Permission Description
Group Manager A sysop must have access to the Group Manager for groups to which
the sysop is assigned.
Add Groups This permission allows sysops to create groups.
Delete Groups This allows the sysop to delete groups. Sysops can only delete groups
assigned to them.
Modify Group
Description This permission allows sysops to change the group‘s description, a brief description of the group to help users identify groups more easily.
Append
Organization to Group
This permission will automatically append the organization name entered when the sysop is created to every new group the sysop creates.
Clone Groups Access to this permission allows a sysop to create a copy of an existing
group, including all policies, by clicking Clone Group on the Group Manager page. Since clients can only belong to one group, clients are not copied to a cloned group.
Policy Manager Access to this permission is not required to modify policies, as they
can also be accessed from their respective groups.
Add Group Policies Policies define the filtering rules assigned to each group. A group can
have a single policy that runs continuously or have two or more that run at different times. The Add Group Policies permission allows
sysops to create new policies for the groups assigned to them.
Delete Group
Policies Sysops can delete policies with this permission enabled. sysops can only delete policies from groups assigned to them.
Modify Group
Policies When access to this permission is selected, a sysop can modify the categories that a policy allows or blocks. When the policy is in black-
list mode, all selected categories are blocked. In white-list mode, all
selected categories are allowed and everything else is blocked. The default mode for new policies is black list.
If you want to allow a sysop to choose whether a policy is filtered in black list or white list mode, give the sysop access to the Modify Group Policy Default Status permission.
Modify Group Policy
Global URL List In the Policy settings, a sysop can enable or disable the Global Allow and Deny lists for his or her groups. However, the sysop cannot add or
delete URLs from Global URL lists unless given access to the Global URL List permission.
Permission Description
Modify Group Policy Local URL/Keyword List
When selected, this permission allows sysops to add or delete URLs or keywords from the Local URL/Keyword Lists for their groups.
Modify Group Policy Default Status
Access to this permission allows a sysop to choose whether a group is filtered in black list or white list mode.
Append
Organization to Time Policies
This permission will automatically append the Organization entered when the sysop is created to any new policy that the sysop creates.
Modify Account Group Memberships
This permission allows a sysop to view and delete user accounts that are assigned to any of the sysop‘s groups. If the sysop is given the Account Management permission, then the sysop can create his/her own users and assign them to groups.
Quick Policy
Management If a sysop is assigned to ONLY one group, which has the same name as his/her account name, a new Settings menu will appear. The menu
allows the sysop to make changes to the group‘s blocked categories, and to the Allow and Deny Lists for a policy. This occurs when the box Create account group policy is selected when creating the sysop.
Add Clients A client contains information that points toward the identity or location
of an end user. Access to the Add Clients permission allows sysops to create clients within a group. The sysop can create a client based on client name, password, IP address, or network subnet, depending on what additional permissions are given.
Sysops must have at least one of the following additional permissions
selected for the Add Clients permission to work: Allow Client Name-Based Clients
Allow Password-Based Clients Allow Workstation-Based Clients Allow Network-Based Clients
Delete Clients With this permission selected, sysops can delete clients from the
groups they administer. Sysops do not have access to clients outside their groups.
Modify Clients With access to the Modify Clients permission, sysops can modify the
settings for any client assigned to one of their groups. They can move the client to a different group and select how the client is identified by the Policy Server (by client name, password, or IP address/range). To change how the client is identified by the Policy Server, the sysop must have access to the permission for the client-creation method they want to select – that is:
Allow Client Name-Based Clients Allow Password-Based Clients Allow Workstation-Based Clients Allow Network-Based Clients
Permission Description
Allow Client
Category Selection Access to this permission is generally not recommended for either sysops or admins. It allows sysops to add categories for each client in
addition to the categories selected for their policy. However, doing so can cause problems if a policy‘s time segments change between black
list and white list mode. We recommend that the admin or sysop
creates a new group and policy for that client.
Allow Client Name-
Based Clients This permission allows sysops to manage users authenticated based on their client name. If the sysop will be managing clients authenticated
based on their client name, then they should have access to this permission. Also select Add Clients, Delete Clients, and Modify Clients if you are granting a sysop access to this permission.
Allow Password-
Based Clients This permission allows sysops to manage users authenticated based on password. If the sysop will be managing clients authenticated based
on password, they should have this permission selected. The main exception is with the Client Filter Residential Edition. Sysops do not need to manage clients for deployments of the Client Filter Residential Edition, since this is done by the Profile Manager for the account – usually a parent, in the case of a family account. Also select the Add Clients, Delete Clients, and Modify Clients permissions if granting access to this permission.
Allow Workstation Based Clients
Most network based deployments use either workstation-based clients and/or network-based clients. Workstation-based clients use the IP address of the workstation to authenticate. If the sysop will manage such users, select this permission. If users in an entire range or subnet of IP address are assigned to a single filtering policy, then enable access to the Allow Network-Based Clients permission. You should also select the Add Clients, Delete Clients, and Modify Clients permissions.
Allow Network
Based Clients Network-based clients are similar to workstation-based clients except that a client can be assigned as an entire range of IP addresses or a
network subnet. Select access to the Add Clients, Delete Clients, and Modify Clients permissions if you are enabling this permission.
Add Time Segments This permission allows sysops to create new time segments. Time
segments allow you to activate different filtering policies for a group at different times. Therefore, enable the Add Time Segments
permission only if you enable the Add Group Policies permission, since time segments are only useful when a group has multiple filtering polices.
The sysop can define the time segment's start and end times when creating a time segment. However, the sysop cannot change the start or end times of the time segment unless you enable access to either the Modify Time Segments or the Delete Time Segments
permission. Sysops do not need to add, delete, or modify time segments for Client Filter Residential Edition users as they are automatically created or managed by the home user.
Delete Time
Permission Description
Modify Time
Segments Access to this permission allows sysops to change the start and end time of time segments for their assigned groups‘ policies.
Specify Deny Pages This permission allows sysops to choose which Deny Page displays for
each of their groups. Sysops can assign the Global Deny Page, which is the default setting for all groups; a Custom Deny Page, which can be created and edited by the sysop; or Log Only, which means no websites are ever blocked but the activity is recorded and can be viewed using the Reporter.
Apply Settings
Access After any of the settings in a group or policy are modified, sysops and admins should always Apply Settings to ensure that the settings take
effect. Enable this permission if you are allowing your sysops to change any group, policy, or client settings. Alternatively, any admin or sysop can select Apply Settings, and it will apply any changes made to the Policy Server by anyone. This permission also adds a shortcut to Apply Settings at the top of the WebAdmin screen.
Change Password
Access This permission determines whether the sysop can change the password for WebAdmin accounts they have created. This permission
does not affect the client filter password. The sysop must have the Client Filter Management permission enabled to change a client Filter password.
Change WebAdmin
Theme The Change WebAdmin Theme permission allows sysops to change their own Account theme. Changing the Account theme simply
changes the appearance of the web interface and does not provide any additional functionality or affect any other users. sysops can not
change the Global WebAdmin Theme.
Allow Remote Admin Remote Admin is an interface used to test the Netsweeper Policy
Servers. With this permission, sysops can access the Remote Admin commands listed below. They will also have access to the Test Deny Pages tool. It is not recommended to enable this permission as it allows a sysop some admin level permissions.
Table 17 Functions of the Remote Admin Tool that can be performed by a sysop
Function Description
Query NSP Version Displays the version of the Netsweeper that is currently installed.
Group Lookup Find information related to the active group of the entered IP
address.
Rotate Log Files Saves current log and starts a new one.
URL Lookup Details the category assignments and Time To Live (TTL) of a
particular URL.
URL Lookup (Cache
Disabled) Similar to URL Lookup but does not utilize the Cache. The Lookup will proceed as if the URL was not found in the Cache. Details the
category assignment and Time To Live (TTL) of a particular URL.
Function Description
Cache URL Lookup Performs a direct Cache URL Lookup. This will only search the Cache
for the URL.
URL Lookup Default
Group Returns the URL that is either denied or allowed as defined by the default group.
URL Lookup Details Returns the URL that is either denied or allowed as defined by the
default group, the Policy Server that categorizes the URL, and the category number for the URL.
Toggle Remote
Logging Allows enabling or disabling of Remote Logging
Reload TLD List Reloads the top level domain list.
Reload Master List Reloads the Master List of URLs for your Policy Server.
Reset URL Resets a particular URL to its default characteristics.
Assign IP to Group This feature provides a means to assign a specific IP address to a
particular group.
Disable Filtering Effectively disables filtering of a chosen URL on a particular IP
address for a specified length of time.
Reactivate Filtering Removes the effects of "Disable Filtering" and reactivates filtering on
an IP address.
Flush NSLAM Users Flush all dynamic group assignments to disk.
Disable Category
Filtering Disable filtering for specific categories for a user for a specific period time.
Signal Dynamic Client
Reload Save dynamically added clients to disk.
Allow WebAdmin
Notification This permission allows a sysop to sign up for WebAdmin Notification. Sysops will then receive an email anytime activity occurs in the
WebAdmin that is based on their administration level, and the users assigned to them.
Allow WebAdmin Log Access
Each action taken by an account user in the WebAdmin is stored in the WebAdmin Log. A sysop, who is given this permission, will be able to view the actions performed in the WebAdmin by
himself/herself and any of his/her accounts.
Allow Alert Log Access The URL Alerts log stores each URL that has been entered as a URL
Alert. A sysop with this permission will be able to see all the URLs that have been sent to Netsweeper as URL Alerts.
Account Management Using the Account Manager, sysops can create, delete, or edit user
accounts. To allow a sysop to assign Accounts to a group, you must also select the Modify Account Group Memberships permission. Enable this permission if you are using an Account-based solution, such as the Client Filter.
Function Description
Client Filter
Management With this permission, sysops can reset or remove installs once an account has reached the install limit, reset a user account password,
upload a new version of the Client Filter, or generate uninstall keys (used to uninstall the Client Filter when the password has been forgotten and the computer has no Internet connection to retrieve a new password.) With these permissions, a sysop can uninstall any Client Filter using the same Policy Server, even those outside of their group. Using this permission, a sysop could install the Client Filter on virtually an unlimited number of computers under the same account. For these reasons, we recommend that only Admin users have access to this advanced permission.
Customer
Management The Customer Manager is a tool used to view and troubleshoot account or group settings. When you select this permission, a sysop
can assume the identity of a group to test and view their settings and change the password for accounts assigned to that group.
View All User
Accounts Access to this permission allows sysops to view all the user accounts, not just those they create, as long as they also have the Account
Management permission. If they are also given the Modify Account Group Memberships permission, they can change the group
membership for any users on the system.
Demand Reports Enable access to this permission if you want a sysops to create
Demand Reports.
Scheduled Reports Enable access to this permission if you want a sysop to create
Scheduled Reports.
Continuous Reports Enable access to this permission if you want a sysops create
Continuous Reports.
Quick Reports Enable access to this permission to allow a sysop to generate Quick
Reports.
Global URL List The Global URL List permission allows sysops to add, delete, or
modify URLs from this list. To enable or disable the Global Allow and Deny Lists for groups assigned to a sysop, they must be given the Modify Group Policy Global URL List permission.
Category URL List Access to the Category URL List permission allows sysops to add,
delete, or modify URLs on the Category URL list. This list is
overridden by all the other lists because it has the same priority as the categories themselves.
System URL List Access to the System URL List permission allows sysops to add,
delete, or modify URLs from the System Allow and Deny URL lists and the System Allow and Deny Protocol lists.
Deny Page URL List Access to the Global URL List permission allows sysops to add,
delete, or modify URLs on this list.
URL Alert Access to this permission allows a sysopsto ask Netsweeper for a
human review of the categories assigned to a URL by Netsweeper‘s Artificial Intelligence engine.
Function Description
Groups/Policies Web
Proxy Access to the Groups/Policies Web Proxy permission allows sysops to test their groups and policies. Instructions on using the Web Proxy
tool are available from the support site, at
http://support.netsweeper.com.