About Groups and Users
The Groups and Users feature allows administrators to manage mail for the user community on a global, group, and user level. Administrators can apply several attributes to manage mail, including filtering mail (or not), spam policies, Digest attributes, and email encryption attributes. See About Attributes for a list of all of the attributes you can apply on a global, group, and user level. See About the End User Digest for information about Digests.
Note: If your deployment consists of more than 1000 groups, some of the management interface elements behave differently on the Groups and Users > Users page. See Adding Users and Mailing Lists and Assigning Attributes for details.
You can complete the following tasks using Groups and Users:
• Configure and populate the User Repository.
• Create Password Policies for Groups of users.
• Create import and authentication profiles.
• Assign global attributes.
• Manage groups and assign attributes.
• Manage users and assign attributes.
Envelope Splitting
Envelope splitting addresses the following cases:
• When a message is addressed to multiple recipients and some of the recipients have email filtering applied (Opt In) and some do not (Opt Out). The Filter email (Opt In/Out) attribute is on the Groups and Users >
Global > Inbound page.
• When a message is addressed to multiple recipients and the recipients have different Spam Policy attributes.
• When a message is addressed to multiple recipients and the sender of the message is on the Safe Senders list for some recipients and on the Blocked Senders list for other recipients.
• When a message is addressed to multiple recipients and they are in unique domains and belong to different Policy Routes.
The following figure illustrates an example of how mail is filtered for email addressed to multiple recipients when two users are Opt In and two users are Opt Out.
Related Topics:
For information about attributes, see About Attributes. For information about Policy Routes, see About Policy Routes and Creating and Modifying Policy Routes.
Enabling Automatic Domain Groups, User Repository, and POP Forwarder
You can enable or disable the User Repository on the Groups and Users > Settings General page. If you disable the User Repository, users will not be able to manage their End User Digests. To temporarily disable the User Repository, click the Off radio button in the Groups and User Options section on the page.
To automatically create a Domain Group for each host or domain that you add to the Appliance > Inbound Mail page, select On for the Enable Automatic Domain Group Creation parameter.
Important: Automatic domain group creation applies only to the hosts or domains that you add to the Appliance > Inbound Mail page or Appliance > Outbound Mail > Mail Routes page after you enable this feature. It does not apply to pre-existing hosts and domains for systems in a cluster, or for systems added to a cluster with pre-existing hosts and domains.
POP Forwarder
During product evaluation (and beyond), administrators can allow users to forward email from their personal POP accounts to an appliance for filtering. Once enabled, this feature can be disabled on a per-user, per-group, or globally by changing the Enable Forwarder attribute. If this feature is temporarily disabled (for example, during a product upgrade) administrators can re-enable it by selecting On for the Enable parameter under Forwarder (POP3) on the Groups and Users > Settings > General page.
Related Topics:
See Creating an Import or Authentication Profile for instructions on how to create profiles to populate the User Repository with users from a variety of data sources, and set user authentication parameters on a per-profile basis.
See Scheduling an Import Profile for information about how to automatically import users for a specific profile into the User Repository on a scheduled basis.
Configuring the Layout for the Users List and Groups List
Use the Groups and Users > Settings > Layout page to control how many entries display in the Groups and Users
> User List and the Groups and Users > Group List when you search for users, and whether or not to wrap the names in the Aliases and Group Name columns.
About Attributes
Attributes provide a method for configuring and managing End User Digests, authentication sources, branding templates, and profiles and external passwords for encryption. You can apply the attributes on a global, group, and user level.
The levels provide a hierarchy by which attributes are applied. Global attributes apply to all users. Group attributes apply to groups of users (User Groups and Domain Groups). User attributes apply to specific users. The user attributes override group attributes, and group attributes override global attributes. For example, you can enable email filtering for all individuals in an organization (global level), disable email filtering for a specific group of users in the same organization (group level), and enable email filtering for one member of the specific group (user level).
Configure global attributes on the pages under Groups and Users > Global in the navigation pane. Configure group attributes on the corresponding tabs when you add or edit a group.
See the following topics for more information about the parameters for the attributes:
Inbound Attributes Outbound Attributes Services Attributes Authentication Attributes POP3 Forwarder Attributes
Attributes are applied to End User Digest settings, spam policy selections, and enforcement of module rules.
Attributes also permit users to upload confidential information to the Document Repository, change a password, and report false negatives.
Summary:
• You can select default attributes for both groups and users.
• If you make default selections for a user, the user will inherit the attributes of the group to which he or she belongs.
• If the user belongs to more than one group, the user will inherit attributes of the group that has the higher precedence. If the user belongs to both a Domain Group and a User Group, the user will inherit the attributes of the User Group.
• If the user does not belong to a group, or the group also has default selections for its attributes, the user will inherit the selections made for global attributes.
See Adding Groups and Assigning Attributes for more information about setting group precedence. See Setting Policy Precedence for Attributes for more information on how users inherit attributes.
Inbound Attributes
This topic describes the inbound mail attributes on the Groups and Users > Global > Inbound page.
• Filter Email (Opt In/Out) - determines if recipients will have email filtered by the Proofpoint Protection Server or not. Selecting No (Opt Out) will bypass mail filtering. By default, Yes is selected for Filter Email (Opt In/Out) on a global level. If the same email message is addressed to a user with Yes selected and to a user with No selected, the envelope is split so that filtering is applied correctly or bypassed for each
recipient. See Envelope Splitting for more information.
• Spam Policy - determines how spam will be processed. Spam policies are defined by a set of rules and are listed on the Spam Detection > Policies > Policies page. You can create as many spam policies as necessary. The Proofpoint Protection Server ships with a default Global Spam Policy that is automatically applied to all users in the User Repository. You have the option to allow users to select a spam policy for themselves from the End User Digest. When you create the spam policies, you decide which spam policies you want to expose to the end users with the End User Visible attribute on the Spam Detection > Policies
> Policies page. See Creating Spam Policies and Rules in "Spam Detection Module" for more information.
• Use From/Sender Header for Safelist - if set to Yes, allows users to add senders to their Safe Senders and Blocked Senders Lists based on the sender's From header. If set to No, allows users to add senders to their Safe Senders and Blocked Senders Lists based on envelope Sender. Because some organizations have many envelope senders, adding just one of the envelope senders to either a Safe Senders List or a Blocked Senders List may not be effective. Note: If this parameter is set to Yes, users will see the sender's From header display in the End User Web Application for quarantined messages, but will not be able to search for messages by the From header - this search field will be disabled. The Proofpoint Protection Server only allows searching by envelope Sender.
Audit
Audit Messages - saves copies of messages that are filtered and delivered to the end user in the Audit folder in the Quarantine. Administrators can review the messages in the Audit folder and report false negatives to Proofpoint. (A false negative is spam incorrectly classified as not spam.) By default, No is selected on the global level.
Smart Send
Allow Smart Send - allows users to release quarantined messages, or block quarantined messages without administrator intervention. If you are licensed for Proofpoint Encryption, users can encrypt and then release quarantined messages. See About Smart Send for more information about this feature.
Outbound Attributes
The topics on this page describe the outbound mail attributes on the Groups and Users > Global > Outbound page.
Encryption
• Enable Secure Reader - Secure Reader is a browser-based application that allows users to decrypt, read, forward, and reply to encrypted messages. You can disable this feature on a global, group, or user level by selecting No for this parameter.
• Response Profile - specifies which profile to apply if you have deployed Proofpoint Encryption. See Managing Response Profiles for information on creating Response Profiles.
• External Password Policy - specifies the password policy enforced for users outside your organization in order to register with Proofpoint for encrypting and decrypting messages. See Password Policies for Groups and Users for information about creating password policies.
• Branding Template - specifies which Branding Template to apply to encrypted email. See Managing Branding Templates for information on creating Branding Templates.
• Language - specifies which language to use for the notification of a secure message. When a user receives a secure message, the Language parameter determines which language to use for the notification. After the user clicks the SecureMessageAtt.htm attachment the language for the Secure Reader interface is
determined by the locale of the browser. For example, if your browser is set to the French locale, your Secure Reader interface will display in French. If you select the Use Detected Language from Message choice, Proofpoint Encryption will detect the language of the beginning part of the content of the secure message and the secure message notification will display in that detected language. If you want to change the content of the information displayed to the user by Secure Reader, see Resources.
Regulatory Compliance
Enforce Regulatory Compliance - this attribute is available if the Regulatory Compliance Module is installed. This attribute ensures that Regulatory Compliance rules that filter email for violations of privacy-based or financial transaction regulations are enforced. Consider leaving this attribute set to Yes at the global level, and then determine on a group or user level which individuals are exempt from Regulatory Compliance rules.
Digital Assets
• Enforce Digital Assets - this attribute is available if the Digital Assets Module is installed. This attribute ensures that Digital Assets rules for filtering confidential information stored in the Document Repository are enforced. Consider leaving this attribute set to Yes at the global level, and then determine on a group or user level which users are exempt from Digital Assets rules.
• Document Creation Allowed - this attribute is available if the Digital Assets module is installed. This attribute allows specific users to upload confidential documents or information to the Document Repository using email. See Document Processor Settings in "Digital Assets Module" for information on setting up the POP3 mailbox. There may be individuals in your organization that work with highly confidential information and want to protect it from being distributed by email. Consider leaving this attribute set to No at the global level, and then determine on a group or user level which users are allowed to upload documents to the Document Repository.
Smart Send
Allow Smart Send - allows users to release quarantined messages, or block quarantined messages without administrator intervention. If you are licensed for Proofpoint Encryption, users can encrypt and then release quarantined messages. See About Smart Send for more information about this feature.
Services Attributes
The attributes on the Groups and Users > Global > Services page apply to the Digest and Web Application.
Digest
The Digest settings display if the master switch for Digest is enabled on the End User Services > Digest Settings page.
• Enable - enables the Digest feature on a global, group, or user level.
• Digest Format - provides options for delivering and managing the End User Digest. Depending upon which email clients you support, and which configuration parameters you enable, you can allow users to manage their Digests either using email or a web browser. Digests are always initially delivered to end users by email. By default HTML Only + HTTP commands is selected on the global level to allow end users to manage their Digests from a web browser.
Important: To allow users to use a web browser for management tasks, enable the following parameters:
• Enable HTTP Commands - See Web-based Command Processor in "End User Services."
• Enable User Commands and Display Web Based List Management Link - See Enabling and Providing Commands to the End Users in "End User Services."
With the exception of Text Only, the following choices for the Digest Format also offer a "Simple" HTML format for End User Digests. These Simple formats were created for email clients that do not support more
Note: Only the HTML Only + HTTP Commands option supports displaying a custom logo in the Digest.
Digest Format
option End User Digest
delivery method End User Digest
commands End User Digest
email by web browser by web browser Users typically do
not have a desktop email client installed.
HTML Only +
HTTP commands email by web browser by web browser
• Send Digest - sends a Digest to the recipients configured on the End User Services > Filters > Users tab.
Administrators can grant varying levels of Digest management to the end users. For example, users can request an updated Safe Senders and Blocked Senders List, add safe and blocked senders to their personal lists, select a spam policy, and determine if they want to receive an empty Digest. By default, Yes is
selected on the global level.
• Send Empty Digest - sends an empty Digest to the recipients configured on the End User Services >
Filters > Users page. Users may want to receive Digests even if they are empty because they can still complete email management tasks. For example, users may want to add a name to their Safe Senders or Blocked Senders List or request an updated Summary Digest. By default, No is selected on the global level.
• Audit Folder in Digest - includes the messages collected in the Quarantine Audit folder in the End User Digest. This gives users the ability to report false negatives to Proofpoint. Note, selecting Audit Folder in Digest without selecting Audit Messages is of no consequence. You have to select both parameters for the Audit Folder in Digest to have any effect. By default, No is selected on the global level.
Note: Administrators must configure other settings to enable auditing and reporting from End User Digests – see Users Reporting False Negatives and Positives in "End User Services." The Proofpoint Protection Server provides a default Spam Reporting Group, which has the Audit Messages and Audit Folder in Digest attributes set to Yes. You can immediately add users to the Spam Reporting group so they can participate in reporting false negatives. The Audit Messages and Audit Folder in Digest attributes determine whether or not end users participate in the spam auditing and reporting process.
Web Application
The Web Application setting displays if the master switch for the Web Application is enabled on the End User Services > Web Application page.
Enable - enables the Web Application feature on a global, group, or user level. See Web Application in "End User Services" for customizing the Web Application settings.
Language
Language - determines the language used for the Digest and Web Application. You can view the supported languages by expanding the menu.
Branding Template
Branding Template - defines the branding template to use for both the Digest and Web Application. See Managing Branding Templates for more information.
Authentication Attributes
The attributes on the Groups and Users > Global > Authentication page define which authentication source to use for authentication, which password policy to apply, and whether or not to allow users to change passwords.
Authentication
• Authentication Source - specifies the source to use for user authentication (user name and password).
Administrators can force user authentication for access to account management (Manage My Account link in email-based Digests), for access to the Web Application, and for Secure Reader (Proofpoint Encryption) authentication. The choices on the Authentication Source list are generated on the Groups and Users >
Import/Auth Profiles page. The No Authentication Allowed choice means the user will not be allowed to authenticate at all - for example, if an employee leaves your organization you can select this choice to "lock"
the employee out of authentication on the Proofpoint Protection Server.
• Password Policy - specifies the password policy in effect. See Password Policies for Groups and Users for information on creating password policies.
• Change Password Allowed - this attribute is available if users are authenticating with the User Repository.
This attribute allows users to change the password that the administrator assigned to them. If enabled, a Change Password link displays in the end users Manage My Account web interface. By default, Yes is selected on the global level.
The following parameters are found on the Authentication tab of the User Attributes pop-up window when you select a user name on the Groups and Users > Users page.
Password
This is the password associated with each user in the User Repository. It applies to both the Web Application and Proofpoint Encryption.
• Password and Confirm Password - if the users were imported into the User Repository, or if you manually add a user, the default password is generated by the Proofpoint Protection Server. To see the default password, go to the Groups and Users > Import/Auth Profiles page and select the PPS group. Click the Advanced tab, and find Default User Password. Users are required to change the default password the first time they log in to the Web Application or register with Proofpoint Encryption. If a user changes his or her password for the Web Application, the same password applies to Proofpoint Encryption. If a user forget his or her password, you can create a new one for the user by entering a new password into the Password
• Password and Confirm Password - if the users were imported into the User Repository, or if you manually add a user, the default password is generated by the Proofpoint Protection Server. To see the default password, go to the Groups and Users > Import/Auth Profiles page and select the PPS group. Click the Advanced tab, and find Default User Password. Users are required to change the default password the first time they log in to the Web Application or register with Proofpoint Encryption. If a user changes his or her password for the Web Application, the same password applies to Proofpoint Encryption. If a user forget his or her password, you can create a new one for the user by entering a new password into the Password