TRITON - Web Security Help
283
Delegated Administration
3. Select a Directory service type from the list.
   If you have imported your settings from the Directory Services page, use the information below to verify that the configuration is correct.
   - If you select the default, Windows NT Directory / Active Directory (Mixed Mode), no further configuration is needed. Click OK to cache your changes. Changes are not implemented until you click Save All.
   - If you select Active Directory (Native Mode) or Other LDAP Directory, provide the following additional information:
     1. Enter the IP address or name of the machine on which the directory service is installed.
        If you are using Active Directory (Native Mode), and you have configured your global catalog servers for failover, you can instead enter the DNS domain name.
     2. Enter the Port used for directory service communication.
     3. To encrypt communication with the directory service, mark Use SSL.
     4. Enter the User distinguished name and Password that Websense software should use to connect to the directory service.
     5. Enter the Default domain context that Websense software should use when authenticating administrators, unless you are using Active Directory (Native Mode), and have specified a communications port of 3268 or 3269.
        In this latter case, leave the field blank.
     6. Do one of the following:
        - If you are using Active Directory (Native Mode), configuration is complete. Click OK to cache your changes. Changes are not implemented until you click Save All.
        - If you are using another LDAP-based directory service, continue.
     7. Supply the User logon ID attributes and the User search filter, if any, that Websense software should use to speed user authentication.
        This information also appears on the Settings > Directory Services page, under Advanced Directory Settings. You can copy and paste the values, if needed.
     8. Under Group Options, specify whether or not your LDAP schema includes the memberOf attribute:
        - If memberOf is not used, specify the User group search filter that Websense software should apply to authenticate administrators.
        - If memberOf is used, specify the Group attribute that should be applied.
     9. If your LDAP schema includes nested groups, mark Perform additional nested group search.
     10. If your directory service uses LDAP referrals, indicate whether Websense software should use or ignore the referrals.
     11. Click OK to cache your changes. Changes are not implemented until you click Save All.
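The following pre-flight check of the settings in the procedure above is an added example, not Websense code. The dictionary keys are hypothetical names for the fields on the page, and the non-SSL port list reflects standard LDAP and global catalog defaults rather than anything the page states.

```python
# Added example; the dict keys are hypothetical names for the fields on this page.
MIXED = "Windows NT Directory / Active Directory (Mixed Mode)"
NATIVE = "Active Directory (Native Mode)"
OTHER = "Other LDAP Directory"
GC_PORTS = {3268, 3269}        # ports named in step 5
NON_SSL_PORTS = {389, 3268}    # assumption: standard LDAP / global catalog defaults

def check_directory_settings(s):
    """Return a list of findings for one set of directory settings."""
    kind = s.get("type", MIXED)
    if kind == MIXED:
        return []                          # no further configuration is needed
    findings = [f"missing: {k}" for k in ("server", "port", "user_dn", "password")
                if not s.get(k)]
    port, context = s.get("port"), s.get("default_domain_context", "")
    if not s.get("use_ssl"):
        findings.append("Use SSL not marked: directory communication is unencrypted")
    elif port in NON_SSL_PORTS:
        findings.append(f"Use SSL marked, but port {port} is normally a non-SSL port")
    if kind == NATIVE and port in GC_PORTS:
        if context:
            findings.append("leave Default domain context blank with port 3268/3269")
    elif not context:
        findings.append("Default domain context not entered")
    if kind == OTHER:
        # Step 8: which group option is needed depends on memberOf support.
        needed = "group_attribute" if s.get("uses_memberof") else "user_group_search_filter"
        if not s.get(needed):
            findings.append(f"missing group option: {needed}")
    return findings

# Constructed sample settings (not taken from any real deployment).
GOOD = {"type": NATIVE, "server": "dc01.example.test", "port": 3269, "use_ssl": True,
        "user_dn": "CN=svc-websense,OU=Service,DC=example,DC=test",
        "password": "placeholder", "default_domain_context": ""}
RISKY = dict(GOOD, port=3268, use_ssl=False,
             default_domain_context="DC=example,DC=test")

if __name__ == "__main__":
    for name, cfg in (("GOOD", GOOD), ("RISKY", RISKY)):
        print(name, check_directory_settings(cfg) or "no findings")
```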
Add network accounts
Use the Delegated Administration > Manage Administrator Accounts > Add
Network Account page to add user and group clients defined in a supported directory
service as TRITON - Web Security administrators.
Expand the Directory Entries folder to browse the directory or click Search (LDAP-
based directory services only) to find the accounts that you want to add as TRITON -
Web Security administrators.
If you choose to search the directory, enter all or part of the account name, and then
specify whether to search for users, groups, or both (All). Click Go to start the search.
To add a user or group as an administrator, mark the check box next to the account
name, and then click the right arrow (>) to add the account to the Selected
Administrators list.
If you have Websense Web Security Gateway Anywhere, or have linked your Web and
data security software, click Notify to send an email message to each selected
administrator with instructions for accessing the Web Security and Data Security
modules of the TRITON Unified Security Center. Customize email message content
on the Settings > General > Linking page (see Link your Web and data security
software, page 192).
To delete a user from the Selected Administrators list, mark the check box next to the
account name, and then click Remove.
When you are done selecting administrator accounts, click OK to cache your changes
and return to the Manage Administrator Accounts page. Changes are not implemented
until you click Save All.
You must add the account to a role as an administrator in order to enable the user to
log on to TRITON - Web Security. See Using delegated administration, page 286, for
information about creating and editing roles.
Related topics:
Enabling access to TRITON - Web Security, page 281
Add Websense user accounts, page 285
Using delegated administration, page 286
Add Websense user accounts
Use the Delegated Administration > Manage Administrator Accounts > Add
Websense User page to add Websense user accounts.
1. Enter a unique User name, up to 50 characters.
   The name must be between 1 and 50 characters long, and cannot include any of the following characters:
   * < > ' { } ~ ! $ % & @ # . " | \ & + = ? / ; : ,
   User names can include spaces and dashes.
   The name “websense” is reserved, and cannot be added as a delegated administrator account.
2. Enter and confirm a Password (4-255 characters) for this user.
   Strong passwords are recommended: 8 characters or longer, including at least one each of the following:
   - uppercase letter
   - lowercase letter
   - number
   - special character (such as hyphen, underscore, or blank)
3. To require the administrator to change the account password the first time he or
she logs on to TRITON - Web Security, click Prompt for new password.
4. If you have Websense Web Security Gateway Anywhere, or have linked your Web
and data security software, optionally mark Send email notification to send
account information and access instructions to the new administrator via email.
You can customize the contents of the email message on the Settings > General >
Linking page (see Link your Web and data security software, page 192).
5. When you are finished making changes, click OK to cache the changes and return
to the Manage Administrator Accounts page. Changes are not implemented until
you click Save All.
Related topics:
Enabling access to TRITON - Web Security, page 281
Add network accounts, page 284
Using delegated administration, page 286
Using delegated administration
Related topics:
Introducing administrative roles, page 268
Managing role conflicts, page 293
The Policy Management > Delegated Administration page offers different options, depending on whether it is viewed by a Super Administrator or a delegated administrator.
Super Administrators see a list of all the roles currently defined, and have the following options available.
Option | Description
Add | Click to add a new role. See Adding roles, page 287.
Role | Click to view or configure the role. See Editing roles, page 288.
Delete | Click to delete any roles that are marked in the list. This option is available to unconditional Super Administrators only. See Special considerations, page 294, for information about how a role’s clients are managed after the role is deleted.
Advanced | Click to access the Manage Role Priority function.
Manage Role Priority | Click to specify which role’s policy settings are used when the same client exists in multiple groups that are managed by different roles. See Managing role conflicts, page 293.
Manage Administrator Accounts | Click to manage the administrator accounts (Websense user accounts and network accounts) used to access TRITON - Web Security. See Enabling access to TRITON - Web Security, page 281.
Manage Custom LDAP Groups | Click to add, edit, and delete custom LDAP groups, which can be assigned as managed clients in delegated administration roles. See Working with custom LDAP groups, page 67. This option is not available if the configured directory service is Windows NT/Active Directory (Mixed Mode).
Delegated administrators see only the roles in which they are administrators, and have access to more limited options.
Option | Description
Role | Click to view the clients assigned to the role, and the specific reporting permissions granted. See Editing roles, page 288.
Manage Administrator Accounts | Click to change your TRITON - Web Security password or view your assigned roles. See Enabling access to TRITON - Web Security, page 281.
Adding roles
Use the Delegated Administration > Add Role page to provide a name and description for the new role.
1. Enter a Name for the new role.
   The name must be between 1 and 50 characters long, and cannot include any of the following characters:
   * < > ' { } ~ ! $ % & @ # . " | \ & + = ? / ; : ,
   Role names can include spaces and dashes.
2. Enter a Description for the new role.
   The description may be up to 255 characters. The character restrictions that apply to role names also apply to descriptions, with 2 exceptions: descriptions can include periods (.) and commas (,).
3. Click OK to display the Edit Role page and define the characteristics of this role. See Editing roles, page 288.
   The new role is added to the Role drop-down list in the banner the next time you log on to TRITON - Web Security.
Related topics:
Editing roles, page 288
Special considerations, page 294
Important
When you add a delegated administration role, the current Default category and protocol filters from the Super Administrator role are copied to the new role, and a Default policy that enforces those copied filters is created.
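The naming rules under Adding roles and the name and password rules under Add Websense user accounts can be checked before a batch of accounts or roles is entered. The validator below is an added example, not Websense code; the function names are hypothetical, and comparing the reserved name without regard to case is an assumption.

```python
# Added example. Characters the page lists as not allowed in user and role names.
FORBIDDEN = set("*<>'{}~!$%&@#.\"|\\+=?/;:,")
RESERVED_USER_NAMES = {"websense"}   # assumption: compared case-insensitively

def name_problems(name, is_user=False):
    """Problems with a user name (is_user=True) or a role name."""
    problems = []
    if not 1 <= len(name) <= 50:
        problems.append("length must be 1-50 characters")
    bad = sorted(set(name) & FORBIDDEN)
    if bad:
        problems.append("forbidden characters: " + " ".join(bad))
    if is_user and name.lower() in RESERVED_USER_NAMES:
        problems.append("reserved name")
    return problems

def description_problems(text):
    """Role descriptions: up to 255 characters; periods and commas are allowed."""
    problems = []
    if len(text) > 255:
        problems.append("longer than 255 characters")
    bad = sorted(set(text) & (FORBIDDEN - {".", ","}))
    if bad:
        problems.append("forbidden characters: " + " ".join(bad))
    return problems

def password_problems(pw):
    """The hard limit is 4-255 characters; the rest is the page's recommendation."""
    if not 4 <= len(pw) <= 255:
        return ["rejected: length must be 4-255 characters"]
    weak = []
    if len(pw) < 8:
        weak.append("shorter than 8 characters")
    if not any(c.isupper() for c in pw):
        weak.append("no uppercase letter")
    if not any(c.islower() for c in pw):
        weak.append("no lowercase letter")
    if not any(c.isdigit() for c in pw):
        weak.append("no number")
    if all(c.isalnum() for c in pw):
        weak.append("no special character")
    return ["weak: " + w for w in weak]

if __name__ == "__main__":
    # Constructed sample values.
    print(name_problems("ops@corp"), password_problems("abcd"))
```

A four-character password passes the length limit but fails every other recommendation, which is the gap the second half of `password_problems` makes visible.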
Editing roles
Related topics:
Using delegated administration, page 286
Adding roles, page 287
Managing role conflicts, page 293
Delegated administrators can use the Delegated Administration > Edit Role page to view the list of clients managed by their role, and the specific reporting permissions granted.
Super Administrators can use this page to select the administrators and clients for a role, and to set administrator permissions, as described below. Only unconditional Super Administrators can delete administrators and clients from a role.
1. Change the role Name and Description, as needed.
   Note
   The name of the Super Administrator role cannot be changed.
2. Add and delete administrators for this role (Super Administrators only).
Item | Description
User Name | Administrator’s user name.
Account Type | Indicates whether the user is defined in the network directory service (Directory) or as a Websense user account (Websense).
Reporting | Mark this check box to give the administrator permission to use reporting tools.
Policy | Mark this check box to give the administrator permission to create filters and policies, and apply policies to the role’s managed clients. In the Super Administrator role, administrators with policy permission can also manage certain Websense configuration settings. See Super Administrators, page 269.
Unconditional | Available only for the Super Administrator role, mark this check box to give the administrator permissions to manage all Websense configuration settings, and the Filter Lock. Only unconditional Super Administrators can grant unconditional permissions to a new administrator.
Add | Opens the Add Administrators page. See Adding Administrators, page 291.
Delete | Removes from the role any administrators marked in the Administrators list. (Available to unconditional Super Administrators only.)
3. Add and delete Managed Clients for the role.
   Changes can be made by Super Administrators only. Delegated administrators can view the clients assigned to their role.
Item | Description
<Name> | Displays the name of each client explicitly assigned to the role. Administrators in the role must add the clients to the Clients page before policies can be applied. See Delegated administrator tasks, page 276.
Add | Opens the Add Managed Clients page. See Adding managed clients, page 292.
Delete | Available to unconditional Super Administrators only, this button removes from the role any clients marked in the managed clients list. Some clients cannot be deleted directly from the managed clients list. See Special considerations, page 294, for more information.
4. Use the Reporting Permissions area to select the features available to administrators in this role who have reporting access.
   a. Choose the general level of reporting permissions:
Option | Description
Report on all clients | Select this option to give administrators permission to generate reports on all network users. Use the remaining options in the Reporting Permissions area to set the specific permissions for administrators in this role.
Report on managed clients only | Select this option to limit administrators to reporting on the managed clients assigned to this role. Then, select the investigative reports features these administrators can access. Administrators limited to reporting on managed clients only cannot access presentation reports or user-based reports on the Today and History pages. They are also prevented from managing Log Database settings.
   b. Mark the check box for each reporting feature that appropriate administrators in the role are permitted to use.
Option | Description
Access presentation reports | Enables access to presentation reports features. This option is available only when administrators can report on all clients. See Presentation reports, page 99.
View reports on Today and History pages | Enables display of charts showing Internet activity on these pages. See Today: Health, Security, and Value Since Midnight, page 22 and History: Last 30 Days, page 25. If this option is deselected, administrators can view only the Health Alert and Value areas of the Today page, and the Value Estimates on the History page.
Access investigative reports | Enables access to basic investigative reports features. When this option is selected, additional investigative reports features can be selected, also. See Investigative reports, page 118.
View user names in investigative reports | Enables administrators in this role to view user names, if they are logged. See Configuring Filtering Service for logging, page 337. Deselect this option to show only system-generated identification codes, instead of names. This option is available only when administrators are granted access to investigative reports.
Save investigative reports as favorites | Enables administrators in this role to create favorite investigative reports. See Favorite investigative reports, page 135. This option is available only when administrators are granted access to investigative reports.
Schedule investigative reports | Enables administrators in this role to schedule investigative reports to run at a future time or on a repeating cycle. See Scheduling investigative reports, page 138. This option is available only when administrators are granted permissions to save investigative reports as favorites.
Manage the Log Database | Enables administrators to access the Settings > Log Database page. See Log Database administration settings, page 344. This option is available only when administrators can report on all clients.
5. When you are finished making changes, click OK to cache the changes and return to the Delegated Administration page. Changes are not implemented until you click Save All.
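The "available only when" conditions in the reporting permissions table form a dependency chain that can be checked when a role definition is reviewed. The sketch below is an added example, not Websense code; the option identifiers are hypothetical names for the check boxes, and the BROAD set is a reviewer's selection rather than a product list.

```python
# Added example; identifiers are hypothetical names for the options in the table.
ALL_CLIENTS = "report_on_all_clients"
INVESTIGATIVE = "access_investigative_reports"

# option -> the option that must also be granted, per the table above
REQUIRES = {
    "access_presentation_reports": ALL_CLIENTS,
    "manage_log_database": ALL_CLIENTS,
    "view_user_names": INVESTIGATIVE,
    "save_favorites": INVESTIGATIVE,
    "schedule_reports": "save_favorites",
}

# Assumption (reviewer's choice): grants that reach past the role's managed
# clients or show user names instead of system-generated identification codes.
BROAD = {ALL_CLIENTS, "manage_log_database", "view_user_names"}

def resolve(requested):
    """Return (usable, blocked): options whose whole prerequisite chain is
    granted, and a map of option -> first missing prerequisite."""
    requested = set(requested)
    usable, blocked = set(), {}
    for option in sorted(requested):
        need = REQUIRES.get(option)
        while need and need in requested:   # walk up the chain
            need = REQUIRES.get(need)
        if need:
            blocked[option] = need
        else:
            usable.add(option)
    return usable, blocked

def needs_justification(requested):
    """Usable options from BROAD, for a least-privilege review of the role."""
    usable, _ = resolve(requested)
    return sorted(usable & BROAD)

# Constructed role definitions.
HELPDESK = {INVESTIGATIVE, "schedule_reports", "access_presentation_reports",
            "view_today_history"}
AUDIT = {ALL_CLIENTS, INVESTIGATIVE, "save_favorites", "schedule_reports",
         "view_user_names", "manage_log_database"}

if __name__ == "__main__":
    for name, role in (("HELPDESK", HELPDESK), ("AUDIT", AUDIT)):
        print(name, resolve(role), needs_justification(role))
```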