Delegated administration is a feature to help manage access to only certain parts of the Umbrella dashboard; effectively managing roles around access to the dashboard as determined by the needs of your organization and levels of access required to the dashboard.
Setting up Delegated Administration
There's just two simple steps to setting up your delegated administration, first selecting the appropriate default role or creating a new role, and then second assigning that role to a user. Delegated Administration can be found in the dashboard under Settings > Delegated Administration.
Step 1: Select a default role or create a new role
By default, there are four Roles now available:
- Full Admin - access to everything in the Umbrella, including the ability to create and assign new roles
- BPB User - a user to be used by normal users when needing to bypass a page. For more information on that, click here.
- Reporting Only user - a user that only has the ability to view and run reports. For more information on that, click here.
- Read Only user - a user that only has the ability to view the layout of the Dashboard but not make changes. This user can also view all reports for all other users.
In order to take advantage of delegated administration, create a unique role for the administrative user.
Under Settings > Delegated Administration, click the 'add' button (the + symbol):
Then give the role a descriptive name:
Next, you'll need to pick the parts of the dashboard you'd like to give the new role access to manage. There are two main sections: Policies and Reports.
Policies are broken into three management sub-roles:
- Policy Settings
- Domain Lists
- Block Page Settings
Within Policy Settings, there is a sub-policy setting to manage just domain lists.
- Reports is the management of all of the features under the Reporting section of the dashboard. This gives the role the ability to create new reports, run any bookmarked reports and export reports. However, if selected on its own, no other part of the Dashboard will be available. This role is ideal for employees in management positions or other departments looking for specific information.
- Policies is the management of all the identities, policy settings and block page settings as above, but also includes the ability to add, delete and modify policies, and apply those policies to identities. A role that manages policies is ideal for a senior helpdesk administrator responsible for deploying and managing the Umbrella policy day to day on the network. However, this limited role is restricted from managing other Users within the dashboard, adding or modifying Roles or any of the other features under System Settings in the dashboard.
If you select the top-level check-box for Policies, this will include all of the sub-roles. If you drill down on the Policies link, you can select specific sub-roles.
Within Policies: there are three sub-role settings:
Identities is the management of all of identities, such as Roaming Computers, Networks, Mobile and Internal Networks, listed under Identities on the left -hand menu pane in the dashboard. This gives the role the ability to modify, rename or delete these identities, as well as create new identities. However, if selected on its own, this role cannot assign policy to a newly created identity. This sub-role is ideal for provisioning new devices under Umbrella as part of initially bringing computers online to your network.
Policy Settings role is the management of all of the settings under Policy Settings on the left -hand menu pane in the dashboard. This gives the role the ability to modify, rename or delete Content Settings, Security Settings and Domain Lists. However, if selected on its own, this role cannot change the assignment of these policy settings to additional identities. This sub-role is ideal for updating a global allow or global block list, or for changing security settings on the fly for unexpected requests to the helpdesk. Under Policy Settings, there's just one more setting: the Domain List role.
The Domain List role gives the ability to add or delete domains in a Domain List that already exists. You can have a role manage multiple domain lists. Typically, this role would be given to a helpdesk user that may need to give temporary access to a single domain during times when the traditional administrators of Umbrella may not be available. It could also be given to a security officer to block individual domains in cases where there has been a targeted attack or breach.
Block Page Settings role is the management of all of the settings under Block Page Settings on left -hand menu pane in the dashboard. This gives the role the ability to change the block page appearance, add, modify or delete a block page user or add, modify or delete a block page bypass code. However, if selected on its own, it cannot add a user account to be assigned to the block page user. This sub-role is ideal for users updating block page bypass codes for end-users as part of a helpdesk team.
Step 2: Assign your role to a user
Step 2a. Create a new user if needed
If your delegated administrator does not yet have an account created to login to the Umbrella dashboard, you must create one under System Settings > Accounts. During the account creation, you'll have an opportunity to assign the role to your user.
Step 2b. Assign the new role to a user
This step is simple: you should see your newly created role as one of the options when dropping down the menu for Choose Role.
Step 2c. Assigning the user a password
An important note is that the user themselves will not have access to the Accounts section to modify their own information, such as password. The password assigned during this stage should not be temporary as the Delegated Admin user will not be able to change it later.
Step 2d. When the Delegated Admin User logs in
Once you've configured the user to a delegated admin user, their dashboard will be automatically limited to only the elements they've been assigned. This can mean their dashboard is a little looking than what you may be used to, but the won't know that parts of the dashboard even exist because they're not greyed out, instead, they're simply not present.