Creating custom Admin Roles

Forcepoint ONE SSE comes with a default System Administrator role. The System Administrator role has full rights to the portal.

This role can also be assigned to local users or local groups, and it is recommended that you have at least two additional users with System Administrator rights. Also, only users assigned the System Administrator role can create custom administrator roles.

Steps

  1. Navigate to IAM > Admin Roles.
  2. To create a new Admin Role, click the green plus icon at the top right-hand corner.

    The Add Admin Role dialog box opens.

  3. Enter a name for the role in the Name field.
  4. Adjust the access controls as needed.

    For each of the main tabs and their subsequent pages, an Admin Role can be granted Edit or View access, or be Disabled from viewing the tab or page at all.

    1. To restrict which domains or groups role admins can view inside Forcepoint ONE SSE, click the applicable option under the Users and Groups section:
      • Email Domains - Restricts role admins to viewing information about users and groups only from the selected email domains, both on the IAM > Users and Groups page and within the logs.
      • Groups - Restricts role admins to viewing information about users and groups only from the selected groups, both on the IAM > Users and Groups page and within the logs.


      For example, if a user account is restricted to only the Sales group, then on the IAM > Users and Groups page they will only see users belonging to the Sales group, and under the Analyze > Logs pages they will only see log events from the Sales group.
    2. To restrict role admins to specific applications on the Protect > Policies page and within the logs pages, click the Selected option and then adjust the access controls as needed.


      For example, if you have Microsoft 365 and Dropbox as applications, but the role only has access to Microsoft 365, then a user with that role will only see the Microsoft 365 app on the Protect > Policies page and will only see event information related to Microsoft 365 under the Analyze > Logs pages. They will not see any information or events pertaining to Dropbox.
    If an admin role restricts edit/view access to specific email domains and/or users/groups as well as to specific applications, that role can only view information that matches both restrictions. For example, restricting a role to the Sales group and to Microsoft 365 means the role will only see and/or edit the Microsoft 365 app and will only see log information from Sales group members in Microsoft 365; it will see no other applications, even if those members also use other apps such as Dropbox.
  5. To hide users' location information from role admins, select the Hide user location information in logs and reports checkbox.
  6. Review the access controls and click Save.
    The created Admin Role appears on the IAM > Admin Roles page.
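The scoping rule in steps 4 and 5 (user/group restriction AND application restriction must both match, with location optionally hidden) is easy to get wrong when reasoning about what a role admin will actually see. The following Python model is an added illustration, not Forcepoint's code or API: the `AdminRole` class, the `visible_events` function, and the log event fields (`user`, `group`, `app`, `location`) are assumptions chosen to mirror the page's description, and the sample events are constructed.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample log events (not real Forcepoint data). Each event
# records the acting user, that user's group, the application involved
# and the user's location, which is the field step 5 hides.
SAMPLE_EVENTS = [
    {"id": 1, "user": "alice@example.com", "group": "Sales",       "app": "Microsoft 365", "location": "Paris, FR"},
    {"id": 2, "user": "alice@example.com", "group": "Sales",       "app": "Dropbox",       "location": "Paris, FR"},
    {"id": 3, "user": "bob@example.com",   "group": "Engineering", "app": "Microsoft 365", "location": "Austin, US"},
    {"id": 4, "user": "carol@example.org", "group": "Sales",       "app": "Microsoft 365", "location": "Lyon, FR"},
]


@dataclass(frozen=True)
class AdminRole:
    """Hypothetical model of a custom Admin Role's log/user visibility scope.

    A value of None for groups, email_domains or apps means 'no restriction';
    an empty frozenset means 'nothing allowed'.
    """
    name: str
    groups: Optional[frozenset] = None
    email_domains: Optional[frozenset] = None
    apps: Optional[frozenset] = None
    hide_location: bool = False


def _user_in_scope(role: AdminRole, event: dict) -> bool:
    # The Users and Groups restriction (step 4.1) applies to the user side of the event.
    if role.groups is not None and event["group"] not in role.groups:
        return False
    if role.email_domains is not None:
        domain = event["user"].rsplit("@", 1)[-1].lower()
        if domain not in role.email_domains:
            return False
    return True


def _app_in_scope(role: AdminRole, event: dict) -> bool:
    # The application restriction (step 4.2) applies to the app side of the event.
    return role.apps is None or event["app"] in role.apps


def visible_events(role: AdminRole, events: list) -> list:
    """Return copies of the events a role admin may see.

    Both the user scope and the app scope must match (logical AND). When
    hide_location is set, the location field is redacted rather than the
    event being dropped, so the admin still sees that the event occurred.
    """
    out = []
    for ev in events:
        if not (_user_in_scope(role, ev) and _app_in_scope(role, ev)):
            continue
        ev = dict(ev)  # copy so the source log is never mutated
        if role.hide_location:
            ev["location"] = "[hidden]"
        out.append(ev)
    return out


def visible_ids(role: AdminRole, events: list = SAMPLE_EVENTS) -> list:
    """Convenience helper: just the ids of the events the role can see."""
    return [ev["id"] for ev in visible_events(role, events)]


if __name__ == "__main__":
    # The page's own example: Sales group + Microsoft 365 only, location hidden.
    sales_m365 = AdminRole("Sales M365 viewer",
                           groups=frozenset({"Sales"}),
                           apps=frozenset({"Microsoft 365"}),
                           hide_location=True)
    for ev in visible_events(sales_m365, SAMPLE_EVENTS):
        print(ev)  # events 1 and 4; Alice's Dropbox event (2) is excluded
```

Running the block shows that a role scoped to Sales and Microsoft 365 sees Alice's Microsoft 365 event but not her Dropbox event, exactly the "matches both restrictions" behaviour described in step 4. Because `visible_events` copies each event before redacting, the underlying log store keeps its location data for roles that are allowed to see it.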

Next steps

You can assign the created custom Admin Role while editing users and groups on the IAM > Users and Groups page.