out if there is a problem with 3rd party authentication.