
Delegated Administration and Reporting

Web Security Help | Web Security Solutions | Version 7.8.x

Delegated administration provides an effective way to distribute responsibility for Web Security configuration, policy management, reporting, and compliance auditing to multiple individuals. For example:

• Allow individual managers to set policies and run reports on users in their teams.

• Give local administrators for regional offices or campuses policy management permissions, as well as some access to local configuration options, but limit reporting access to protect end-user privacy.

• Ensure that Human Resources can run Internet activity reports on some or all clients, identified by user name or IP address.

• Grant auditors access to view all configuration and policy management screens in the Web Security manager without the ability to save changes.

The sections that follow detail the main concepts of delegated administration, and then provide specific configuration and implementation instructions.

• The fundamentals of delegated administration, page 340

• Preparing for delegated administration, page 347

• Managing delegated administration roles, page 352

• Updating delegated administration roles, page 361

• Performing delegated administrator tasks, page 363

• Enabling network accounts, page 367

Web Security Help

339


The fundamentals of delegated administration


Related topics:

• Delegated administration roles, page 340

• Delegated administrators, page 341

• Delegated administration and reporting permissions, page 342

• Administrators in multiple roles, page 345

• Multiple administrators accessing the TRITON console, page 346

Before setting up delegated administration for your organization, there are 3 main concepts to understand:

• Roles are containers used to group administrators and clients. There are 3 types of roles. See Delegated administration roles, page 340.

• Administrators are individuals or groups given responsibility for configuring Web Security manager settings, managing policies for clients, running Internet activity reports, or auditing the system. An administrator’s set of responsibilities is determined by the role and permissions that the administrator is assigned. See Delegated administrators, page 341.

• Permissions determine what responsibilities (like creating policies or running reports) an administrator has within a role. The available permissions change based on which type of role an administrator is assigned to. See Delegated administration and reporting permissions, page 342.

Delegated administration roles


A role groups clients—users, groups, domains (OUs), computers, and networks—with one or more administrators.

Clients in a delegated administration role are referred to as managed clients.

Administrators can perform different tasks (like managing policies or running reports) for managed clients in their role, based on their permissions.

The Web Security manager includes one predefined role: Super Administrator.

Although it is not shown, admin, the Global Security Administrator account, is a member of this role. The admin account cannot be deleted, nor can its permissions be changed.

Important: You cannot delete the Super Administrator role or the admin account.

340

Websense Web Security Solutions


Administrators assigned to the Super Administrator role have the ability to create roles, assign administrators and managed clients to roles, and determine the permissions for administrators in the role. Global Security Administrators can add administrators to the Super Administrator role.

Super Administrators can create 2 types of delegated administration and reporting roles:

• Policy management and reporting: User policies are managed by administrators in the role. Administrators in the role can optionally also run reports.

• Investigative reporting: Administrators can run investigative reports showing Internet activity for only managed clients in the role. Client policies are managed in one or more other roles.

Define as many additional roles as are appropriate for the organization. For example:

• Create a role for each department, with the department manager as administrator and the department members as managed clients.

• In a geographically distributed organization, create a role for each location and assign all the users at the location as managed clients of that role. Then, assign one or more individuals at the location as administrators.

Delegated administrators


Administrators are the individuals who can access the TRITON console. Depending on their permissions, in the Web Security manager they may be able to:

• Log on and view some elements of the Web Security Dashboard, but take no other actions.

• Access all configuration and management features of the Web Security manager, but save no changes.

• Run reports on specific groups of clients, or on all clients.

• Manage policies for specific groups of clients.

• Have full configuration access to all features of the Web Security manager.

The specific permissions available depend on the administrator’s role type (Super Administrator, policy management and reporting, or investigative reporting). See Delegated administration roles, page 340.

Global Security Administrators (like admin) define administrator accounts in TRITON Settings. These accounts may either be network logon accounts (defined in a supported directory service) or local accounts, used only to access TRITON. Once an account has been defined, the Global Security Administrator assigns each one a level of logon access to one or more TRITON modules.

The levels of Web Security access that can be granted to administrators are:

• Access and account management, which grants unconditional Super Administrator permissions (see Delegated administration and reporting permissions, page 342).

• Access, which allows the administrator to log on and view limited portions of the Status > Dashboard and Alerts pages only. Super Administrators can add those administrators to roles to allow them some level of additional policy management access, reporting access, or both.

Any administrator account that has been granted access to the Web Security module appears on the Delegated Administration > View Administrator Accounts page. These accounts are also listed on the Delegated Administration > Edit Role > Add Administrators page.

Only administrators that have already been granted Web Security access via TRITON Settings can be added to roles.

Delegated administration and reporting permissions


The permissions available to an administrator depend on whether the administrator is assigned to the Super Administrator role, a policy management and reporting role, or an investigative reporting role.

Super Administrator permissions

The Super Administrator role can contain 2 types of administrators: unconditional Super Administrators and conditional Super Administrators.

When you create a Global Security Administrator account on the TRITON Settings > Administrators page, or select the Web Security > Grant access and the ability to modify access permissions for other accounts option, the account is automatically added to the Super Administrator role in the Web Security manager with unconditional permissions.

Unconditional Super Administrators can:

• Access all system configuration settings for Websense Web security solutions (managed via the Settings tab).

• Add or remove administrators in the Super Administrator role.

• Create or edit the Filter Lock that blocks certain categories and protocols for all users managed by delegated administration roles. See Creating a Filter Lock, page 348.

• Manage policies for clients in the Super Administrator role, including the Default policy that applies to all clients not assigned another policy in any role.

• Create and run reports on all clients, regardless of which role they are assigned to.

• Access Real-Time Monitor.

• Review component status and stop or start components from the Status > Deployment page.

• Review the audit log, which records administrator access to and actions within the Web Security manager.

• (Web Security Gateway and Gateway Anywhere) Open the Content Gateway manager via a button on the Settings > General > Content Gateway Access page and be logged on automatically, without having to provide credentials.

When an unconditional Super Administrator adds additional administrators to the Super Administrator role (via the Policy Management > Delegated Administration page in the Web Security manager), the new administrators are granted conditional permissions.

Unlike unconditional Super Administrators, whose permissions cannot be changed, conditional Super Administrators can be granted a combination of policy management, reporting, and access permissions.

Full policy permissions allow conditional Super Administrators to:

• Create and edit delegated administration roles, filter components, filters, policies, and exceptions, and to apply policies to clients that are not managed by any other role.

• Access database download, directory service, user identification, and Network Agent configuration settings. Conditional Super Administrators with reporting permissions can also access configuration settings for the reporting tools.

• Create and edit delegated administration roles, but not to delete roles or remove the administrators or managed clients assigned to them.

Exceptions only permissions allow conditional Super Administrators to create and edit exceptions. (Exceptions permit or block URLs for specified users, regardless of which policy normally governs their Internet access.)

Policies, filters, filter components, the Filter Lock, and all Settings pages are hidden for Super Administrators with exceptions only permissions.

Reporting permissions allow conditional Super Administrators to:

• Access Web Security Dashboard charts.

• Run investigative and presentation reports on all users.

If an administrator is granted reporting permissions only, the Check Policy tool does not appear in the Toolbox.

Real-Time Monitor permissions allow Super Administrators to monitor all Internet activity for each Policy Server associated with the Web Security manager.

Content Gateway direct access permissions allow Super Administrators to be logged on to the Content Gateway manager automatically via a button on the Settings > General > Content Gateway Access page in the Web Security manager.

Only one administrator at a time can log on to a role with full policy or exceptions only permissions. Therefore, if an administrator is logged on to the Super Administrator role to perform policy or configuration tasks, other Super Administrators can log on with only reporting, auditor, or status monitor permissions in the role. Super Administrators also have the option to select a different role to manage.

To switch to another role after logon, go to the Role drop-down list in the Web Security toolbar and select a role.


Policy Management and Reporting permissions

Delegated administrators in policy management and reporting roles can be given any combination of the following permissions:

Full policy permissions allow delegated administrators to create and manage filter components (including custom categories and recategorized URLs), filters (category, protocol, and limited access), policies, and exceptions (black and white lists) for their managed clients.

Filters created by delegated administrators are restricted by the Filter Lock, which may designate some categories and protocols as blocked and locked. These categories and protocols cannot be permitted by delegated administrators. (As part of enforcing the Filter Lock, delegated administrators cannot give their managed clients password override permissions.)

Only one administrator at a time can log on to a role with policy permissions. Therefore, if an administrator is logged on to a role to perform policy tasks, other administrators in the role can log on with auditing (read-only), reporting, or Real-Time Monitor permissions only. Administrators who have been assigned to multiple roles also have the option to select a different role to manage.

To switch to another role after logon, go to the Role drop-down list in the banner and select a role.

Exceptions only permissions allow delegated administrators to create and manage exceptions for managed clients in their role. (Exceptions permit or block URLs for specified users, regardless of which policy normally governs their Internet access.)

Policies, filters, and filter components are hidden for delegated administrators with exceptions only permissions.

Deployment status permissions allow delegated administrators to review component status on the Status > Deployment page. Delegated administrators with deployment status permissions can also be granted permission to start components, stop components, or both.

Reporting permissions can be granted in either of 2 general categories: report on all clients, or report on only managed clients in the role.

Any delegated administrator with reporting permissions can be given access to the Web Security Dashboard, investigative reports, and the Settings pages used to manage Log Server and the Log Database.

Delegated administrators with the option to report on all clients can also be given access to presentation reports.

Real-Time Monitor permissions allow administrators to monitor all Internet activity for each Policy Server associated with the Web Security manager.

Investigative reporting permissions

Administrators in investigative reporting roles can create investigative reports for managed clients in their role. (Clients’ policies are managed in other roles.) They can also use the URL Category, URL Access, and Investigate User tools.


These administrators do not have access to presentation reports or Real-Time Monitor, but can optionally be allowed to view charts on the Web Security Dashboard.

Auditors

Any conditional Super Administrator or delegated administrator account can be granted Auditor permissions. An auditor can see most Web Security manager features and functions, but cannot save any changes.

Instead of the OK and Cancel buttons that allow other administrators to cache or discard changes, Auditors are given a single Back button. The Save and Deploy button is disabled.

Administrators in multiple roles


Related topics:

• Delegated administration roles, page 340

• Delegated administrators, page 341

• Delegated administration and reporting permissions, page 342

Depending on the needs of your organization, the same administrator may be assigned to multiple roles. Administrators assigned to multiple roles must choose a single role to manage at logon.

After logon, your permissions are as follows:

• Policy management:

  • Full policy: You can add and edit filters and policies for the role selected during logon, and apply policies to that role’s managed clients.

  • Exceptions only: You can create and manage exceptions for the role selected during logon, and apply exceptions to that role’s managed clients.

• Reporting: You have the combined reporting permissions of all your roles. For example, suppose you are assigned to 3 roles, with reporting permissions as follows:

  • Role 1: no reporting

  • Role 2: investigative reporting only

  • Role 3: report on all clients, full access to all reporting features

In this situation, regardless of which role you choose during logon, you are permitted to view charts on the Web Security Dashboard, and report on all clients, using all reporting features.

If you are logged on for reporting only, the Role field in the banner bar indicates whether you have Full Reporting (report on all clients) or Limited Reporting (report on managed clients only) permissions.


Multiple administrators accessing the TRITON console


Administrators in different roles can access the Web Security manager simultaneously to perform whatever activities their role permissions allow. Since they manage different clients, they can create and apply policies without conflict.

The situation is different if administrators with policy permissions in the same role try to connect at the same time. Only one administrator at a time can log on with full policy or exceptions-only permissions in the shared role. If a second administrator tries to log on with full policy or exceptions-only permissions while another administrator is logged on, the second administrator is given a choice:

• Log on with read-only access (similar to temporary auditor permissions). When this option is selected, the Role drop-down box shows “Role Name - [Read-Only]” as the current role, and offers the option of switching to “Role Name” (without any modifiers). This makes it possible to access the role with policy permissions when the role is no longer locked.

• Log on for reporting only, if the administrator has reporting permissions.

• Log on to a different role, if the administrator is assigned to any other roles.

• Log on to view only the Status pages until the role becomes available (Limited Status access).

• Try again later, after the first administrator logs off.

Administrators who are not using their policy permissions can do one of the following to unlock the role and allow another administrator to log on to manage policies:

• If generating reports, select Release Policy Permissions from the Role dropdown list. When this option is selected, policy management features are hidden from the logged-on administrator, but reporting features remain active.

• If monitoring system performance, select Status Monitor from the Role dropdown list. Administrators in Status Monitor mode can access the Status > Dashboard and Alerts pages, as well as Real-Time Monitor (if applicable). Their session does not time out. If administrators in Status Monitor mode try to go to a page other than Dashboard, Alerts, or Real-Time Monitor, they are prompted to log on again.
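The logon rules in this topic and the preceding one (policy permissions come only from the role chosen at logon, reporting permissions are cumulative across roles, and a second administrator with policy permissions in an already-locked role is offered the alternatives listed above) as an added Python model. It is an illustration written for this help topic, not Websense code; the RolePermissions fields, the session modes, and the choice names are assumptions.

```python
"""Added model of the logon rules in "Administrators in multiple roles" and
"Multiple administrators accessing the TRITON console". Not Websense code:
the RolePermissions fields, session modes and choice names are assumptions
chosen to illustrate the rules the text states."""
from dataclasses import dataclass


@dataclass(frozen=True)
class RolePermissions:
    """What one administrator may do in one role (assumed field set; Real-Time
    Monitor and deployment status permissions are left out of this model)."""
    name: str
    policy: str = "none"               # "full", "exceptions_only" or "none"
    dashboard: bool = False
    investigative: bool = False
    presentation: bool = False
    report_on_all_clients: bool = False

    def has_reporting(self):
        return self.dashboard or self.investigative or self.presentation


def reporting_permissions(roles):
    """Reporting permissions are cumulative: the union over every role the
    administrator is assigned to, whichever role was chosen at logon."""
    return {
        "dashboard": any(r.dashboard for r in roles),
        "investigative": any(r.investigative for r in roles),
        "presentation": any(r.presentation for r in roles),
        "report_on_all_clients": any(r.report_on_all_clients for r in roles),
    }


def banner_label(reporting):
    """Role field text shown for a reporting-only session."""
    if reporting["report_on_all_clients"]:
        return "Full Reporting"
    return "Limited Reporting"


class RoleLocks:
    """Tracks which administrator holds each role's policy permissions. Only one
    administrator at a time may hold full policy or exceptions-only permissions
    in a given role; everyone else gets the alternatives listed in the text."""

    def __init__(self):
        self._holder = {}            # role name -> administrator holding the lock

    def holder(self, role):
        return self._holder.get(role)

    def logon(self, admin, roles, selected):
        """Log `admin` on to `selected` (one of `roles`) and return the session.
        Policy permissions come only from the selected role; reporting
        permissions are the union across all of the administrator's roles."""
        chosen = {r.name: r for r in roles}[selected]
        reporting = reporting_permissions(roles)
        session = {"admin": admin, "role": selected, "reporting": reporting,
                   "policy": "none", "mode": "reporting",
                   "banner": banner_label(reporting)}
        if chosen.policy == "none":
            return session                     # reporting-only logon, no lock needed
        other = self._holder.get(selected)
        if other is None or other == admin:
            self._holder[selected] = admin     # take the role's policy lock
            session.update(policy=chosen.policy, mode="policy", banner=selected)
            return session
        # Another administrator holds the lock: offer the documented choices.
        choices = ["read_only"]
        if any(r.has_reporting() for r in roles):
            choices.append("reporting_only")
        if len(roles) > 1:
            choices.append("other_role")
        choices += ["limited_status", "try_again_later"]
        session.update(mode="locked", locked_by=other, choices=choices)
        return session

    def choose(self, session, choice):
        """Apply one of the choices offered to a locked-out administrator.
        "other_role" and "try_again_later" simply mean a fresh logon later."""
        if choice not in session.get("choices", ()):
            raise ValueError(f"{choice!r} was not offered")
        if choice == "read_only":
            session.update(mode="read_only", banner=f"{session['role']} - [Read-Only]")
        elif choice == "reporting_only":
            session.update(mode="reporting", banner=banner_label(session["reporting"]))
        elif choice == "limited_status":
            session.update(mode="limited_status")
        return session

    def release_policy_permissions(self, admin, role):
        """Release Policy Permissions from the Role list: the role unlocks for
        other administrators while this one keeps its reporting features."""
        if self._holder.get(role) == admin:
            del self._holder[role]

    def status_monitor(self, admin, role):
        """Status Monitor mode also frees the role; only Dashboard, Alerts and
        Real-Time Monitor stay reachable, and the session does not time out."""
        self.release_policy_permissions(admin, role)
        return {"admin": admin, "mode": "status_monitor",
                "pages": ("Dashboard", "Alerts", "Real-Time Monitor")}
```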


Preparing for delegated administration


Related topics:

• The fundamentals of delegated administration, page 340

• Creating a Filter Lock, page 348

• Preparing delegated administrators, page 351

• Managing delegated administration roles, page 352

Before creating delegated administration roles, there are 2 key planning and setup tasks for the Super Administrator to perform:

• Review and edit the Filter Lock, which blocks specified categories and protocols for managed clients in all delegated administration roles. By default, the Filter Lock blocks and locks several categories, so it is important to check the default settings against the requirements of your organization. (See Creating a Filter Lock, page 348.)

  • Filter Lock restrictions are automatically enforced for all filters created in or copied to a delegated administration role, and cannot be modified by the delegated administrator.

  • Delegated administrators can apply any action to categories and protocols not blocked and locked in the Filter Lock.

  • Changes to the Filter Lock are implemented for all managed clients as soon as the changes are saved. Delegated administrators who are working in the Web Security manager when the changes take effect will not see the changes in their filters until the next time they log on.

  • Filter Lock restrictions do not apply to clients managed by the Super Administrator role.

• Determine which Super Administrator policies and filters will be copied to each new role that you plan to create, and make adjustments to existing policies as needed.

  • By default, each role is created with a single Default policy, created from the Default category and protocol filter (not the Default policy) currently configured for the Super Administrator role.

  • Optionally, you can instead copy all policy objects (policies, filters, custom categories, and custom URLs) from the Super Administrator role to the new role. The delegated administrator then starts with a complete set of policies and policy components.

    • Copies of policies and filters in a delegated administration role are subject to the Filter Lock, and are therefore not identical to the same policies and filters in the Super Administrator role.

    • When the Unrestricted policy is copied, the policy and filter names are changed to reflect the fact that they are subject to the Filter Lock, and no longer permit all requests.

  • Copying Super Administrator policy objects to a new role can take a very long time, depending on how much information must be copied.

Once these planning steps are completed, each of the following delegated administration components must be put into place:

1. A Global Security Administrator creates administrator accounts on the TRITON Settings > Administrators page, and grants the accounts the appropriate level of Web Security access.

2. A Super Administrator creates delegated administration roles on the Policy Management > Delegated Administration page, then adds administrators and managed clients to the roles. See Managing delegated administration roles, page 352.

3. The Super Administrator notifies the delegated administrators that they have been granted administrative access to the Web Security manager, and explains their level of permissions. See Preparing delegated administrators, page 351.

Creating a Filter Lock


Related topics:

• Locking categories, page 349

• Locking protocols, page 350

The Policy Management > Filter Lock page lets you specify categories and protocols that are blocked for all managed clients in delegated administration roles.

Any category or protocol that is blocked in the Filter Lock is considered blocked and locked.

Click the Categories button to block and lock specific categories or category elements (keywords and file types). See Locking categories, page 349.

Click the Protocols button to block and lock protocols, or to specify protocols that are always logged. See Locking protocols, page 350.


Locking categories


Related topics:

• Creating a Filter Lock, page 348

• Locking protocols, page 350

Use the Policy Management > Filter Lock > Categories page to select the categories to be blocked and locked for all members of delegated administration roles.

You also can block and lock keywords and file types for a category.

1. Select a category in the tree.

Delegated administration roles do not have access to custom categories created by the Super Administrators. Therefore, custom categories do not appear in this tree.

2. Set the restrictions for this category in the box that appears beside the category tree.

Option                    Description
Lock category             Blocks and locks access to sites in this category.
Lock keywords             Blocks and locks access based on keywords defined for this category in each role.
Lock file types           Blocks and locks the selected file types for sites in this category. Be sure to mark the check box for each file type to be blocked and locked. Custom file types created by the Super Administrator are included on this list because they are available to delegated administration roles.
Apply to Subcategories    Applies the same settings to all subcategories of this category.

You can block and lock selected elements for all categories at once, if appropriate.

Select All Categories in the tree, and then select the elements to be blocked for all categories. Then, click Apply to Subcategories.

3. When you are finished making changes, click OK to cache the changes and return to the Filter Lock page. Changes are not implemented until you click Save and Deploy.


Locking protocols


Related topics:

• Creating a Filter Lock, page 348

• Locking categories, page 349

Use the Policy Management > Filter Lock > Protocols page to block and lock access to or lock logging of selected protocols for all clients managed by delegated administration roles.

Note: Protocol logging is associated with protocol usage alerts. You cannot generate usage alerts for a protocol unless it is set for logging in at least one protocol filter. Enabling the Lock protocol logging option through the Filter Lock assures that usage alerts can be generated for the protocol. See Configuring protocol usage alerts, page 406.

1. Select a protocol in the tree.

Delegated administration roles do have access to custom protocols created by the Super Administrator. Therefore, custom protocols do appear in this tree.

2. Set the restrictions for this protocol in the box that appears beside the protocol tree.

Option                    Description
Lock protocol             Blocks and locks access to applications and websites using this protocol.
Lock protocol logging     Logs information about access to this protocol, and prevents delegated administrators from disabling logging.
Apply to Group            Applies the same settings to all protocols in the group.

3. When you are finished making changes, click OK to cache the changes and return to the Filter Lock page. Changes are not implemented until you click Save and Deploy.
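The Filter Lock behaviour described in Preparing for delegated administration, Locking categories and Locking protocols (locked items forced to Block in every delegated role's filters, Apply to Subcategories and Apply to Group propagating the lock, locked logging that cannot be switched off, copied Super Administrator filters becoming subject to the lock, and the Super Administrator role itself being exempt) as an added Python model. This is an illustration, not Websense code: the category tree, protocol groups, filter structure and the renamed-filter suffix are assumptions.

```python
"""Added model of the Filter Lock described in "Preparing for delegated
administration", "Locking categories" and "Locking protocols". Not Websense
code: the category tree, protocol groups, filter objects and the renaming
suffix are assumptions made for illustration."""
from dataclasses import dataclass, field

SUPER_ADMIN_ROLE = "Super Administrator"

# Constructed category tree (parent -> subcategories); names are illustrative.
CATEGORY_TREE = {
    "All Categories": ["Adult Material", "Security"],
    "Adult Material": ["Adult Content", "Nudity"],
    "Security": ["Malicious Web Sites", "Phishing and Other Frauds"],
}
# Constructed protocol groups (group -> protocols); names are illustrative.
PROTOCOL_GROUPS = {
    "Instant Messaging": ["IM Chat", "IM File Transfer"],
    "P2P File Sharing": ["BitTorrent", "Gnutella"],
}


def members(tree, name):
    """The node itself plus everything beneath it in the tree."""
    out = [name]
    for child in tree.get(name, []):
        out.extend(members(tree, child))
    return out


@dataclass
class FilterLock:
    """Categories and protocols that are blocked and locked for every delegated
    administration role, plus protocols whose logging is locked on."""
    categories: set = field(default_factory=set)
    protocols: set = field(default_factory=set)
    logging: set = field(default_factory=set)

    def lock_category(self, name, apply_to_subcategories=False):
        """Lock category; Apply to Subcategories propagates the lock down the tree."""
        self.categories.update(members(CATEGORY_TREE, name) if apply_to_subcategories else [name])

    def lock_protocol(self, name, apply_to_group=False):
        """Lock protocol; Apply to Group covers every protocol in the group."""
        self.protocols.update(members(PROTOCOL_GROUPS, name) if apply_to_group else [name])

    def lock_protocol_logging(self, name, apply_to_group=False):
        """Lock protocol logging: delegated administrators cannot disable it."""
        self.logging.update(members(PROTOCOL_GROUPS, name) if apply_to_group else [name])


@dataclass
class RoleFilters:
    """One role's category and protocol filters (assumed structure): each action
    is "Permit" or "Block"; logged is the set of protocols that are logged."""
    name: str
    category_actions: dict
    protocol_actions: dict
    logged: set


def enforce(lock, role, filters):
    """Return the filters as a delegated role actually sees them: locked
    categories and protocols are forced to Block and locked logging is forced
    on. Filters in the Super Administrator role are exempt and returned as-is."""
    if role == SUPER_ADMIN_ROLE:
        return filters
    cats = {c: "Block" if c in lock.categories else a
            for c, a in filters.category_actions.items()}
    protos = {p: "Block" if p in lock.protocols else a
              for p, a in filters.protocol_actions.items()}
    logged = filters.logged | (lock.logging & set(protos))
    return RoleFilters(filters.name, cats, protos, logged)


def delegated_can_set(lock, category=None, protocol=None, action="Permit", log=True):
    """Whether a delegated administrator may make this change: any action is
    allowed on unlocked items, but a locked item cannot be permitted and a
    protocol with locked logging cannot have logging turned off."""
    if category is not None and category in lock.categories and action == "Permit":
        return False
    if protocol is not None:
        if protocol in lock.protocols and action == "Permit":
            return False
        if protocol in lock.logging and not log:
            return False
    return True


def copy_to_role(lock, role, filters):
    """Copy Super Administrator filters into a new delegated role. The copy is
    subject to the Filter Lock, and a copied Unrestricted filter is renamed
    because it no longer permits every request (the text does not give the new
    name, so the suffix used here is an assumption)."""
    effective = enforce(lock, role, filters)
    if role != SUPER_ADMIN_ROLE and filters.name == "Unrestricted":
        effective.name = "Unrestricted (subject to Filter Lock)"
    return effective
```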


Preparing delegated administrators


Related topics:

• The fundamentals of delegated administration, page 340

• Preparing for delegated administration, page 347

• Performing delegated administrator tasks, page 363

After assigning individuals as administrators in any administrative role, make sure to give them the following information:

• The URL for logging on to the TRITON console. By default: https://<TRITON_location>:9443/triton/ Substitute the IP address or hostname of the TRITON management server.

• What Policy Server to select after logon, if applicable. In an environment with multiple Policy Server instances, administrators can select the Policy Server to use from the Web Security toolbar. They must select the Policy Server that is configured to communicate with the directory service that authenticates their managed clients.

• Whether to use their network logon account or a local Websense account when logging on to the TRITON console. If administrators log on with local accounts, provide the user name and password.

• Their permissions: to create and apply policies to clients in the role, generate reports, create policies and generate reports, or audit administrator tasks without implementing changes.

  Advise administrators who have both policy and reporting permissions to consider what activities they plan to perform during the session. If they only plan to generate reports, recommend that they go to the Role field in the banner, and choose Release Policy Permissions. This frees the policy permissions for the role, enabling another administrator to access the Web Security manager and manage policy for that role.

• How to find the list of clients managed by their role. Administrators can go to Policy Management > Delegated Administration, and then click their role name to display the Edit Role page, which includes a list of managed clients.

• Limitations imposed by the Filter Lock, if any categories or protocols have been blocked and locked.

• The tasks that are generally performed by administrators. See Performing delegated administrator tasks, page 363.

Be sure to notify delegated administrators when you add or change custom file types and protocols. These components automatically appear in filters and policies for all roles, so it is important for those administrators to know when changes have been made.


Managing delegated administration roles


Related topics:

• The fundamentals of delegated administration, page 340

• Preparing for delegated administration, page 347

• Managing role conflicts, page 360

The Policy Management > Delegated Administration page offers different options, depending on whether it is viewed by a Super Administrator or a delegated administrator.

Super Administrators see a list of all the roles currently defined, and have the following options available.

Option                       Description
Add                          Click to add a new role. See Adding roles, page 353.
Role                         Click a role name to view or configure the role. See Editing roles, page 354.
Delete                       Mark the check box next to a role name, then click the button to delete the selected roles. Available to unconditional Super Administrators only. See Delete roles, page 362, for information about how a role’s clients are managed after the role is deleted.
Advanced                     Click to access the Manage Role Priority function.
Manage Role Priority         Click to specify which role’s policy settings are used when the same client exists in multiple groups that are managed by different roles. See Managing role conflicts, page 360.
View Administrator Accounts  Click to see the local and network administrator accounts with Web Security manager access, and review their permission level and role assignments. See Reviewing administrator accounts, page 367.

Delegated administrators see only the roles in which they are administrators, and have access to more limited options.

Option                       Description
Role                         Click to view the clients assigned to the role, and the specific reporting permissions granted. See Editing roles, page 354.


Adding roles


Related topics:

• Preparing for delegated administration, page 347

• Managing delegated administration roles, page 352

• Editing roles, page 354

Use the Delegated Administration > Add Role page to provide a name and description for the new role.

1.

Enter a Name for the new role.

The name must be between 1 and 50 characters long, and cannot include any of the following characters:

* < > ' { } ~ ! $ % & @ # . " | \ & + = ? / ; : ,

Role names can include spaces and dashes.

2.

Enter a Description for the new role.

The description may be up to 255 characters. The character restrictions that apply to role names also apply to descriptions, with 2 exceptions: descriptions can include periods (.) and commas (,).

3. Specify the Role Type:

A Policy management and reporting role allows administrators the ability to create filters and policies and apply them to manage clients. Administrators in these roles may also be given permission to report on managed clients or all clients.

If you select this role type, also indicate whether or not to Copy all Super Administrator policies, filters, and filter components to the new role. If you select this option, the process of creating the role may take several minutes.

If you do not copy all Super Administrator policies to the role, a Default policy is created for the role that enforces the Super Administrator Default category and protocol filters.

An Investigative reporting role allows administrators to report on their managed clients only, using the investigative reports tool. Managed clients in an investigative reporting role may also be added to a policy management and reporting role.

4. Click OK to display the Edit Role page and define the characteristics of this role. See Editing roles, page 354.

If you created a policy management and reporting role, the new role is added to the Role drop-down list in the Web Security toolbar the next time you log on.


If you created an investigative reporting role, the name does not appear in the role drop-down. This reflects the fact that reporting permissions are cumulative (see Administrators in multiple roles, page 345).

Editing roles

Related topics: Managing delegated administration roles, page 352; Adding roles, page 353; Managing role conflicts, page 360

Delegated administrators can use the Delegated Administration > Edit Role page to view the list of clients managed by their role, and the specific reporting permissions granted.

Super Administrators can use this page to select the administrators and clients for a role, and to set administrator permissions, as described below. Only unconditional Super Administrators can delete administrators and clients from a role.

1. Change the role Name and Description, as needed.

The name of the Super Administrator role cannot be changed.

2. Add or remove administrators for this role (Super Administrators only).

Item | Description
User Name | Administrator’s user name.
Account Type | Indicates whether the user is defined in the network directory service (Directory) or unique to the TRITON console (Local).
Reporting | Give the administrator permission to use reporting tools.
Real-Time Monitor | Give the administrator permission to monitor all Internet activity for any Policy Server.
Policy | Give the administrator permission to create filters and policies, and apply policies to the role’s managed clients. In the Super Administrator role, administrators with policy permission can also manage certain Websense configuration settings. See Super Administrator permissions, page 342.
Auditor | Give the administrator permissions to see all of the features and functions available to other administrators in the role, but without the ability to save changes. The check boxes for other permissions are disabled when Auditor permissions are selected.
Add | Open the Add Administrators page. See Adding Administrators, page 357.
Delete | Remove the selected administrators from the role. Available to unconditional Super Administrators only. Unconditional Super Administrator accounts can only be removed from the TRITON Settings > Administrators page.

3. Add and delete Managed Clients for the role.

Changes can be made by Super Administrators only. Delegated administrators can view the clients assigned to their role.

Item | Description
<Name> | Displays the name of each client explicitly assigned to the role. Administrators in the role must add the clients to the Clients page before policies can be applied. See Performing delegated administrator tasks, page 363.
Add | Opens the Add Managed Clients page. See Adding managed clients, page 359.
Delete | Available to unconditional Super Administrators only, this button removes from the role any clients marked in the managed clients list. Some clients cannot be deleted directly from the managed clients list. See Delete managed clients, page 362, for more information.

4. Use the Deployment Status Permissions area to indicate whether administrators in this role can Access the Status > Deployment page to see information about the status of the Web Security components in your deployment.

If you grant delegated administrators access to the page, also select whether they can Start components or Stop components.

5. Use the Reporting Permissions area to select the features available to administrators in this role who have reporting access.

a. Choose the general level of reporting permissions:

Option | Description
Report on all clients | Select this option to give administrators permission to generate reports on all network users. Use the remaining options in the Reporting Permissions area to set the specific permissions for administrators in this role.
Report on managed clients only | Select this option to limit administrators to reporting on the managed clients assigned to this role. Then, select the investigative reports features these administrators can access. Administrators limited to reporting on managed clients only cannot access presentation reports or user-based reports on the Web Security Dashboard.

b. Mark the check box for each reporting feature that appropriate administrators in the role are permitted to use.

Option | Description
Access presentation reports | Enables access to presentation reports features. This option is available only when administrators can report on all clients. See Presentation reports, page 133.
Access the Web Security Dashboard | Enables display of charts showing Internet activity on the Risks, Usage, and System dashboards. See The Web Security Dashboard, page 33. If this option is deselected, administrators can view only the Health Alert and Value Estimates (if displayed) sections of the System dashboard.
Access the Threats dashboard | Allows administrators to access charts, summary tables, and event details related to advanced malware threat activity in your network. See Threats dashboard, page 35.
Access forensics data in the Threats dashboard | With Websense Web Security Gateway or Gateway Anywhere, allows administrators to view files associated with threat activity, and review information about attempts to send the files. See Configuring forensics data storage, page 445.
Access investigative reports | Enables access to basic investigative reports features. When this option is selected, additional investigative reports features can also be selected. See Investigative reports, page 155.
View user names in investigative reports | Allows administrators in this role to view user names, if they are logged. See Configuring how requests are logged, page 422. Deselect this option to show only system-generated identification codes, instead of names. This option is available only when administrators are granted access to investigative reports.
Save investigative reports as favorites | Allows administrators in this role to create favorite investigative reports. See Favorite investigative reports, page 171. This option is available only when administrators are granted access to investigative reports.
Schedule investigative reports | Allows administrators in this role to schedule investigative reports to run at a future time or on a repeating cycle. See Scheduling investigative reports, page 172. This option is available only when administrators are granted permissions to save investigative reports as favorites.
Manage the Log Database | Allows administrators to access the Settings > Reporting > Log Database page. See Log Database administration settings, page 432.
Access application reports | Allows administrators to see browser, platform, and user agent data on the Reporting > Applications page. See Application reporting, page 178.

6. When you are finished making changes, click OK to cache the changes and return to the Delegated Administration page. Changes are not implemented until you click Save and Deploy.

Adding Administrators

Related topics: Delegated administrators, page 341; Editing roles, page 354

Super Administrators can use the Delegated Administration > Edit Role > Add Administrators page to specify which individuals are administrators for a role.

Note

Administrators can be added to multiple roles. These administrators must choose a role during logon. In this situation, the administrator receives the combined reporting permissions for all roles.

Delegated administrators have significant control over the Internet activities of their managed clients. To ensure that this control is handled responsibly and in accordance with your organization’s acceptable use policies, Super Administrators should use the Audit Log page to monitor changes made by administrators. See Viewing and exporting the audit log, page 396.

1. If you plan to assign network accounts as delegated administrators, make sure you are logged on to the Policy Server whose Settings > General > Directory Service configuration (see Directory services, page 77) matches the TRITON Settings > User Directory configuration.

If you are adding only local accounts as administrators, you can be logged on to any Policy Server.

2. Under Local Accounts, mark the check box for one or more users, and then click the right arrow button to move the highlighted users to the Selected list.

3. Under Network Accounts, mark the check box for one or more users, and then click the right arrow (>) button to move them to the Selected list.

Note

Custom LDAP groups cannot be added as administrators.

4. Set the Permissions for administrators in this role.

Option | Description
Administrator: Policy Management | Let administrators in this role apply policies to their managed clients. This also grants access to certain Websense configuration settings.
Administrator: Reporting | Grant administrators access to reporting tools. Use the Edit Role page to set the specific reporting features permitted.
Administrator: Real-Time Monitor | Allow administrators to monitor Internet traffic in real time. See Real-Time Monitor, page 184.
Auditor | Give the administrator access to view all features available to other administrators in the role, without the ability to save changes.

5. When you are finished making changes, click OK to return to the Edit Role page.

6. Click OK on the Edit Role page to cache your changes. Changes are not implemented until you click Save and Deploy.

Adding managed clients

Related topics: Managing delegated administration roles, page 352; Editing roles, page 354

Managed clients are the users and computers assigned to a role, whose policies are set by the role’s administrators. Directory clients (users, groups, and domains [OUs]), computers (individual IPv4 or v6 addresses), and networks (IPv4 or v6 address ranges) can all be defined as managed clients.

Super Administrators can use the Delegated Administration > Edit Role > Add Managed Clients page to add as many clients to a role as needed. Each client can be assigned to only one policy management and reporting role.

If you assign a network range as a managed client in one role, you cannot assign individual IP addresses within that range to any other role. Additionally, you cannot specifically assign a user, group, or domain (OU) to 2 different roles. However, you can assign a user to one role, and then assign to a different role a group or domain (OU) of which the user is a member.

Note

If a group is a managed client in one role, and that role’s administrator applies a policy to each member of the group, individual users in that group cannot later be assigned to another role.
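The assignment constraints above can be checked mechanically before a role change is saved. The following is an added example (not Websense code) that models them: a directory client may belong to only one role, an address may not fall inside a range another role already manages, but a user and a group containing that user may sit in different roles. The role names, group names, and addresses are constructed, and the overlap check is generalized to any two overlapping address ranges.

```python
"""Managed-client assignment check for delegated administration roles.

Added example, not Websense code. It models the constraints stated above:
a directory client (user, group, or domain/OU) can be a managed client of
only one policy management and reporting role; an address may not fall inside
a network range that another role already manages; but a user may sit in one
role while a group or OU containing that user sits in another. Role and
client names are constructed.
"""
import ipaddress
from dataclasses import dataclass, field

DIRECTORY_KINDS = {"user", "group", "domain"}
ADDRESS_KINDS = {"computer", "network"}


@dataclass(frozen=True)
class Client:
    kind: str    # one of DIRECTORY_KINDS or ADDRESS_KINDS
    value: str   # directory name, a single IP address, or a "first-last" range


@dataclass
class Role:
    name: str
    clients: set = field(default_factory=set)


def addr_range(client):
    """Return (ip_version, first, last) with addresses as integers.

    A computer is a range of one address; a network is written "first-last".
    """
    if client.kind == "computer":
        ip = ipaddress.ip_address(client.value)
        return ip.version, int(ip), int(ip)
    first, last = (ipaddress.ip_address(p.strip()) for p in client.value.split("-"))
    if first.version != last.version or first > last:
        raise ValueError(f"bad network range {client.value!r}")
    return first.version, int(first), int(last)


def ranges_overlap(a, b):
    """True when two (version, first, last) tuples share at least one address."""
    return a[0] == b[0] and a[1] <= b[2] and b[1] <= a[2]


def can_assign(client, target, roles):
    """Return (allowed, reason) for adding client to the target role.

    Assumption: any overlap between address ranges held by different roles is
    rejected, which generalizes the page's "single address inside another
    role's range" case to overlapping ranges.
    """
    for role in roles:
        if role.name == target.name:
            continue  # only other roles create a conflict
        for existing in role.clients:
            if client.kind in DIRECTORY_KINDS and existing == client:
                return False, (f"{client.kind} {client.value!r} is already a "
                               f"managed client of role {role.name!r}")
            if client.kind in ADDRESS_KINDS and existing.kind in ADDRESS_KINDS:
                if ranges_overlap(addr_range(client), addr_range(existing)):
                    return False, (f"{client.value!r} overlaps {existing.value!r} "
                                   f"managed by role {role.name!r}")
    return True, "ok"


def assign(client, target, roles):
    """Add the client to the target role, or raise ValueError saying why not."""
    allowed, reason = can_assign(client, target, roles)
    if not allowed:
        raise ValueError(reason)
    target.clients.add(client)


# Constructed sample roles: Sales manages a group and an IPv4 range.
sales = Role("Sales", {Client("group", "Sales"),
                       Client("network", "10.1.0.0-10.1.0.255")})
marketing = Role("Marketing")
ROLES = [sales, marketing]

if __name__ == "__main__":
    for c in (Client("user", "jdoe"),             # member of the Sales group: allowed
              Client("group", "Sales"),           # already managed by Sales: rejected
              Client("computer", "10.1.0.42"),    # inside the Sales range: rejected
              Client("computer", "2001:db8::10")):  # other address family: allowed
        print(c, can_assign(c, marketing, ROLES))
```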

When adding managed clients, consider which client types to include.

If you add IP addresses to a role, administrators for that role can report on all activity for the specified machines, regardless of who is logged on.

If you add users to a role, administrators can report on all activity for those users, regardless of the machine where the activity occurred.

Administrators are not automatically included as managed clients in the roles they administer, since that would enable them to set their own policy. To allow administrators to view their own Internet usage, enable self-reporting (see Self-reporting, page 450).

If your organization has deployed multiple Policy Servers, and the Policy Servers communicate with different directories, be sure to select the Policy Server connected to the directory containing the clients you want to add.

Note

Best practices indicate that all directory clients in the same role be defined in the same directory.

1. Select clients for the role:

Under Directory, mark the check box for one or more users.

If your environment uses Active Directory (Native Mode) or another LDAP-based directory service, you can search the directory to find specific user, group, or domain (OU) names. See Searching the directory service, page 85.

Under Computer, enter the IP address to be added to this role in IPv4 or IPv6 format.

Under Network, enter the first and last IP addresses in a range in IPv4 or IPv6 format.

2. Click the right arrow (>) button adjacent to the client type to move the clients to the Selected list.

3. When you are finished making changes, click OK to return to the Edit Role page.

4. Click OK on the Edit Role page to cache your changes. Changes are not implemented until you click Save and Deploy.

Managing role conflicts

Related topics: Managing delegated administration roles, page 352; Adding managed clients, page 359

Directory services allow the same user to belong to multiple groups. As a result, a single user may exist in groups that are managed by different delegated administration roles. The same situation exists with domains (OUs).

Additionally, it is possible for a user to be managed by one role, and belong to a group or domain (OU) that is managed by a different role. If the administrators for both of these roles are logged on simultaneously, the administrator responsible for the user could apply policy to that user at the same time as the administrator responsible for the group applies policy to the individual members of the group.

Use the Delegated Administration > Manage Role Priority page to tell Websense software what to do if different policies apply to the same user because of an overlap.

When a conflict occurs, Websense software applies the policy from the role that appears highest on this list.

1. Select any role on the list, except Super Administrator.

Note

The Super Administrator role is always first on this list. It cannot be moved.

2. Click Move Up or Move Down to change its position in the list.

3. Repeat steps 1 and 2 until all roles have the desired priority.

4. When you are finished making changes, click OK to cache the changes and return to the Delegated Administration page. Changes are not implemented until you click Save and Deploy.
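The priority rule described above can be modeled to predict which role's policy a user ends up with before a reordering is deployed. The following is an added example (not Websense code) with a pinned Super Administrator entry, Move Up and Move Down behaviour, and a resolver that picks the highest-ranked role among those that cover a user; the role, user, group and policy names are constructed, and the within-role preference for a direct user assignment is an assumption.

```python
"""Role-priority conflict resolution for delegated administration.

Added example, not Websense code. It models the Manage Role Priority list
described above: Super Administrator is pinned to the top and cannot be
selected or moved, other roles move up or down one position at a time, and
when more than one role has applied a policy that covers the same user, the
role highest on the list wins. Role, user, group and policy names are
constructed.
"""

SUPER_ADMIN = "Super Administrator"


class RolePriority:
    """Ordered role names; index 0 is always the Super Administrator role."""

    def __init__(self, roles):
        self.order = [SUPER_ADMIN] + [r for r in roles if r != SUPER_ADMIN]

    def _index(self, role):
        if role == SUPER_ADMIN:
            raise ValueError("the Super Administrator role cannot be moved")
        return self.order.index(role)   # ValueError for an unknown role

    def move_up(self, role):
        i = self._index(role)
        if i > 1:  # position 1 is the highest a delegated role can reach
            self.order[i - 1], self.order[i] = self.order[i], self.order[i - 1]

    def move_down(self, role):
        i = self._index(role)
        if i < len(self.order) - 1:
            self.order[i + 1], self.order[i] = self.order[i], self.order[i + 1]

    def rank(self, role):
        """Smaller rank means higher on the list (higher priority)."""
        return self.order.index(role)


def resolve_policy(user, memberships, assignments, priority):
    """Return (role, policy) enforced for user, or None when no role covers it.

    assignments maps role name -> {client name: policy name}, where a client
    is the user, a group, or a domain (OU).  memberships lists the groups and
    OUs the user belongs to.  Within a single role a direct user assignment is
    preferred over a group or OU one (an assumption made here; the product's
    Enforcement order topic governs that case).
    """
    candidates = {}
    for role, table in assignments.items():
        if user in table:
            candidates[role] = table[user]
            continue
        for container in memberships:
            if container in table:
                candidates[role] = table[container]
                break
    if not candidates:
        return None
    # Conflict: pick the candidate role that sits highest on the priority list.
    winner = min(candidates, key=priority.rank)
    return winner, candidates[winner]


# Constructed sample: jdoe is a member of the "Dev Team" group managed by
# Engineering, while Sales has applied a policy to jdoe directly.
PRIORITY = RolePriority(["Engineering", "Sales"])
ASSIGNMENTS = {
    SUPER_ADMIN: {},
    "Engineering": {"Dev Team": "Engineering Default"},
    "Sales": {"jdoe": "Sales Strict"},
}
MEMBERSHIPS = {"jdoe": ["Dev Team"]}

if __name__ == "__main__":
    print(resolve_policy("jdoe", MEMBERSHIPS["jdoe"], ASSIGNMENTS, PRIORITY))
    PRIORITY.move_up("Sales")   # Sales now outranks Engineering
    print(resolve_policy("jdoe", MEMBERSHIPS["jdoe"], ASSIGNMENTS, PRIORITY))
```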

Updating delegated administration roles

Related topics: Delete roles, page 362; Delete managed clients, page 362

Policies and managed clients are typically added to a role when the role is created.

Delegated administrators with policy permissions can edit existing policies and create new policies within the role that they manage.

As new members join the organization, a Super Administrator can add them to existing roles (see Editing roles, page 354).

Super Administrators can also move clients (see Moving clients to roles, page 89) and policies (Copying filters and policies to roles, page 266) from the Super Administrator role to an existing delegated administration role at any time.

When a client is moved to a delegated administration role, the policy applied in the Super Administrator role is also copied. During this copy process, the filters are updated to enforce the restrictions of the Filter Lock, if any.

In the target role, the tag “(Copied)” is added to the end of the filter or policy name. Administrators for that role can readily identify the new item and update it appropriately.

Encourage administrators in the role to rename the filters and policies, and to edit them as needed, to clarify their settings and to minimize duplicates. These changes can simplify future maintenance efforts.

After the client is moved to the new role, only an administrator in that role can modify the client’s policy or the filters it enforces. Changes in the original policy or filters in the Super Administrator role do not affect copies of the policy or filters in delegated administration roles.

When policies and filters are copied to a delegated administration role directly, the same constraints are enforced that apply when filters and policies are copied as part of moving a client.

Filter Lock restrictions are implemented during the copy.

Permit All category and protocol filters are renamed, and become editable filters subject to the Filter Lock.

Copied filters and policies are identified in the role by the (Copied) tag in the name.

Consider editing policy descriptions before starting the copy, to assure that they are meaningful to the administrators in the target roles.

Delete roles

On the Delegated Administration page, unconditional Super Administrators can delete any roles that have become obsolete.

Deleting a role also removes all clients that the role’s administrators have added to the Clients page. After the role is deleted, if those clients belong to any networks, groups, or domains managed by other roles, they are governed by the appropriate policy applied in those roles (see Enforcement order, page 97). Otherwise, they are governed by the Super Administrator’s Default policy.

1. On the Delegated Administration page, mark the check box beside each role to be deleted.

Note

You cannot delete the Super Administrator role.

2. Click Delete.

3. Confirm the delete request to remove the selected roles from the Delegated Administration page. Changes are not permanent until you click Save and Deploy.

The deleted role is cleared from Role drop-down list in the banner the next time you log on to the TRITON console.

Delete managed clients

Clients cannot be deleted directly from the managed clients list (Delegated Administration > Edit Role) if:

the administrator has applied a policy to the client

the administrator has applied a policy to one or more members of a network, group, or domain (OU)

There may also be problems if the Super Administrator is connected to a different Policy Server than the one that communicates with the directory service containing the clients to be deleted. In this situation, the current Policy Server and directory service do not recognize the clients.

An unconditional Super Administrator can assure that the appropriate clients can be deleted, as follows.

1. Open the Policy Server list in the Web Security toolbar and make sure that you are connected to the Policy Server that communicates with the appropriate directory. You must be logged on with unconditional Super Administrator permissions.

2. Open the Role list in the Web Security toolbar, and select the role from which managed clients are to be deleted.

3. Go to Policy Management > Clients to see a list of all the clients to which the delegated administrator has explicitly assigned a policy.

This may include both clients that are specifically identified on the role’s managed clients list, and clients who are members of networks, groups, domains, or organizational units on the managed clients list.

4. Delete the appropriate clients.

5. Click OK to cache the changes.

6. Open the Role list in the banner, and select the Super Administrator role.

7. Go to Policy Management > Delegated Administration > Edit Role.

8. Delete the appropriate clients from the managed clients list, and then click OK to confirm the delete request.

9. Click OK on the Edit Role page to cache the changes. Changes are not implemented until you click Save and Deploy.

Managing Super Administrator clients


Clients who are not specifically assigned to a delegated administration role are managed by Super Administrators. There is no Managed Clients list for the Super Administrator role.

To apply policies to these clients, add them to the Policy Management > Clients page. See Adding a client, page 84. Clients who have not been assigned a specific policy are governed by the Super Administrator Default policy.

There may be times when you cannot add clients to the Clients page. This can occur when the client is a member of a network, group, or domain (OU) that is assigned to another role. If the administrator of the other role has applied a policy to individual members of the network or group, those clients cannot be added to the Super Administrator role.

Performing delegated administrator tasks

Any delegated administrator who uses a Websense account (not their network credentials) to log onto the TRITON console can review their account information and change their password. See View your user account, page 364.

Delegated administrators who have policy permissions can perform the following tasks.

View their role definition. Navigate to the Policy Management > Delegated Administration page and click the role name. This brings up the Edit Role page, which lists the role’s managed clients and shows the reporting features available to administrators who have reporting permissions in the role.

Add clients to the Clients page, page 365.

Create policies and filters, page 366.

Apply policies to clients on the Clients page (see Assigning a policy to clients, page 97).

Reporting permissions can be granted at a granular level. The specific reporting permissions granted to your role determine which of the following tasks are available to administrators with reporting permissions.

To learn which features you can use, go to the Delegated Administration page and click the role name. The Edit Role page shows the reporting features for which you have permissions. For information about using any of those features, see:

The Web Security Dashboard, page 33
Presentation reports, page 133
Investigative reports, page 155
Application reporting, page 178
Real-Time Monitor, page 184

View your user account

Related topics: Performing delegated administrator tasks, page 363; Add clients to the Clients page, page 365; Create policies and filters, page 366

If you log on to the TRITON console with network credentials, password changes are handled through your network directory service. Contact your system administrator for assistance.

If you have been assigned a local user name and password, view information about your account and change your password within the TRITON console.

1. Click TRITON Settings in the TRITON toolbar, just under the banner. The My Account page opens.

2. To change your password, first enter your current password, then enter and confirm a new password.

The password must be between 4 and 255 characters.

Strong passwords are recommended: 8 characters or longer, including at least one uppercase letter, lowercase letter, number, and special character (such as hyphen, underscore, or blank).

Click OK to save and implement the change.

3. To see a list of roles that you can administer, go to the Web Security manager Policy Management > Delegated Administration > View Administrator Accounts page.

If you are assigned to manage only one role, its name appears in the list.

If you are assigned to manage multiple roles, click View next to your user name to see them listed.

4. When you are finished, click Close to return to the Delegated Administration page.

Add clients to the Clients page

Related topics: Performing delegated administrator tasks, page 363; View your user account, page 364; Create policies and filters, page 366

After Super Administrators assign managed clients to a role, delegated administrators can add them to the Clients page and assign them policies. See Adding a client, page 84, for instructions.

When clients are added to a managed clients list, their Internet requests are immediately subject to a policy in the role.

Clients previously assigned a policy within the Super Administrator role are governed by a copy of that policy in the new role. The Move to Role process automatically copies the applicable policy.

Clients not previously assigned a policy receive the new role’s Default policy.

Initially, this Default policy enforces a Default category and protocol filter copied from the Super Administrator role.

Any client that appears in the Managed Clients list on the Delegated Administration > Edit Role page for your role can be added to the Clients page and assigned a policy.

For groups, domains (OUs), and networks assigned to the role, you can also add:

Individual users who are members of the group or OU

Individual computers that are members of the network

Because a user may be part of multiple groups or OUs, adding individuals from a larger client grouping has the potential to create conflicts when different roles manage groups or OUs with common members. If administrators in different roles access the Web Security manager at the same time, they might add the same client (an individual member of a group, for instance) to their Clients page. In that situation, policy enforcement for that client is governed by the priority established for each role. See Managing role conflicts, page 360.

Create policies and filters

Related topics: Performing delegated administrator tasks, page 363; View your user account, page 364; Add clients to the Clients page, page 365

When your role was created, it automatically inherited the current Default category filter and protocol filter from the Super Administrator role. A role-specific Default policy was created that enforces the inherited Default category and protocol filters.

(This role-specific Default policy is automatically applied to any client added to the role until another policy is assigned.)

The Super Administrator may have copied other policies and filters to your role, as well.

In addition to policies and filters, you also inherit any custom file types and protocols created by the Super Administrator.

You can edit inherited policies and filters. Changes you make affect your role only.

Any changes the Super Administrator later makes to the original policies and filters do not affect your role.

Note

Changes the Super Administrator makes to file types and protocols automatically affect the filters and policies in your role.

When a Super Administrator informs you of changes to these components, review your filters and policies to be sure they are handled appropriately.

You can also create as many new filters and policies as you need. Filters and policies created by a delegated administrator are available only to administrators logged on to your role. For instructions on creating policies, see Working with policies, page 93. For instructions on creating filters, see Working with filters, page 61.

You can edit filter components for your role, with some limitations.

Categories: Add or edit custom categories; assign custom URLs and keywords to custom or Master Database categories; change the action applied by default in category filters. (Changes to a category’s default action are implemented only if the category is not locked by the Filter Lock.)

Protocols: Change the action applied by default in protocol filters in your role. (Changes to a protocol’s default action are implemented only if the protocol is not locked by the Filter Lock.) Delegated administrators cannot add or delete protocol definitions.

File types: View the file extensions assigned to each file type. Delegated administrators cannot add file types or change the extensions assigned to a file type.

For more information, see Building filter components, page 267.

If a Super Administrator has implemented Filter Lock restrictions, there may be categories or protocols that are automatically blocked, and cannot be changed in the filters you create and edit.

Reviewing administrator accounts


Use the Delegated Administration > View Administrator Accounts page to:

See a list of local and network accounts that have been given Web Security access by a Global Security administrator.

Check the level of permissions assigned to each account.

See a list of roles associated with each account.

If an account has been added to a single role as an administrator, that role is listed to the right of the account name. If the account can be used to manage multiple roles, click View to see the roles listed.

Delegated administrators see account information for only their own account, and not for all accounts.

When you are finished reviewing administrator accounts, click Close to return to the Delegated Administration page.

Enabling network accounts


Global Security Administrators can use the TRITON Settings > User Directory page to enter the directory service information needed to allow administrators to log on to the TRITON console with their network credentials.

This task is done in addition to the configuration done by Web Security Super Administrators to define the directory service used to identify user and group clients.

Note

Client directory service information is configured on the Settings > Directory Services page (see Directory services, page 77).

TRITON administrators’ network credentials must be authenticated against a single directory service. If your network includes multiple directories, a trusted relationship must exist between the directory specified in TRITON Settings and the others.

If it is not possible to define a single directory service for use with the TRITON Unified Security Center, consider creating local accounts for administrators.

Specific instructions for defining the directory used to authenticate administrator logons can be found in the TRITON Settings Help.
