Configuring permissions

By default, all rights are assigned to the master user (the initial contact established in your account, with super administrator privileges). When the master user creates a new user, by default only the View All Reports permission is assigned to that account. This is the minimum permission a user needs to be able to log on; it grants permissions over only the Reporting tab on the main menu bar.

We provide flexible users’ rights so you can create a hierarchy of administrators. For example, much of the functionality accessed from the portal is useful for help desk agents to aid with problem isolation; but they do not necessarily require control over policy configuration.

Likewise, you should assign Directory Synchronization privileges to the contact you set up for the Directory Synchronization Client (see Set up authentication (Directory Synchronization only)) but no-one else should need this privilege.

Permissions are granted at an account and policy level. This lets you create multiple policies, and administrators can control their own policy but no one else’s.

Note: Visibility for some account and policy permissions depends upon the permission being assigned to your administrator account. If your administrator account does not have full account level permissions, you are only able to view or modify settings for policies you have been explicitly given permissions to. For example, full account level permission is required to access the Global Custom Category list.

To modify an administrator user’s permissions:

Steps

  1. On the Account > Contacts page, click the name of the user whose permissions you want to edit in the User Name column of the Contacts table (not the Full Name column).
  2. Click Edit.
  3. Under Account Permissions, mark or clear check boxes to add or remove permissions.
    Refer to the list below for more information about each permission set.
  4. Use the Policy Permissions table to add or remove policy, audit trail, and related permissions.
    • Refer to the list below for information about each permission set.
    • To refine policy-level permissions, click Advanced.
    Note: The Advanced button does not show for contacts with Manage Users permissions, because their selected permissions will apply to all policies.
  5. Use the Group Filtering for Cloud Web Reporting options to restrict reporting access to selected groups.
    • When you select one or more groups, only the users in those groups are visible in the reports that the selected administrator can run.
    • Group filtering can be combined with the View Filtered Reports option for a Web policy: for example, a user can view only reports that apply to the IT and Engineering groups in the Default policy.
    Note: The Group Filtering for Cloud Web Reporting option may not be enabled in your account.
  6. When you are finished, click Save.

    The following are account-level permissions:

    • Manage Users: view, create, edit, and remove user logons and permissions
    • Directory Synchronization: synchronize an LDAP directory with the cloud service
    • View All Reports: run all reports associated with the licensed services
    • View Data Security Reports: view data security reports, which may or may not contain incident forensics and trigger data, depending on your privacy protection settings
    • Manage edge devices: configure edge devices in the network that connect to the cloud service (see Managing Network Devices)
    • Log Export: export SIEM data when using Forcepoint storage (see Running the SIEM log file download script for Forcepoint storage) or download full traffic logs, if Full Traffic Logging is available for your account (see Configure Full Traffic Logging settings)

    The following web permissions can be assigned at an account or policy level:

    • Modify Configuration: modify all options within Account Settings except users’ logons which requires Manage Users permissions (required to access the Neo management portal)
    • View Configuration: view all configurations within Setup, without the ability to make changes
    • View Configuration Audit Trail: access and search the policy setup audit trail
    • View Filtered Reports: view only reports that can be filtered by the specified policy or policies (not available if View All Reports is selected)
    Note: The View Filtered Reports and View Data Security Reports options may not be enabled in your account.

    Users with any of these permissions can access the web service non-policy-specific configuration options.

    Note: If users are logged on to the portal when their permissions are changed, the changes do not take effect until they log off and then log on again.