Super Administrator permissions

The Super Administrator role can contain 2 types of administrators: unconditional Super Administrators and conditional Super Administrators.

To create an unconditional Super Administrator account, you can do either of the following on the Global Settings > Administrators page:

  • Create a Global Security Administrator account.
  • Select the Grant access and the ability to modify access permissions for other accounts option for the Web module.

Unconditional Super Administrators can:

  • Access all system configuration settings in the Web module (managed via the Settings options).
  • Add or remove administrators in the Super Administrator role.
  • Create or edit the Filter Lock that blocks certain categories and protocols for all users managed by delegated administration roles. See Creating a Filter Lock.
  • Manage policies for clients in the Super Administrator role, including the Default policy that applies to all clients not assigned another policy in any role.
  • Create and run reports on all clients, regardless of which role they are assigned to.
  • Access Real-Time Monitor.
  • Review component status and stop or start components from the Status > Deployment page.
  • Review the audit log, which records administrator access to and actions within the Web module.
  • (Forcepoint Web Security only) Open the Content Gateway manager via a button on the Settings > General > Content Gateway Access page and be logged on automatically, without having to provide credentials.

When an unconditional Super Administrator adds additional administrators to the Super Administrator role (via the Policy Management > Delegated Administration page), the new administrators are granted conditional permissions.

Unlike unconditional Super Administrators, whose permissions cannot be changed, conditional Super Administrators can be granted a combination of policy management, reporting, and access permissions.

  • Full policy permissions allow conditional Super Administrators to:
    • Create and edit delegated administration roles, filter components, filters, policies, and exceptions, and to apply policies to clients that are not managed by any other role.
    • Access database download, directory service, user identification, and Network Agent configuration settings. Conditional Super Administrators with reporting permissions can also access configuration settings for the reporting tools.
    • Create and edit delegated administration roles, but not to delete roles or remove the administrators or managed clients assigned to them.
  • Exceptions only permissions allow conditional Super Administrators to create and edit exceptions. (Exceptions permit or block URLs for specified users, regardless of which policy normally governs their Internet access.)

    Policies, filters, filter components, the Filter Lock, and all Settings pages are hidden for Super Administrators with exceptions only permissions.

  • Reporting permissions allow conditional Super Administrators to:
    • Access Status > Dashboard page charts.
    • Run investigative and presentation reports on all users.

    If an administrator is granted reporting permissions only, the Check Policy tool does not appear in the Toolbox.

  • Real-Time Monitor permissions allow Super Administrators to monitor all Internet activity for each Policy Server associated with the Forcepoint Security Manager.
  • Content Gateway direct access permissions allow Super Administrators to be logged on to the Content Gateway manager automatically via a button on the Settings > General > Content Gateway Access page in the Forcepoint Security Manager.

Only one administrator at a time can log on to a role with full policy or exceptions only permissions. Therefore, if an administrator is logged on to the Super Administrator role to perform policy or configuration tasks, other Super Administrators can log on with only reporting, auditor, or status monitor permissions in the role. Super Administrators also have the option to select a different role to manage.

To switch to another role after logon, go to the Role drop-down list in the Web Security toolbar and select a role.