Prioritizing group and domain policies

In some cases, organizations may prefer that policies applied to users, groups, and OUs take precedence over policies applied to IP addresses (computers and networks).

This might occur, for example, if both of the following are true:

  1. Group-based policies are used widely in the organization.
  2. The Account Override option (see Account override) is applied to IP addresses in the network.

When the default enforcement order is used, the IP address-based policy overrides any group-based policies, which could cause account override to fail frequently. When group and domain policies take precedence, the problem is avoided.

You can configure Filtering Service to prioritize directory policies (in other words, use the search order User > Group > Domain > Computer > Network to identify the policy to apply to a request).

When Filtering Service is installed on a Windows or Linux server:

Steps

  1. Navigate to the bin directory on the Filtering Service machine (C:\Program Files\Websense\Web Security\bin or /opt/Websense/bin/, by default).
  2. Open the eimserver.ini file in a text editor.
  3. Locate the [FilteringManager] section of the file, and add the following parameter:
    UserGroupIpPrecedence=true
  4. Save and close the file.
  5. Restart Filtering Service.
    • Windows: Use the Windows Services tool to restart Filtering Service.
    • Linux: Use the /opt/Websense/WebsenseDaemonControl command to restart Filtering Service.

Next steps

When Filtering Service is on an appliance, follow the instructions in this article Configuring Filtering Service via the Appliance API.