Group inheritance

The Web Gateway and UTM systems are built around a powerful hierarchical grouping mechanism, whereby users, networks and individual computers can be assigned to one or more groups, which are in turn organised as a tree. Settings, such as web or mail filtering, permissions, etc. can be set on each group and are inherited by the groups within, and the inherited settings can be overridden within descendant groups. This is a very flexible approach, allowing global configuration to be set for the root Everyone group, and then refined in the more specific groups, relaxing filters for staff or tightening them for students, for example.

When the system needs to check the configuration, it looks to see which groups apply. For example, when a user accesses a web page, the web proxy will look to see which groups the authenticated user who's making the request is a member of, and which groups contain networks to which the requesting IP address belongs; or when receiving an email from a local user, the mail server will look to see which groups the sender is a member of, and which groups contain networks to which the sending client's IP address belongs.

Consider the following common group configuration, which is based on our recommended group structure:

  • GROUP: Everyone
    • GROUP: Administrators
    • GROUP: Anonymous
    • GROUP: Networks
      • GROUP: Trusted email senders
        • NETWORK: 10.1.2.0/24
    • GROUP: Staff
    • GROUP: Students
      • GROUP: Lower school
        • GROUP: Year7
        • GROUP: Year8
        • GROUP: Year9
      • GROUP: Upper school
        • GROUP: Year10
          • USER: Alice
        • GROUP: Year11
      • GROUP: Sixth form
        • GROUP: Year12
          • USER: Bob
        • GROUP: Year13

Single Group Inheritance

When the system decides that a single group applies, the inheritance is very simple to understand. An example of this is where the user is a member of exactly one group and their IP address isn't in any defined networks. Imagine the tree of groups above, with users called Alice in Year10, and Bob in Year12 and a configuration that blocks web accesses to social networking websites for everyone except for sixth form students:

  • Web filtering of the social networking category is enabled in the Everyone group with the filter sensitivity set to 5, which will be inherited by all of the groups.
  • The Sixth form group has the social networking category's inherit checkbox unticked and disables the web filter by having its sensitivity turned right down to 0.

When Alice tries to use the web from a workstation with IP address 10.0.0.1, the proxy determines that:

  • Alice is a member of the Year10 group, and no others.
  • The Year10 branch of the tree forms this path from the root: Everyone > Students > Upper school > Year10.
  • The social networking filter is enabled in Everyone with a sensitivity of 5.
  • The Students group inherits the social networking filter's setting from Everyone.
  • The Upper school group inherits the social networking filter's setting from Students.
  • The Year10 group inherits the social networking filter's setting from Upper school.
  • Alice's IP address isn't within any of the defined networks.

By starting at the root Everyone group and going down the branch, group-by-group, until we find the group the user belongs to, we have determined that the social networking category is filtered with a filter sensitivity of 5 for Alice.

[Figure: inheritance graph for Alice]

When Bob tries to use the web from a workstation with IP address 10.0.0.1, the proxy determines that:

  • Bob is a member of the Year12 group, and no others.
  • The Year12 branch of the tree forms this path from the root: Everyone > Students > Sixth form > Year12.
  • The social networking filter is enabled in Everyone with a sensitivity of 5.
  • The Students group inherits the social networking filter's setting from Everyone.
  • The Sixth form group does not inherit the social networking filter's setting from Students, and instead disables the filter by setting the sensitivity to 0.
  • The Year12 group inherits the social networking filter's setting from Sixth form.
  • Bob's IP address isn't within any of the defined networks.

We've followed exactly the same procedure as for Alice, but this time we have determined that the social networking category is not filtered for Bob.

[Figure: inheritance graph for Bob]

The user interface always shows which settings apply to each group after single group inheritance is taken into account. It does not show the result of merging several groups that apply to the same request; for that, use the policy modelling reports described at the end of this page.

Multiple Group Inheritance

Users and networks/computers can be in more than one group, so the system may determine that more than one group applies at once. Additionally, a user group and one or more network groups may apply to the same request. Consider Bob again, this time accessing the web from a workstation with IP address 10.1.2.3: the groups that apply to this web request are all of the groups the user Bob is in, plus all of the groups containing a network that includes 10.1.2.3 (10.1.2.3/32, 10.1.2.0/24, and so on).

The settings for each applicable group are resolved exactly as described above for single group inheritance. That leaves several sets of settings, possibly conflicting with each other, which must be merged into a single unified configuration before they can be used. To merge them, each setting is prioritised by how far from the root Everyone group it was ultimately set, meaning the group where the inherit checkbox was unticked and the value chosen, not a group that merely inherited it: the setting whose origin is deeper in the tree wins.

Bob is in the Year12 group and the network 10.1.2.0/24 is in the Trusted email senders group. Similar to the above, there's a configuration that blocks web accesses to social networking websites for everyone except for sixth form students. Everyone is allowed to relay email to external domains, and the Trusted email senders group is set to bypass all email restrictions:

  • Web filtering of the social networking category is enabled in the Everyone group with the filter sensitivity set to 5, which will be inherited by all of the groups.
  • The Sixth form group has the social networking category's inherit checkbox unticked and disables the web filter by having its sensitivity turned right down to 0.
  • The "Email clients can relay to external domains" mail server permission is ticked in the Everyone group.
  • The "Bypass all mail restrictions" mail server permission is not ticked in the Everyone group.
  • The "Bypass all mail restrictions" mail server permission is ticked in the Trusted email senders group.

When Bob tries to use the web from a workstation with IP address 10.1.2.3, the proxy determines that:

  • Bob is a member of the Year12 group, and no others.
  • The Year12 branch of the tree forms this path from the root: Everyone > Students > Sixth form > Year12.
  • The social networking filter is enabled in Everyone with a sensitivity of 5.
  • The Students group inherits the social networking filter's setting from Everyone.
  • The Sixth form group does not inherit the social networking filter's setting from Students, and instead disables the filter by setting the sensitivity to 0.
  • The Year12 group inherits the social networking filter's setting from Sixth form.
  • Bob's IP address is within the 10.1.2.0/24 network, which is in the Trusted email senders group.
  • The Trusted email senders branch of the tree forms this path from the root: Everyone > Networks > Trusted email senders.
  • The Trusted email senders group inherits the social networking filter's setting from Everyone.

The system now has two conflicting settings: the Year12 group has the social networking filter disabled (inherited from Sixth form) whilst the Trusted email senders group has the social networking filter enabled with its sensitivity set to 5 (inherited from Everyone). This is resolved by seeing that the Trusted email senders group's setting was set in Everyone whilst the Year12 group's setting was set in Sixth form. Since Sixth form is further away from the root of the tree than Everyone, its setting takes priority, so the social networking category is not filtered for Bob.

[Figure: inheritance graph for Bob's web request from 10.1.2.0/24]

We can see a similar set of events when Bob sends an email from the same workstation - the mail server determines that:

  • Bob is a member of the Year12 group, and no others.
  • The Year12 branch of the tree forms this path from the root: Everyone > Students > Sixth form > Year12.
  • The "Email clients can relay to external domains" mail permission is ticked in Everyone.
  • The "Bypass all mail restrictions" mail permission is not ticked in Everyone.
  • The Students group inherits both mail server permissions from Everyone.
  • The Sixth form group inherits both mail server permissions from Students.
  • The Year12 group inherits both mail server permissions from Sixth form.
  • Bob's IP address is within the 10.1.2.0/24 network, which is in the Trusted email senders group.
  • The Trusted email senders branch of the tree forms this path from the root: Everyone > Networks > Trusted email senders.
  • The Trusted email senders group does not inherit the "Bypass all mail restrictions" permission from Everyone, and instead enables this permission.

Again, the system now has two conflicting settings: the Year12 group has the "Bypass all mail restrictions" permission unticked (inherited from Everyone) whilst the Trusted email senders group has it ticked. As above, this is resolved by seeing that the Trusted email senders group's setting was set in Trusted email senders itself, whilst the Year12 group's setting was set in Everyone. Since Trusted email senders is further away from the root of the tree, its setting takes priority, so Bob's emails won't be filtered. In both groups, the "Email clients can relay to external domains" permission is identical and comes from the Everyone group, so it is not in conflict and Bob's email software can send emails to external domains.

Note that this bypass is granted by the network alone: any user sending from 10.1.2.0/24, not just Bob, receives it, because a permission set in a network group deep in the tree outranks a restriction that a user group only inherits from Everyone. Keep such network groups as small as possible and confirm what they grant with the policy modelling reports before relying on them.

[Figure: inheritance graph for Bob's email from 10.1.2.0/24]
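The two procedures above (single group inheritance, then merging the per-group results by depth of origin) can be modelled in a few dozen lines, which is a useful way to sanity-check a policy before it goes live. The following is an added example written for this page, not the Web Gateway's own code or data model: the group tree, the setting names (web.social_networking.sensitivity and the two mail permissions) and the behaviour on a same-depth conflict are all assumptions chosen to mirror the worked examples for Alice and Bob.

```python
"""Model of the group-inheritance rules described on this page.

Constructed illustration, not the product's code: the tree, setting names and
tie-break behaviour are assumptions chosen to mirror the worked examples.
"""
import ipaddress


class Group:
    def __init__(self, name, parent=None):
        self.name = name
        self.parent = parent
        self.children = []
        self.settings = {}   # settings set explicitly on this group (inherit unticked)
        self.users = set()   # user names directly in this group
        self.networks = []   # ipaddress networks directly in this group
        self.depth = 0 if parent is None else parent.depth + 1
        if parent is not None:
            parent.children.append(self)

    def path(self):
        """Groups from the root Everyone group down to this group."""
        node, out = self, []
        while node is not None:
            out.append(node)
            node = node.parent
        return out[::-1]


def walk(root):
    stack = [root]
    while stack:
        group = stack.pop()
        yield group
        stack.extend(group.children)


def find(root, name):
    return next(g for g in walk(root) if g.name == name)


def resolve_single(group):
    """Single group inheritance: walk root -> group, letting each explicit
    setting override the inherited one. Returns {setting: (value, origin group)}."""
    resolved = {}
    for g in group.path():
        for key, value in g.settings.items():
            resolved[key] = (value, g)
    return resolved


def applicable_groups(root, user, ip):
    """Every group the user is a member of, plus every group holding a network
    that contains the client's IP address."""
    addr = ipaddress.ip_address(ip)
    return [g for g in walk(root)
            if user in g.users or any(addr in net for net in g.networks)]


def resolve_effective(root, user, ip):
    """Multiple group inheritance: merge the per-group results, preferring the
    setting whose origin group lies furthest from the root.
    Returns {setting: (value, origin group name)}."""
    merged = {}
    for g in applicable_groups(root, user, ip):
        for key, (value, origin) in resolve_single(g).items():
            current = merged.get(key)
            if current is None or origin.depth > current[1].depth:
                merged[key] = (value, origin)
            elif origin.depth == current[1].depth and value != current[0]:
                # Assumption: the page does not say how two different values set
                # at the same depth are merged, so report it as a policy error
                # rather than silently picking one of them.
                raise ValueError(
                    f"{key}: {current[0]!r} from {current[1].name} conflicts "
                    f"with {value!r} from {origin.name} at depth {origin.depth}")
    return {k: (v, o.name) for k, (v, o) in merged.items()}


def build_tree():
    """The recommended group structure from this page, with the three settings
    used in its worked examples."""
    everyone = Group("Everyone")
    Group("Administrators", everyone)
    Group("Anonymous", everyone)
    trusted = Group("Trusted email senders", Group("Networks", everyone))
    trusted.networks.append(ipaddress.ip_network("10.1.2.0/24"))
    Group("Staff", everyone)
    students = Group("Students", everyone)
    lower = Group("Lower school", students)
    for year in ("Year7", "Year8", "Year9"):
        Group(year, lower)
    upper = Group("Upper school", students)
    Group("Year10", upper).users.add("Alice")
    Group("Year11", upper)
    sixth = Group("Sixth form", students)
    Group("Year12", sixth).users.add("Bob")
    Group("Year13", sixth)

    everyone.settings = {
        "web.social_networking.sensitivity": 5,
        "mail.relay_to_external_domains": True,
        "mail.bypass_all_restrictions": False,
    }
    sixth.settings = {"web.social_networking.sensitivity": 0}  # inherit unticked
    trusted.settings = {"mail.bypass_all_restrictions": True}  # inherit unticked
    return everyone


if __name__ == "__main__":
    root = build_tree()
    for user, ip in (("Alice", "10.0.0.1"), ("Bob", "10.0.0.1"), ("Bob", "10.1.2.3")):
        print(f"{user} from {ip}:")
        for key, (value, origin) in sorted(resolve_effective(root, user, ip).items()):
            print(f"  {key} = {value!r}  (set in {origin})")
```

Running the script reproduces the three walkthroughs: Alice gets sensitivity 5 from Everyone, Bob gets 0 from Sixth form whichever workstation he uses, and only from 10.1.2.0/24 does Bob also pick up the bypass permission from Trusted email senders. The deliberate ValueError on a same-depth conflict is the point worth copying into any policy check you write: the page does not say which value wins in that case, so a model should flag it rather than guess.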

If you are not sure which settings will apply, you can use the policy modelling reports to see what the resultant settings will be and how they were derived:

  • Reports > Web Proxy > Policy Modelling
  • Reports > Mail Server > Policy Modelling