Policy Management and Reporting permissions

Delegated administrators in policy management and reporting roles can be given any combination of the following permissions:

  • Full policy permissions allow delegated administrators to create and manage filter components (including custom categories and re-categorized URLs), filters (category, protocol, and limited access), policies, and exceptions (black and white lists) for their managed clients.

    Filters created by delegated administrators are restricted by the Filter Lock, which may designate some categories and protocols as blocked and locked. These categories and protocols cannot be permitted by delegated administrators. (As part of enforcing the Filter Lock, delegated administrators cannot give their managed clients password override permissions.)

    Only one administrator at a time can log on to a role with policy permissions. Therefore, if an administrator is logged on to a role to perform policy tasks, other administrators in the role can log on with auditing (read-only), reporting, or Real-Time Monitor permissions only. Administrators who have been assigned to multiple roles also have the option to select a different role to manage.

    To switch to another role after logon, go to the Role drop-down list in the Web Security toolbar and select a role.

  • Exceptions only permissions allow delegated administrators to create and manage exceptions for managed clients in their role. (Exceptions permit or block URLs for specified users, regardless of which policy normally governs their Internet access.)

    Policies, filters, and filter components are hidden for delegated administrators with exceptions only permissions.

  • Deployment status permissions allow delegated administrators to review component status on the Status > Deployment page. Delegated administrators with deployment status permissions can also be granted permission to start components, stop components, or both.
  • Reporting permissions can be granted in either of 2 general categories: report on all clients, or report on only managed clients in the role.
    • Any delegated administrator with reporting permissions can be given access to the Status > Dashboard page, investigative reports, and the Settings pages used to manage Log Server and the Log Database.
    • Delegated administrators with the option to report on all clients can also be given access to presentation reports.
  • Real-Time Monitor permissions allow administrators to monitor all Internet activity for each Policy Server associated with the Forcepoint Security Manager.