LiveStream 5 Administration Guide

Managing Policy Groups

Policy Groups are the organisational containers that pair your client groups with specialised sets of web access rules (Policy Sets).

Your current Policy Groups can be viewed on the Dashboard or in the Policy Groups section itself, accessible from the main navigation menu.

Before proceeding to configure Policy Groups you should ensure that you have client groups available to add as members of your Policy Groups. Client groups refer to either:

  • Device Groups which define individuals by their device's network details e.g. IP address, range, subnet or MAC address.
  • User Groups which define individuals by their user authentication credentials loaded from an external directory service.

IMPORTANT: Out of the box, LiveStream 5 includes a single Policy Group called Everyone, which contains a single Device Group member called Possible Internal Networks. This built-in Policy Group includes a Policy Set named Admin Policy which, by default, does not apply filtering rules.

This is purely a means for new installations to be functional web filters as soon as the networking is configured. Once you are ready to configure your own Policy Groups, the built-in defaults should be discarded.


Creating Policy Groups

When establishing your Policy Groups the primary considerations should be:

  • What are the different kinds of people using your internet facilities?
  • What level of web access should each kind of person receive?
    • Should different types of staff have different rules?
    • Should different year levels of student have different rules?
    • Are there particular clubs or classes that may require more or less lenient rules?

Every user and device must match a Policy Group, implied by their user or device group, in order to be granted web access.

For a smaller school, intending to apply a uniform policy to all students, the Policy Groups might look like:

  • Students
  • Staff
  • Administrators
  • BYO Devices
  • Library Kiosks
  • Guests

With your desired structure in mind, navigate to the Policy Groups index (pictured above) from the primary navigation menu.

  1. Click New Group.

  2. In the dialogue, enter a pertinent (see above), unique name for this Policy Group.

  3. Choose one of your existing Policy Sets to be the default level of access for this Policy Group. Don't worry, this is just the base level required to create the Policy Group—the Policy Set can be changed later.

  4. Click the Create button.

Your new group will appear at the bottom of the Policy Group listing. You may now click on its title to enter its management page.

ProTip: If this is a new installation, you might like to repeat these steps and create all of your Policy Groups before configuring the members and Policy Sets for each one.

Managing Members

Just as user groups have users as members, Policy Groups have user groups and device groups as their members.

Adding members

  1. To get started, select the Policy Group you want to manage from the Policy Groups index page (pictured above) or by clicking the appropriate user groups link from the Dashboard.

  2. In the Policy Group edit page, make sure you have the Members tab selected. Note the name of the Policy Group you're editing is always visible in the page header.

  3. The left-hand column lists the client groups which are currently available, either loaded from your directory service or created locally in LiveStream.

    IMPORTANT: A client group can only be a member of one Policy Group at a time. Client groups that are already a member of a different Policy Group will be marked accordingly.

  4. Select a user group or device group you wish to associate with this Policy Group and then click the Activate button.

Once a client group has been successfully added it will appear in the right-hand column.

If you activated a user group from your directory service for the first time, it may take up to 5 minutes to synchronise all the relevant user details via LDAP.

Removing members

Removing a client group uses much the same procedure as adding one: select the group you wish to remove from the right-hand column and click the Deactivate button.

Managing Policy Group Priorities

If a particular user is a member of two or more user groups, each of which is a member of a separate Policy Group, then which one should determine their web access? Whichever one has the highest priority.

All of your Policy Groups are organised in a hierarchy according to their priority. This is needed in order to resolve conflicts stemming from multiple directory group memberships.

You can view, increase and decrease the current priority of your Policy Groups from the index page (pictured above). Each Policy Group is numbered with (1) as the highest priority. This priority can be altered using the Change Priority up and down buttons.

ProTip: Each new Policy Group is initially given the lowest priority. So after you create one, take the opportunity to increase its priority by the appropriate amount relative to the others.

Example

Imagine Mr. Goodman, who belongs to both Domain Admins and All Staff. All Staff has been added to the Staff Policy Group and Domain Admins has been added to the Administrators Policy Group.

Administrators must be placed higher in the hierarchy than Staff to ensure that Mr. Goodman receives the web access privileges of being an administrator.
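
The priority rule above, modelled as an added Python sketch (not LiveStream code): the lowest-numbered matching Policy Group wins, a client with no match gets no access, and a helper flags client groups placed in more than one Policy Group. The data structures and the group names All Students and Contractors are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class PolicyGroup:
    name: str
    priority: int                               # 1 is the highest priority
    members: set = field(default_factory=set)   # client groups (user or device groups)

def check_single_membership(policy_groups):
    """Return client groups that appear in more than one Policy Group.

    The guide states a client group can only be a member of one Policy Group
    at a time, so any result here indicates a misconfiguration.
    """
    seen, duplicates = {}, set()
    for pg in policy_groups:
        for client_group in pg.members:
            if client_group in seen and seen[client_group] != pg.name:
                duplicates.add(client_group)
            seen.setdefault(client_group, pg.name)
    return duplicates

def resolve_policy_group(policy_groups, client_groups):
    """Pick the Policy Group that governs a user or device.

    Returns None when nothing matches: per the guide, a client that matches
    no Policy Group is not granted web access.
    """
    matches = [pg for pg in policy_groups if pg.members & set(client_groups)]
    if not matches:
        return None
    return min(matches, key=lambda pg: pg.priority)

# Constructed configuration mirroring the Mr. Goodman example.
GROUPS = [
    PolicyGroup("Administrators", 1, {"Domain Admins"}),
    PolicyGroup("Staff", 2, {"All Staff"}),
    PolicyGroup("Students", 3, {"All Students"}),
]

if __name__ == "__main__":
    goodman = resolve_policy_group(GROUPS, ["All Staff", "Domain Admins"])
    print(goodman.name)
    print(resolve_policy_group(GROUPS, ["Contractors"]))
```

Swapping the priorities of Administrators and Staff makes the same lookup return Staff, which is the misordering the example warns about.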

Policy Sets

Each Policy Group must have a default set of rules to determine their members' base level of web access. These rule sets are maintained in separate management objects called Policy Sets, allowing them to be "portable" between Policy Groups.

Policy Sets are accessed from the Access tab inside each Policy Group.

We'll cover them in detail in the following sections.

Supervisor Bypass

Sometimes it's not convenient for Staff members to wait for the LiveStream 5 administrator to unblock a denied URL. This is particularly true of learning situations where a student may require access to a resource that's denied by their policy in order to progress with that day's lesson.

Supervisor Bypass allows the administrator to delegate the authority to unblock URLs to the staff members that are "on the ground", or in the classroom. For example, by granting supervisor authority to the teachers within a school they gain the ability to override blocked URLs for any other user (such as students in their classes), as long as that URL is not blocked by their own policy.

The following measures are in place to prevent abuse of Supervisor Bypass authority:

  • Each bypass event gets recorded in an audit log for review by the LiveStream 5 administrator.
  • Supervisors may only unblock a URL that their own policy allows.
  • Each bypass applies only to the user who received the deny page. If other users require the same resources to be unblocked, the supervisor will have to create the bypass for each one separately.
  • Each bypass expires at the end of the day.
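
An added Python model of the four safeguards listed above (not LiveStream's implementation), useful for reasoning about what an audit-log review should expect to see. Exact-URL matching, midnight as the end of the day, logging of refused requests, and all user names and URLs are assumptions made for the example.

```python
from datetime import datetime, time, timedelta

class BypassStore:
    """Toy model of Supervisor Bypass state; not the product's data model."""

    def __init__(self, supervisors, blocked_for):
        self.supervisors = set(supervisors)  # users holding supervisor authority
        self.blocked_for = blocked_for       # user -> URLs denied by their own policy
        self.active = {}                     # (user, url) -> expiry datetime
        self.audit_log = []                  # one entry per bypass request

    def request(self, supervisor, user, url, now):
        """Supervisor asks to unblock `url` for `user`; returns True if granted."""
        if supervisor not in self.supervisors:
            outcome = "refused: no supervisor authority"
        elif url in self.blocked_for.get(supervisor, set()):
            outcome = "refused: blocked by supervisor's own policy"
        else:
            # Assumption: "end of the day" means the next local midnight.
            midnight = datetime.combine(now.date() + timedelta(days=1), time.min)
            self.active[(user, url)] = midnight
            outcome = "granted"
        self.audit_log.append((now, supervisor, user, url, outcome))
        return outcome == "granted"

    def is_allowed(self, user, url, now):
        """True if the user's policy permits the URL or an unexpired bypass exists."""
        if url not in self.blocked_for.get(user, set()):
            return True
        expiry = self.active.get((user, url))
        return expiry is not None and now < expiry

# Constructed sample data.
VIDEO, GAMES = "http://video.example.org/lesson", "http://games.example.org/"

def demo():
    store = BypassStore({"teacher"}, {"student_a": {VIDEO, GAMES},
                                      "student_b": {VIDEO, GAMES},
                                      "teacher": {GAMES}})
    t = datetime(2024, 3, 4, 10, 0)
    results = {
        "granted": store.request("teacher", "student_a", VIDEO, t),
        "own_policy": store.request("teacher", "student_a", GAMES, t),
        "no_authority": store.request("student_b", "student_b", VIDEO, t),
        "same_user_later": store.is_allowed("student_a", VIDEO, t + timedelta(hours=2)),
        "other_user": store.is_allowed("student_b", VIDEO, t + timedelta(hours=2)),
        "next_day": store.is_allowed("student_a", VIDEO, t + timedelta(days=1)),
    }
    return results, store.audit_log
```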

Audit log

Supervisor authority is granted from the Access tab of each Policy Group. Check the box labelled "Grant supervisor bypass authority to ..." and click Done.

Supervisor Bypass user deny page form

Once at least one Policy Group has supervisor authority, a Bypass link will be presented in the footer of every deny page. Users can call a supervisor over to their device and request that they unblock the URL for them.

If the supervisor deems the URL appropriate for the user they:

  1. Click the Bypass link.
  2. Input their username and password into the form.
  3. Click the Temporarily allow button.

The afore-denied URL will now be automatically loaded in the browser window and be available for the rest of the day.

ProTip: The LiveStream 5 administrator can periodically review bypass events using the audit log and choose whether to make the temporary rules permanent so that supervisors don't have to add the same bypass in future.