Virtual Groups

The Virtual Groups system provides an extremely powerful way to make automatic modifications to the settings based on some defined conditions. For example, you can use virtual groups to relax some of your filters when the sixth form are using workstations in supervised locations. The virtual groups tree is completely separate to the standard groups tree, and can be accessed through Users and Groups -> Virtual Groups.

Triggers

To tell the system when to apply a virtual group, a set of trigger conditions must be defined. Each trigger condition references a directory object (group, user, network or virtual group), and matches whenever that directory object is used. A virtual group can either be configured to activate when any of its conditions match, or only when all of its conditions match.

For example, consider the group tree below:

  • GROUP: Everyone
    • GROUP: Networks
      • NETWORK: 10.0.0.0/8
      • GROUP: Library Network
        • NETWORK: 10.12.3.0/24
    • GROUP: Students
      • GROUP: Year 12
        • USER: Alice

In this example, we can set up a virtual group called Students in Library with two triggers, one referencing the Library Network group and the other referencing the Students group. The Match all of the following option will be ticked in the Students in Library virtual group's triggers list.

Using the web proxy as an example, if Alice accesses the web from a workstation with IP address 10.12.3.100, the groups, users and networks will be evaluated to derive the settings as follows:

Inheritance graph

The Library Network group is on one of the paths between the Everyone group and the final result, and so the virtual group trigger which references the Library Network group will match. The Students group is also on one of the paths between the Everyone group and the final result, so the associated virtual group trigger will also match. The Students in Library virtual group will be activated in this case, since its Match all of the following option is ticked.

As a counterexample, if Alice is using a workstation with IP address 10.200.1.1, only the trigger which references the Students group will match. The Library Network trigger won't match and the Students in Library virtual group will therefore not be activated:

Inheritance graph
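The trigger evaluation described above can be modelled in a few lines. This is an added example, not code from the product: the tree encoding, the function names, the assumption that every network containing the client IP contributes a path, and the assumption that an empty trigger list never activates are all hypothetical.

```python
import ipaddress

# Constructed model of the page's example tree (child -> parent).
PARENT = {
    "GROUP: Networks": "GROUP: Everyone",
    "NETWORK: 10.0.0.0/8": "GROUP: Networks",
    "GROUP: Library Network": "GROUP: Networks",
    "NETWORK: 10.12.3.0/24": "GROUP: Library Network",
    "GROUP: Students": "GROUP: Everyone",
    "GROUP: Year 12": "GROUP: Students",
    "USER: Alice": "GROUP: Year 12",
}

def path_to_root(node):
    """Return the node followed by each of its ancestors."""
    path = []
    while node is not None:
        path.append(node)
        node = PARENT.get(node)
    return path

def objects_used(user, client_ip):
    """Directory objects on any path from Everyone to the final result."""
    ip = ipaddress.ip_address(client_ip)
    key = f"USER: {user}"
    used = set(path_to_root(key)) if key in PARENT else set()
    for node in PARENT:
        # Assumption: every network containing the client IP is used.
        if node.startswith("NETWORK: "):
            if ip in ipaddress.ip_network(node.split(": ", 1)[1]):
                used.update(path_to_root(node))
    return used

def virtual_group_active(triggers, match_all, user, client_ip):
    """Evaluate a virtual group's trigger list for one request."""
    used = objects_used(user, client_ip)
    hits = [t in used for t in triggers]
    if not hits:  # Assumption: no triggers means never active.
        return False
    return all(hits) if match_all else any(hits)

# Triggers of the "Students in Library" virtual group from the page.
TRIGGERS = ["GROUP: Library Network", "GROUP: Students"]

if __name__ == "__main__":
    for ip in ("10.12.3.100", "10.200.1.1"):
        print(ip, virtual_group_active(TRIGGERS, True, "Alice", ip))
```

Calling virtual_group_active with match_all=False for 10.200.1.1 returns True, which is why the Match all of the following option matters in this example: without it, the virtual group's settings would apply to students on any workstation.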

To add a trigger condition, go to Users and Groups -> Virtual Groups, select the appropriate virtual group and click Add Trigger. A pop-up window will show the groups and virtual groups tree, from which you can select the group or virtual group for the trigger to reference. You can also right-click a group in order to access the users and networks contained within it.

If you are in doubt as to whether a virtual group will be triggered as expected, use the appropriate policy modelling report to review the inheritance graphs.

Configuration

Settings can be added to the virtual groups in exactly the same way as they are to normal groups. For example, in Web Proxy -> Filter Categories, the virtual groups tree is shown at the bottom of the left-hand column, and the virtual groups can be selected and configured in the normal way.

When a virtual group is active, the settings are derived from the groups, users and networks as normal. The resulting configuration is then inherited by the root virtual group (Virtual Groups) and either inherited or overridden by the appropriate virtual groups. For the example above, this is the resultant inheritance tree:

Inheritance graph

The following example is the result of the web proxy being configured to block websites which fall into the Social Networking category for students, except when they are in the library:

Inheritance graph

Note that, just like the standard groups, it is possible for multiple virtual groups to apply at the same time. The resultant settings from each branch of the tree are merged together using the standard group inheritance rules. For example, this is another possible configuration:

Inheritance graph

The virtual groups system is extremely powerful, but care must be taken to ensure the configuration does not become overcomplicated. If you are in doubt as to how a virtual group will affect the configuration, use the appropriate policy modelling report to review the inheritance graphs.