A few feature changes have been rolled out to improve the functionality of GoGuardian Admin. Let's take a quick look at the new setup and what this means for users of GoGuardian Admin depending on their role and OU access. Users will only be able to edit or remove policies that affect OUs they have access to specifically. Only a super user can change the OUs a GoGuardian Admin user has access to via manage.goguardian.com.
This update directly affects the following:
- Syncing Org Units
- Editing and Assigning/Removing Policies on OUs
To sync Orgs Units, you will now find a circular arrow icon at the top of the page.
Working with Policies
You can find all of your Policies on the Configuration page by clicking Configuration > Policy List.
You can also search for Policies by the Policy name, the user responsible for creating it, or the last user to make edits on that Policy respectively. Any Policies that are grayed out are Policies that your account cannot interact with.
While viewing Policies, you can click the plus icon on the left of the Policy to see the 5 most recent actions taken on that Policy.
To edit a Policy, your account must have Filter & Monitor access or higher as well as appropriate OU access. If your account doesn't have access to an OU that a Policy is applied to, then you cannot edit that Policy in any way (you also cannot remove that Policy from an OU that you have access to).
Example: Admin user has access to the Milan OU, but does not have access to the top-level OU. The Tested policy is applied directly to the Milan OU. The Milan OU is inheriting the Default Policy from the top-level OU; which this admin user does not have access to.
Result: This admin user can edit and remove the Tested policy as desired because they have adequate OU access to the Milan OU (where this Policy is directly applied). But they cannot edit or remove the Default Policy because that Policy is applied to one or more OUs that this user does not have access to.
Because the Default Policy is inherited from a higher-level OU that the user does not have access to (indicated by the gray color of the Default Policy card), no edits can be made to the Default Policy and it cannot be removed from the Milan OU by anyone without OU access to the parent OU that the Default Policy is directly applied to.
The same rule applies to a non-parent OU.
Example: The admin has access to the Milan OU, but does not have access to the Paul Gomes School for boys OU. A third Policy was created called Second Example. Because that Policy was applied to be the Milan OU (which the user has access to) and the Paul Gomes School for boys OU (which the user does not have access to), this GoGuardian Admin user would not be able to edit or remove the Second Example Policy from the OU they have access to. In order to remove the Second Example Policy, a user with access to both the Milan OU and the Paul Gomes School for boys OU would need to make this change.
If you hover over the info icon next to any OUs you do not have access to, you will see this message about not having adequate OU access.
How can an admin without access make sure that their Policy's rules are effective?
Great question! The easy answer is to create a new Policy and apply it directly to the OU that they do have access to. Because locally applied Policy filtering rules take precedence over all other rules, creating a new Policy and adding any additional allowances or blocks will enforce any specific rules on the OU that the Policy is applied to in addition to all inherited rules from any inherited Policies.
In other words, if there's a block for a math site coming from an inherited Policy, that block will still apply to the OU that an admin has OU access to. But if that admin creates a new Policy and applies it directly to the OU they have access to, they can add an allowance rule for that site and that will take precedence over any inherited rules.
Tip: Keep your policies slim! One policy can contain many rules. The more policies you add, the more complicated it will be to understand and troubleshoot filtering. Keep as many rules as you can in one policy!