Delegated administration roles

A role groups clients—users, groups, domains (OUs), computers, and networks— with one or more administrators.

Clients in a delegated administration role are referred to as managed clients.
Administrators can perform different tasks (like managing policies or running reports) for managed clients in their role, based on their permissions.

The Web module of the Forcepoint Security Manager includes one predefined role: Super Administrator. Although it is not shown, admin, the Global Security

Administrator account, is a member of this role. The admin account cannot be deleted, nor can its permissions be changed.

Important: You cannot delete the Super Administrator role or the admin account.

Administrators assigned to the Super Administrator role have the ability to create roles, assign administrators and managed clients to roles, and determine the permissions for administrators in the role. Global Security Administrators can add administrators to the Super Administrator role.

Super Administrators can create 2 types of delegated administration and reporting roles:

Policy management and reporting: User policies are managed by administrators in the role. Administrators in the role can optionally also run reports.
Investigative reporting: Administrators can run investigative reports showing Internet activity for only managed clients in the role. Client policies are managed in one or more other roles.

Define as many additional roles as are appropriate for the organization. For example:

Create a role for each department, with the department manager as administrator and the department members as managed clients.
In a geographically distributed organization, create a role for each location and assign all the users at the location as managed clients of that role. Then, assign one or more individuals at the location as administrators.