Articles in this section

See more

Setup Guide: Delegated Administration for Umbrella

Avatar
Matt Prytuluk
  • Updated
Follow

Delegated administration is a feature to help manage access to only certain parts of the Umbrella dashboard; effectively managing roles around access to the dashboard as determined by the needs of your organization and levels of access required to the dashboard. 

 

Setting up Delegated Administration

 

 

There's just two simple steps to setting up your delegated administration, first selecting the appropriate default role or creating a new role, and then second assigning that role to a user.  Delegated Administration can be found in the dashboard under Settings > Delegated Administration.

 

Step 1: Select a default role or create a new role

 

 

By default, there are four Roles now available:

four-roles.png

  • Full Admin - access to everything in the Umbrella, including the ability to create and assign new roles
  • BPB User - a user to be used by normal users when needing to bypass a page. For more information on that, click here. 
  • Reporting Only user - a user that only has the ability to view and run reports. For more information on that, click here.
  • Read Only user - a user that only has the ability to view the layout of the Dashboard but not make changes. This user can also view all reports for all other users.

In order to take advantage of delegated administration, create a unique role for the administrative user.  

Under Settings > Delegated Administration, click the 'add' button (the + symbol):

Screen_Shot_2017-03-28_at_5.14.10_PM.png

Then give the role a descriptive name:

Screen_Shot_2017-03-28_at_5.15.04_PM.png

Next, you'll need to pick the parts of the dashboard you'd like to give the new role access to manage.   There are two main sections:  Policies and Reports.

Screen_Shot_2017-03-29_at_2.08.04_PM.png

Policies are broken into three management sub-roles:  

  1. Identities
  2. Policy Settings
    1. Domain Lists
  3. Block Page Settings   

Within Policy Settings, there is a sub-policy setting to manage just domain lists.  

  • Reports is the management of all of the features under the Reporting section of the dashboard. This gives the role the ability to create new reports, run any bookmarked reports and export reports.   However, if selected on its own, no other part of the Dashboard will be available. This role is ideal for employees in management positions or other departments looking for specific information. 
  • Policies is the management of all the identities, policy settings and block page settings as above, but also includes the ability to add, delete and modify policies, and apply those policies to identities. A role that manages policies is ideal for a senior helpdesk administrator responsible for deploying and managing the Umbrella policy day to day on the network. However, this limited role is restricted from managing other Users within the dashboard, adding or modifying Roles or any of the other features under System Settings in the dashboard. 

If you select the top-level check-box for Policies, this will include all of the sub-roles. If you drill down on the Policies link, you can select specific sub-roles.

Within Policies: there are three sub-role settings:

Screen_Shot_2017-03-29_at_2.10.21_PM.png

 

Identities is the management of all of identities, such as Roaming Computers, Networks, Mobile and Internal Networks, listed under Identities on the left -hand menu pane in the dashboard. This gives the role the ability to modify, rename or delete these identities, as well as create new identities. However, if selected on its own, this role cannot assign policy to a newly created identity. This sub-role is ideal for provisioning new devices under Umbrella as part of initially bringing computers online to your network. 

Policy Settings role is the management of all of the settings under Policy Settings on the left -hand menu pane in the dashboard. This gives the role the ability to modify, rename or delete Content Settings, Security Settings and Domain Lists. However, if selected on its own, this role cannot change the assignment of these policy settings to additional identities. This sub-role is ideal for updating a global allow or global block list, or for changing security settings on the fly for unexpected requests to the helpdesk.  Under Policy Settings, there's just one more setting: the Domain List role. 

The Domain List role gives the ability to add or delete domains in a Domain List that already exists.  You can have a role manage multiple domain lists. Typically, this role would be given to a helpdesk user that may need to give temporary access to a single domain during times when the traditional administrators of Umbrella may not be available.  It could also be given to a security officer to block individual domains in cases where there has been a targeted attack or breach. 

Block Page Settings role is the management of all of the settings under Block Page Settings on left -hand menu pane in the dashboard.  This gives the role the ability to change the block page appearance, add,  modify or delete a block page user or add, modify or delete a block page bypass code.  However, if selected on its own, it cannot add a user account to be assigned to the block page user.  This sub-role is ideal for users updating block page bypass codes for end-users as part of a helpdesk team.

Reminder:

Applying the Domain List role to include either the Global Allow List or the Global Block List will enable this role to allow or block a domain for the entire Organization.

 
Once you've assigned the appropriate permissions to the role you'd like to create, you can add a user to the role.
 

Note:

If a role can provision identities, but not manage policies, please ensure that your "catch-all" policies are ordered correctly according to the policy execution arrow (which points downward in the policy section). For instance, if a user with the Identities role only provisioned a new roaming computer, that roaming computer would receive the Default Policy unless All Roaming Clients was selected for a policy higher up the hierarchy.

 

 

Step 2: Assign your role to a user

 

 

Step 2a. Create a new user if needed

If your delegated administrator does not yet have an account created to login to the Umbrella dashboard, you must create one under System Settings > Accounts. During the account creation, you'll have an opportunity to assign the role to your user.

Step 2b. Assign the new role to a user

This step is simple: you should see your newly created role as one of the options when dropping down the menu for Choose Role.  

Step 2c. Assigning the user a password

An important note is that the user themselves will not have access to the Accounts section to modify their own information, such as password. The password assigned during this stage should not be temporary as the Delegated Admin user will not be able to change it later. 

Step 2d. When the Delegated Admin User logs in

Once you've configured the user to a delegated admin user, their dashboard will be automatically limited to only the elements they've been assigned.  This can mean their dashboard is a little looking than what you may be used to, but the won't know that parts of the dashboard even exist because they're not greyed out, instead, they're simply not present.

 

Related articles

Comments

0 comments

Article is closed for comments.