Policy Groups are the organisational containers that pair your client groups with specialised sets of web access rules (Policy Sets).
Your current Policy Groups can be viewed on the Dashboard or in the Policy Groups section itself, accessible from the main navigation menu.
Before proceeding to configure Policy Groups you should ensure that you have client groups available to add as members of your Policy Groups. Client groups refer to either:
IMPORTANT: Out-of-the-box, LiveStream 5 includes a single Policy Group called Everyone which contains single Device Group member called Possible Internal Networks. This built-in Policy Group includes a Policy Set named Admin Policy which, by default, does not apply filtering rules.
This is purely a means for new installations to be functional web filters as soon as the networking is configured. Once you are ready to configure your own Policy Groups, the built-in defaults should be discarded.
When establishing your Policy Groups the primary considerations should be:
For a smaller school, intending to apply a uniform policy to all students, the Policy Groups might look like:
With your desired structure in mind, navigate to the Policy Groups index (pitcured above) from the primary navigation menu.
Click New Group.
In the dialogue, enter a pertinent(see above), unique name for this Policy Group.
Choose one of your existing Policy Sets to be the default level of access for for this Policy Group. Don't worry, this is just the base level required to create the Policy Group—the Policy Set can be changed later.
Click the Create button.
Your new group will appear at the bottom of the Policy Group listing. You may now click on its title to enter its management page.
ProTip: If this is a new installation, you might like to repeat these steps and create all of your Policy Groups before configuring the members and Policy Sets for each one.
Just as user groups have users as members, Policy Groups have user groups and device groups as their members.
To get started select the Policy Group you want to manage from the Policy Groups index page (pictured above) or by clicking the appropriate user groups link from the Dashboard.
The left-hand column lists the client groups which are currently available; either loaded from your directory service or created locally in LiveStream.
Once a client group has been successfully added it will appear in the right-hand column.
If you activated a user group from your directory service for the first time, it may take up to 5 minutes to synchronise all the relevant user details via LDAP.
Removing a client group uses much the same procedure as adding one: select the group you wish to remove from the right-hand column and click the Deactivate button.
If a particular user is a member of two or more user groups, each of which are members of separate Policy Groups then which one should determine their web access? Whichever one has the highest priority.
All of your Policy Groups are organised in a hierarchy according to their priority. This is needed in order to resolve conflicts stemming from multiple directory group memberships.
You can view, increase and decrease the current priority of your Policy Groups from the index page (pictured above). Each Policy Group is numbered with (1) as the highest priority. This priority can be altered using the Change Priority up and down buttons.
ProTip: Each new Policy Group is initially given the lowest priority. So after you create one take the opportunity to increase its priority the appropriate amount relative to the others.
Admistrators must be placed higher in the hierarchy than Staff to ensure that Mr. Goodman receives the web access privileges of being an administrator.
Each Policy Group must have a default set of rules to determine their members' base level of web access. These rule sets are maintained in separate management objects called Policy Sets, allowing them to be "portable" between Policy Groups.
Policy Sets are accessed from the Access tab inside each Policy Group.
We'll cover them in detail in the following sections.
Sometimes it's not convenient for Staff members to wait for the LiveStream 5 administrator to unblock a denied URL. This is particularly true of learning situations where a student may require access to a resource that's denied by their policy in order progress with that day's lesson.
Supervisor Bypass allows the administrator to delegate the authority to unblock URLs to the staff members that are "on the ground", or in the classroom. For example, by granting supervisor authority to the teachers within a school they gain the ability to override blocked URLs for any other user (such as students in their classes), as long as that URL is not blocked by their own policy.
The following measures are in place to prevent abuse of Supervisor Bypass authority:
Supervisor authority is granted from the Access tab of each Policy Group. Check the box labelled "Grant supervisor bypass authority to ..." and click Done.
Once at least one Policy Group has supervisor authority, a Bypass link will be presented in the footer of every deny page. Users can call a supervisor over to their device and request that they unblock the URL for them.
If the supervisor deems the URL appropriate for the user they:
The afore-denied URL will now be automatically loaded in the browser window and be available for the rest of the day.
ProTip! The LiveStream 5 administrator can periodically review bypass events using the audit log and choose whether to make the temporary rules permanent so that supervisors don't have add the same bypass in future.