# Console Reference Docs

# Essential Concepts

# Web Page Classification

Web page classification analyzes the domain, URL, and most importantly, the words and phrases on *every page load* to tally a numerical score in one or more Categories for *that page load*. The filter Action configuration (Allow/Block/Ignore) for the top-scoring Category is then used to handle that particular page request.

#### Traffic Visibility Prerequisites

Webpage word and phrase analysis is only possible with full SSL/TLS decryption (`sslbump`), which is the default action for most<sup>1</sup> web requests on TCP ports 80 (HTTP) and 443 (HTTPS). For this to work without browser security errors, all endpoint devices connecting through the DrawBridge must have the **DrawBridge Certificate Authority certificate** installed. See the page **SSL Certs** under the **Devices** module for more information.

<sup>1</sup>**Note:** for security reasons, banking and financial-related websites **are not TLS-decrypted**. It is assumed that these sites are safe from inappropriate content. You can verify that a site is not being TLS-decrypted by clicking the shield or padlock in your browser address bar and viewing the certificate. If the certificate is issued by a public Certificate Authority (and not your DrawBridge), you know that the DrawBridge is not intercepting the connection.

**Also Note:** Certain web traffic (for example some cloud backup services and application traffic) that is not specification-compliant or is otherwise incompatible with content filtering is exempted at a firewall level from the traffic inspection on TCP ports 80 and 443.

## Example

Visiting https://www.cabelas.com is most likely to score the most points in the Category `Hunting and Fishing`.

* If the Action assigned to `Hunting and Fishing` is `Allow`, the Cabelas page will load as if nothing happened.
* If the Action assigned to `Hunting and Fishing` is `Block`, a DrawBridge block page is loaded to inform the user that the request was blocked due to filter settings.
* If the Action assigned to `Hunting and Fishing` is `Ignore`, the next-to-top scoring Category action is selected to handle the page load.

The option to `Ignore` is strongly discouraged except for special situations. If you decide to specify custom Actions for Categories, please only use `Allow` or `Block` to ensure the most reliable filtering.
## Important Notes

#### 1. About changing default Category Allow/Block settings

The DrawBridge comes with a preset Action for each included (Built-in) Category. When you assign an Action (Allow/Block) to a Category, **you're simply applying a change that gets higher priority than the default setting.**

#### 2. Default Category settings are Business-focused

The default settings for the Built-in Categories are tightly scoped to business-usage needs. Depending on your usage expectations, you may want to set more categories to **Allow** in your *Company Preferences* Access Policy, or in a custom Access Policy.

For more information on Built-In Categories, including how to view default Actions, see **Content Filter: Categories: Built-In Categories**.

## Further Reading

For more information on Categories and Actions, including how to change the Action for a Category, see page **Overview and Essentials** under the **Content Filter** module.

For more information on Certificates and Certificate Authorities, [this Wikipedia article on Public Key Infrastructure](https://en.wikipedia.org/wiki/Public_key_infrastructure) may be helpful.

## FAQ: Is TLS inspection "bad" or "breaking encryption" or "weakening security"?

In a word, **no** *(if implemented correctly)*.

Despite much negative press, blog posts by both [Cloudflare](https://blog.cloudflare.com/monsters-in-the-middleboxes/) and [US-CERT](https://www.cisa.gov/uscert/ncas/alerts/TA17-075A) acknowledge that legitimate use-cases (and secure methods) of TLS inspection exist.

Some of the concerns raised in the two articles linked above are very valid. However, the DrawBridge filter engine is designed to follow industry best-practices to ensure that it doesn't downgrade security or mask upstream security flaws.

Much of this debate boils down to two things:

1. Intention: Why is the TLS traffic being inspected? (legitimate or malicious?)
2. Privacy: Are the end-users aware of the inspection? (visible/policy or invisible/spycraft?)
For #1: The DrawBridge employs TLS inspection to ensure content filtering properly classifies page content.

For #2: Yes: DrawBridge account holders need to purchase the content filter service and need to install a Certificate Authority for the service to work correctly. (It is the responsibility of account holders to inform any user of the service of the content monitoring and inspection.)

This discussion leads to an even deeper question: *Who owns this device*?

If you truly own a computer, for example, you should have the authority to decide what Certificate Authorities it will be allowed to trust, and with whom it will communicate.

Thankfully, most platforms accommodate adding additional Certificate Authorities, enabling you to know and control the network traffic of your device. The notable exception is Android, because of [an alleged "security" decision by Google](https://android-developers.googleblog.com/2016/07/changes-to-trusted-certificate.html). While there were threats they were able to prevent by taking a scorched-earth no-user-CA-trust position<sup>1</sup>, this implementation also conveniently prevents auditing of the traffic of third-party apps and bundled Google apps.

<sup>1</sup>Exception: browser apps on Android will trust user-installed Certificate Authorities.

# Record Model - Tenancy and Hierarchy

# Record Tenancy

The DrawBridge records are `multi-tenanted`. `Tenancy` is established by associating a record (such as Device Group, Access Policy, or Report) to a given tenant (see Types, below), and ensuring that other tenants cannot see those records.
Four types of tenants are supported:

Tenancy Type | Visibility | Permissions
--- | --- | ---
Company | Just that Company | Contacts assigned to this Company, contacts of the Accountability Policy associated with this Company
Accountability Policy | All Member Companies | Contacts of the Accountability Policy
Appliance | All Companies on that DrawBridge | Contacts of the Main Company
Universal | All Companies on all DrawBridges | System Administrators

In other words, the Tenancy Type of a record can be determined by looking at the association relationship(s):

* A record assigned to a Company belongs to that company
* A record assigned to an Accountability Policy is available to all Member companies
* A record assigned to a System/Appliance applies to all tenant companies
* A record with none of the above relationships is available to all companies everywhere.

### The Main Company

All Companies on a DrawBridge are tenants; however, for proper record and configuration ownership, it is essential that one Company be the Main Company of a DrawBridge. The Main Company is the Owner of the DrawBridge, or the owner of the premise on which it is located. The Contacts on the Main Company are the only ones who can control System-wide settings, such as QoS, Firewall settings, DNS, and so forth.

# Record Hierarchy

Certain types of records can have a "Parent"/"Child" designation:

* **Accountability Policy:** An Accountability Policy can be a "Child" of another Accountability Policy, enabling the automatic inheritance of configuration settings at the "Parent" level, such as Report Presets.
* **Category:** Built-in Categories are members of "Parent" categories for easy classification into genres.
For example, Parent Category **Automotive** contains the following child categories:

* `Automotive and Trucks`
* `Automotive - Objectionable`
* `Metals / Welding`
* `Powersports`

# Permissions and Relationships

# Permissions

**Permission Groups** in the DrawBridge Console are analogous to User [Groups](https://en.wikipedia.org/wiki/Group_(computing)) in typical operating systems.<sup>1</sup>

Permissions Groups are a way of assigning a particular Role to a Person: Adding a Person record to the `Accountability` permission group gives them the access and controls exclusive to `Accountability` and higher level permission groups.

Person records are given the permissions by being added as a member of a particular Permissions Group.

Permission Groups in the DrawBridge Console:

Permission Group | Required Relationship | About
--- | --- | ----
`Company Owner` | Company Owner | The owner of a Company
`Appstore Access` | Company or Accountability Policy | Allows Person to Enable App Store Access on a Company record
`Can Submit Autofix Requests` | Company | Allows use of the Autofix reclassification function
`Can Submit Sites for Human Review` | Company | Allows submission of a Classification Review support ticket
`Media Viewer` | Company | Allows classification of a video in the Media Room
`Company Media Room Admin` | Company | Allows administration of a company Media Room
`Report Viewer` | Company or Accountability Policy | Allows viewing of web activity Reports
`System Owner` | Company Owner | Allows visibility and control of all Tenant Companies on that DrawBridge
`ACL Pumpkineer` | Accountability Policy or Compass Foundation Staff | Allows creation and modification of ACLs
`Accountability` | Accountability Policy | Allows visibility and control of member Company configurations and reports
`Device Detector Admin` | (?) | (?)
`Realtime Log Viewer` | Company Owner of Main Company | Allows access to the system-wide Realtime Log Viewer
`Reseller` | (?) | Allows visibility and control of all Tenant Companies on that DrawBridge
`Sysadmin` | (?) | (?)

<sup>1</sup>For further advanced reading, see the [POSIX specification documentation](https://pubs.opengroup.org/onlinepubs/9699919799/) by The Open Group and IEEE.

# Relationships

Records in the DrawBridge console, particularly Person records, can have one or more relationship associations. For an analogy, consider how individual people in real life have different relationships to others, depending on their role: Parent-Parent, Parent-Child, Brother-Sister, and so forth.

#### Relationships in the Console

A **Person** can have the following relationships to **Companies**:

* Owner
* Associate
* Tech Support
* General Contact

A **Person** can have the following relationships to an **Accountability Policy**:

* Accountability Contact

A **Company** can have the following relationship to an **Accountability Policy**:

* Member

# Examples

Person *fred_smith* owns Company *Eastwood Trading Co*. He therefore is assigned a `Company Owner` Relationship, and added to the `Company Owner` Permissions Group. Company *Eastwood Trading Co.* has an on-premises DrawBridge, so *fred_smith* is also added to the `System Owner` Permissions Group.

Person *jack_miller* is on the IT staff for *Eastwood Trading Co*. He is assigned a `Tech Support` Relationship, and added to the `Sysadmin` Permissions Group.

# Accountability

The DrawBridge supports an Accountability model to facilitate voluntary, centrally-administered, usage report sharing and content filter configuration of Member Companies by specified administrators in a community context.

An Accountability Policy provides:

* Central administration of Accountability-associated Report Presets and Access Policies for all Member Companies
* All *Report Presets* of a Policy automatically propagate to all Member Companies.
* Access Policies associated with an Accountability policy are made available to all Member Companies as a *Policy Group* that can be easily joined by Member Companies. Changes to that particular Access Policy (Group) automatically propagate to all Member Companies that are part of the Access Policy.
* Accountability Contacts associated to that Accountability Policy can access report information and view filter policy configuration for that Company (see Accountability Policy Roles below).
* Community Accountability-level Preference configurations to override Company-level Preference configurations (see Preferences page for more information).

# Record Relationships

The following records can be associated with an Accountability Policy Record:

Record Type | About
--- | ---
**Person** | Accountability Contact: view reports and set configurations on Member Companies
**Company** | Accountability Member Company: enable features detailed below

# Policy Roles

An Accountability Policy can be either type of Role:

Role | About
--- | ---
**Reviewer** | Accountability Contacts have *read-only* access to member Company settings
**Administrator** | Accountability Contacts have *read-write* access to member Company settings and diagnostic functions

## Role Features

#### Administrator

Designed for Accountability Policies that have members with capable IT skills who understand the DrawBridge Console and commit to remaining up-to-date with ongoing DrawBridge releases.

#### Reviewer

Designed for Accountability Policies that are primarily responsible for reviewing reports and Access Policies to confirm that settings are as expected.

##### Company Opt-in

A Company Owner assigned to an Accountability Policy with the Reviewer Role may want his Accountability Contacts to have the Administrator Role on his company. If so, he can add them as Company Staff to [grant the Administrator Role](https://books.compassfoundation.io/books/how-to-guides/page/grant-administrator-role).
# Examples

### Administrator Role

The people in the Golden Sands Christian Fellowship community want to have a uniform content filter policy across their brotherhood, as well as have specific individuals responsible to administer the policy and review all their web usage.

To answer this need, the `Golden Sands Christian Fellowship` Accountability Policy is created with the Administrator role, and several people are associated with it as Accountability Contacts (see Relationships page for more information).

This Accountability Policy has several associations:

* The people that are designated as `Accountability Contacts`.
* A `Church Preferences` Access Policy that sets the Action on a number of Categories to Allow.
* A `Summary` Report configured that displays the genres of information being accessed by each Company, to be sent to the designated Accountability Contacts.

Those Companies using DrawBridge filtering in this context add the Golden Sands Christian Fellowship policy to their Company record. This performs the following:

* Enables the specified Accountability Contacts to view the report data and filter configurations of all Member Companies in the DrawBridge Console.
* Makes the centrally-administered `Church Preferences` Access Policy available to them to apply to their Company.
* Each Company Owner then applies the `Church Preferences` Access Policy by assigning it to his *alldevices* Device Group.
* Automatically configures the `Summary` report to the member Company, with delivery to the Accountability Contacts.

### Reviewer Role

The people in the Salem Christian Fellowship community want to have a uniform content filter policy across their brotherhood. Either an outside IT provider or Compass Foundation will administrate the settings and provide technical support.

The `Salem Christian Fellowship` policy is created with the Reviewer role. They will have Read-Only access to review Reports and Access Policy settings.
Any required changes will be channeled by the Company to the IT Provider or Compass Foundation.

# Preferences

Preferences enable you to:

* configure minimum Permission Groups required to perform a specific action (see Permissions and Relationships page for more information), and,
* configure other feature thresholds and behaviors

# Preference Tenancy

Preference record tenancy association is available to both Companies and Accountability Policies. Each Preference Record has a field indicating the associated Company or Policy, thus communicating the tenancy association.

If a Preference detailed here is not present on your DrawBridge, simply create it with the **+** button in the upper right corner of the list view for that Section. Then you can assign the Records to that Preference as desired.

Preferences associated with an Accountability Policy override any conflicting preferences associated with a Member Company.

Priority | Relationship | Override lower priority configuration
--- | --- | ---
1 | Accountability Policy | Yes
2 | Company Owner | (NA)

To clarify: if there is no Accountability Policy associated with a Company, the notes about Accountability Policy override do not apply.
# Preference Record Sections

Hierarchy:

* **Section**
  * **Preference**
    * **Record**

As implemented:

* **Filter Console** *(Section)*
  * **Access Valve Permissions** *(Preference)*
    * **Widen Access Privileges** *(Record)* and so forth
  * App Store Settings
  * Safe Search Settings
* Media Room
  * Viewability
  * Channels
* Block Page Overrides
  * AutoFix Settings
  * Human Review Settings

# Preferences, in detail

## Filter Console

#### Access Valve Permissions

Record Name | Value | About
--- | --- | ---
**Widen Access Privileges** | `Company Owner` / `Accountability Contact` / `Accountability or Filter Admin` | Set minimum Permission Group required to set a Category to Allow
**Restrict Access Privileges** | `Company Owner` / `Accountability Contact` / `Accountability or Filter Admin` | Set minimum Permission Group required to set a Category to Block

#### App Store Settings

Record Name | Value | About
--- | --- | ---
**Permission Group** | `Company Owner` / `Accountability Contact` / `Accountability or Filter Admin` | Set minimum Permission Group required to "open" an App Store

#### Safe Search Settings

Record Name | Value | About
--- | --- | ---
**Name of Service** e.g. Bing, YouTube, etc. | `Yes` / `No` | Enable the platform-provided Adult content blocking

## Media Room

#### Viewability

Record Name | Value | Contents | About
--- | --- | --- | ---
**Category Actions** | `Always Block Categories` / `Always Allow Categories` | List of Categories | Configure the Media Room action for specified Categories
**Viewability Status** | `Allowed Categories Only` / `Allowed Category or Unclassified` / `Viewing Classified Media Disabled` | (N/A) | Configure the "permissiveness" of the Media Room

In detail:

* **Category Actions:** The Media Room will Allow or Block a video from playing based on the top-scoring category it scores/classifies as. The Category Actions records here allow you to set a list of Categories that will Always or Never play when a video has a top score in the category(ies) you specify.
* **Viewability Status:** Set the behavior of the Media Room:
  * `Allowed Categories Only`: Only videos which have a top score in a Category set to Allow will play. Videos with a top score in a Category set to Ignore or Block will not play.
  * `Allowed Category or Unclassified`: In addition to the videos matching Allowed Categories, above, if a classification can not be automatically made, the video will still be allowed to play. This is the most permissive setting.
  * `Viewing Classified Media Disabled`: The Media Room will not allow any videos to play, regardless of the classification.

#### Channels

Record Name | Value | About
--- | --- | ---
**Permission Group** | `Media Admin` / `Accountability Contact` / `Accountability or Filter Admin` | Set minimum Permission Group required to add a Channel for automatic classification

## Block Page Overrides

#### AutoFix Settings

Record Name | Value | Contents | About
--- | --- | --- | ---
**Category Actions** | `Always Allow Categories` / `Always Block Categories` | List of Categories | Always Allow or Block the AutoFix request for specified categories
**Level 1 Enabled** | `Yes` / `No` | (N/A) | Enable AutoFix Level 1 behavior
**Level 2 Enabled** | `Yes` / `No` | (N/A) | Enable AutoFix Level 2 behavior
**Level 3 Enabled** | `Yes` / `No` | (N/A) | Enable AutoFix Level 3 behavior
**Skip Owner Confirmation** | `Yes` / `No` | (N/A) | Specify whether Company Owner contact confirmation is required for an Autofix request. If Owner Confirmation is required, an AutoFix request will email the Company Owner contact, who will need to sign-in and approve the request before it can proceed.
#### Human Review Settings

Record Name | Value | Contents | About
--- | --- | --- | ---
**Category Actions** | `Always Allow Categories` / `Always Block Categories` | List of Categories | Always Allow or Block the AutoFix request for specified categories
**Skip Owner Confirmation** | `Yes` / `No` | (N/A) | Specify whether Company Owner contact confirmation is required for an Autofix request. If Owner Confirmation is required, a Human Review request will email the Company Owner contact, who will need to sign-in and approve the request before it can proceed.

# Preference Record View

Create a preference record by clicking the **+** button in the upper right of the list view in any of the Sections above.

Edit a Preference record by clicking the green pencil Edit button on the relevant line.

View a Preference record by clicking on the blue navigate-symbol View Preference button on the relevant line.

Each Preference record will display:

Parameter | About
--- | ---
**Company**/**Policy** | The tenancy association (Company or Accountability Policy) of the record
**Canonical ID** | The globally-unique identifier for the record
**Preference Setting** | What the record does

Records which contain Category List views have these options:

* Add a Category with the **+ Add** button above the list area
* Remove a Category with the red trashcan Delete button on the relevant Category line

# Accounts

# People

A person entity is required to sign-in and use the DrawBridge web portal. Additionally, Person records are associated with Companies, and, optionally, Accountability Policies.

View the Active People list by clicking **Accounts**, then **People** in the left menu bar. Click the Name of a Person in the list to view the Record for that person.
### Person Record View

A Person record contains the following parameters:

Parameter | About
--- | ---
**Name** | Display Name
**Email** | Email address
**Mobile** | (Optional) Mobile phone number
**Canonical ID** | The global unique identifier
**Last Active** | Timestamp of last sign-in activity; see Sessions informational tab, below

**Person Record header buttons:**

* **Add** a new Person record with the blue **+** Create Person button
* **Edit** this Person record with the green pencil Update Person button
* **Delete** this Person record with the red trashcan Delete Person button
* **Impersonate User** (take on the identity and permissions of this user in the DrawBridge; used for troubleshooting)
* **Merge Person records** with the blue picture-frame "Merge other Person records into this one" button
* Hamburger menu:
  * **Set Console Password**: set a DrawBridge Console password for this Person
  * **Create Tabula account**: see **Additional Services: Tabula** for more information
  * **Add Group Membership**: add this Remote Device User to a Console Permission Group (see Informational Tabs: Permissions, below)
  * **View Realtime Log Lines**: jump to the Realtime Log Viewer, with the data view limited to this device
  * **Today's Log Lines**: jump to the *Reports* module with the device pre-selected in data views
  * **Record Activity Stream**: view the changelog for this Device record
* **Bookmark** this record with the ribbon Bookmark button
* Sync Menu (chain-link icon)
  * **Sync Mode** (default is `2 Way - Push / Pull from Server`); click record sync information
  * **Push to Sync Publisher**: initiate a record update push from this DrawBridge to the Sync Server
  * **Pull from Sync Publisher**: initiate a record update pull to this DrawBridge from the Sync Server
  * **Mark to Resync**: flag this record in the background to be included in the next sync run

### Informational Tabs

Data associated with this Person:

* **Bookmarks:** List view of any console shortcuts
  * Add a bookmark by clicking the Ribbon button on any record in the Console
  * Delete a bookmark with the red trashcan Delete button on the relevant Bookmark line here
* **Companies:** List view of any associated Company relationships
  * Add a Company relationship with the `Add Company Staff Relationship` button
  * Edit a Company relationship with the green pencil Update button on the relevant line
  * Delete a Company relationship with the red trashcan Delete button on the relevant line
  * View Company Relationship history log with the blue Record Activity Stream button on the relevant line
* **Policies:** List view of any associated Accountability Policy relationships
  * Add an Accountability Policy relationship with the `Add Accountability Policy Relationship` button
  * Edit an Accountability Policy relationship with the green pencil Update button on the relevant line
  * Delete an Accountability Policy relationship with the red trashcan Delete button on the relevant line
  * View an Accountability Policy relationship history log with the blue Record Activity Stream button on the relevant line
* **Devices:** List view of any associated Devices
  * Add a Remote Device relationship with the `Add Remote Device` button
  * Edit a Remote Device relationship with the green pencil Update button on the relevant line
  * Delete a Remote Device relationship with the red trashcan Delete button on the relevant line
  * View a Remote Device relationship history log with the blue Record Activity Stream button on the relevant line
* **Permissions:** List view of any associated Permission Groups and Proxy User Groups
  * Add a Permission Group membership relationship with the `Add Permission` button
  * Add a Proxy User Group membership relationship with the `Add to Proxy Users Group` button
  * Edit a Group relationship with the green pencil Update button on the relevant line
  * Delete a Group relationship with the red trashcan Delete button on the relevant line
  * View a Group relationship history log with the blue Record Activity Stream button on the relevant line
* **Sessions:** List view of all active/signed-in Console sessions this User has on this DrawBridge. Fields:
  * Last Updated: timestamp of last activity
  * IP: IP Address of last activity
  * Client: the User-Agent reported by the last activity

## Unrelated People

Unrelated People are People records that have no Company or Accountability Policy relationship assigned. This list should generally be empty.

## Inactive Relationships

This is a list of `Person - Company` or `Person - Accountability Policy` Relationships that have been set to `Inactive`. This list should generally be empty.

# Companies

A Company record is essential to using the DrawBridge: all People records and Device records must be associated with a Company record (or an Accountability Policy) to enable full use of their functionality.

If your Company is the only company present on your DrawBridge, clicking on **Accounts: Companies** will jump directly to your Company record view.

If more than one Company is present on a DrawBridge, and your sign-in credentials are part of a System Owner permissions group or higher, a list view of the Company records will be displayed when `Companies` is clicked in the left menu bar. Click the Name of the company to view the Company Record. See **Essential Concepts: Record Model - Tenancy and Hierarchy** for further information about multi-tenancy.

The Company record view is your headquarters for viewing important data on your account, and also for jumping to other places in the DrawBridge to make configuration changes for your Company.

## Record View

##### Name of Company

Parameter | About
--- | ---
**Status** | This record is `Active` / `Inactive`
**Main** | `Yes`/`No`: indicates whether this Company record is designated as the Main Company for this DrawBridge.
**Log Server Account** | Optional: Account number on the Log Server; see **Reports: Log Processing** for more information
**Canonical ID** | The globally-unique identifier for this record

Link: **Log Batches** -- jumps you to the list of Log Batches configured for this Company. See **Reports: Log Processing** for more information.

Link: **Sync Settings** -- jumps you to the Appliance Companies record. See **System: Configuration: Appliance Companies** for more information.

**Company Record header buttons:**

* Add a new Company record with the blue **+** Add Company button
* Edit this Company record with the green pencil Update Company button
* Delete this Company record with the red trashcan Delete Company button
* Hamburger menu:
  * Today's Log Lines: jump to Reports: Browse by Loglines -- view web activity access logged today
  * Report History: jump to Report Archives
  * Record Activity Stream: view the changelog for this record
* Bookmark this page with the ribbon Bookmark button
* Sync Menu (chain-link icon)
  * Sync Mode (default is `2 Way - Push / Pull from Server`); click record sync information
  * Push to Sync Publisher: initiate a record update push from this DrawBridge to the Sync Server
  * Pull from Sync Publisher: initiate a record update pull to this DrawBridge from the Sync Server
  * Mark to Resync: flag this record in the background to be included in the next sync run

### Informational Tabs

##### Local Devices

List of Local Device records on this DrawBridge. See **Devices: Local Devices** for more information.

Create a new Local Device record with the `New Local Device` button.

Manipulate existing Local Device records in the list view by clicking the desired button on the relevant line:

* Edit a record with the green pencil Update Record button
* Delete a record with the red trashcan Delete button
* View the record changelog with the blue Record Activity Stream button

##### Remote Devices

List of Remote Devices records on this DrawBridge.
See **Devices: Remote Devices** for more information.

Create a new Remote Device record with the `New Local Device` button.

Manipulate existing Remote Device records in the list view by clicking the desired button on the relevant line:

* Edit a record with the green pencil Update Record button
* Delete a record with the red trashcan Delete Record button
* View the record changelog with the blue Record Activity Stream button

##### Contacts

List of Person records with a Relationship to the Company. See **Accounts: People** for more information.

Add a new Person--Company relationship with the `Add Company Staff Relationship` button.

Manipulate existing Relationship records in the list view by clicking the desired button on the relevant line:

* Edit a record with the green pencil Update Record button
* Delete a record with the red trashcan Delete Record button
* View the record changelog with the blue Record Activity Stream button

##### Reports

List of configured Reports associated with this Company. See **Reports: Scheduled Reports** for more information.

Add a Report with the `Schedule New Report` button.

Manipulate existing Scheduled Report records in the list view by clicking the desired button on the relevant line:

* Edit a record with the green pencil Update Record button
* Delete a record with the red trashcan Delete Record button
* View the record changelog with the blue Record Activity Stream button

##### Appliances

Displays the Appliance record associated with this Company. See **System: Configuration: Appliance Companies** for more information.

### Dashboard buttons

##### Access Policies -- Access Policy Dashboard

Jump to the Access Policy Dashboard for this Company, which displays all the Access Policies which apply to the devices of this Company. See **Content Filter: Web Page Access** for more information.

##### Activity Viewers -- Loglines & Reports

Jump to Report Activity Viewers. See **Reports: Activity Viewers** for more information.
##### Preferences -- Preferences Dashboard

Jump to any Preferences associated with this Company. See **Essential Concepts: Preferences** for more information.

##### Accountability Policy -- ("Policy Name" or "None")

Jump to associated Accountability Policy (if applicable). If this Company is a Member of an Accountability Policy, the name will be displayed. If the Company is not a Member of any Accountability Policy, it will display "None". See **Essential Concepts: Accountability** and **Accounts: Accountability Policies** for more information.

# Inactive Companies

Inactive Companies are Company Records which have had the Status changed from Active to Inactive.

# Accountability Policies

As noted on the **Accountability** page under the [**Essential Concepts**](https://books.compassfoundation.io/books/console-reference-docs/page/accountability) chapter:

> The DrawBridge supports an Accountability model to facilitate voluntary, centrally-administered, information sharing and content filter configuration of Member Companies by specified administrators in a community context.

An Accountability Policy consists of the Accountability Policy name and contains Member Companies. Also, an Accountability Policy contains Preferences (specific controls over member companies) and configures Report Presets (default report settings and recipients) for member companies.

## Record view

Link: **Assigned Companies** -- list view of Companies associated with this Accountability Policy

Parameter | Setting or Data | About
--- | --- | ---
**Parent** |

As of November 2023, the Network Access module has been renamed to Content Filter.
Create and manage rulesets to control the web content access of Local and Remote Devices.
## Important Notes:
#### 1. About changing default Category Allow/Block settings
The DrawBridge comes with a preset Action for each included Category. When you assign an Action (Allow/Block) to a Category, **you're simply applying a change that gets higher priority than the default setting.** This means:
1. You don't need to re-specify your Action preference for every built-in Category -- you only need to include the Categories in your Access Policy that you wish to assign a different action to than is default.
**For example:** built-in Category **Sports** is set to a default action of **Block**.
* If **Block** is the action you prefer, you *do not* need to add it to an Access Policy (eg. Company Preferences) with an action of **Block** -- the default setting is already doing this.
* If **Allow** is the action you prefer, then you *do* need to add it to an Access Policy (eg. Company Preferences) with an action of **Allow** to override the default action.
2. In the event a custom Access Policy is removed, the filter will revert to the default Action for that Category.
#### 2. Default Category settings are Business-focused
The default settings for the Built-in Categories are tightly scoped to business-usage needs. Depending on your usage expectations, you will want to set more categories to **Allow** in your *Company Preferences* Access Policy, or in a custom Access Policy.
## Categories, Category Types, and Actions
Categories contain **Patterns**:
**Pattern**: a text string representing a domain or [regular expression](https://www.regular-expressions.info).
Categories can be one of two types:
* Classifier category
* ACL (Access Control List) category
Actions that can be assigned to a category, by type:
* Classifier category:
  * Allow
  * Block
  * Ignore
* ACL category:
  * Whitelist (allow in spite of Classifier score, above)
  * Blacklist (block in spite of Classifier score, above)
  * Blanketblock (block all requests Not matching these patterns)
## Understanding Classifier categories
Classifier category patterns consist primarily of word and phrase lists (and also domains). The Redwood filter engine evaluates HTTP/S requests and responses and totals up a score for all categories with matching patterns. Then Redwood applies the action (Allow/Block) assigned to the top-scoring category.
Built-in Category patterns are managed by Compass Foundation. If you have improvements you wish to have considered for inclusion in the Built-in Categories, please send a detailed email to support@compassfoundation.io.
## Understanding ACL actions & categories
### Background
The Redwood filter engine analyzes all the components of a [URL](https://en.wikipedia.org/wiki/URL), including:
* Schema
* Top-level Domain (TLD), Domain, and Subdomains
* Path
* Query String
[![url-breakdown-diagram--url.png](https://books.compassfoundation.io/uploads/images/gallery/2022-10/scaled-1680-/url-breakdown-diagram-url.png)](https://books.compassfoundation.io/uploads/images/gallery/2022-10/url-breakdown-diagram-url.png)
Also, Redwood analyzes additional parameters of the HTTP request:
* Method
* Content Type
* User Agent
* Referrer
* and more
Illustrated:
[![url-breakdown-diagram--additional-parameters.png](https://books.compassfoundation.io/uploads/images/gallery/2022-10/scaled-1680-/url-breakdown-diagram-additional-parameters.png)](https://books.compassfoundation.io/uploads/images/gallery/2022-10/url-breakdown-diagram-additional-parameters.png)
In general, an ACL leverages one or more of these parameters to "tag" a specific action to a request, despite the Category score assigned to the request by the Classifier.
(In other words, this prevents an "arms-race" situation wherein competing actions are assigned by various Classifier categories; an ACL action will always take effect when the parameters match, no matter what the Classifier score and associated Category Action is.)
Note: for an ACL action to fire, the request must meet the minimum threshold score of 200 points. At that point, the action assigned by the ACL to the request is "authoritative", again, no matter the Classifier score.
##### Redwood ACL Actions
Action | About
--- | ---
`allow` | permit the request
`block` | deny the request
`ignore` | do not factor in the score assigned by this category
`censor_words` | strip out profanity
`disable_proxy_headers` | strip out the X-FORWARDED-FOR header
`hash_image` | generate a mathematical hash of this picture
`phrase_scan` | evaluate content for matching word phrases
`require_auth` | force HTTP 407 proxy authentication response/challenge
`sslbump` | intercept the SSL/TLS encrypted session
`sslbypass` | do Not intercept the SSL/TLS encrypted session
`virus_scan` | hand off response to external analysis engine
For example, ACLs managed behind-the-scenes of the DrawBridge instruct Redwood to fire the SSL/TLS-inspection action on all requests (or not, in the case of SSLbypass/"Bypass Filter").
### ACL Categories in the Console
Categories of the type ACL enable you to leverage the "authoritative" nature of ACLs in your filter configuration.
In general, it is recommended to configure the desired content filter behavior by assigning Allow or Block to the built-in Classifier categories -- leveraging the "intelligence" built into these categories is a much less maintenance-intensive route to content control.
However, perhaps you want to Always assign a specific action (eg. Block) to a specific website. ACL categories are your friend in such a case: by adding a domain to an ACL category with a Block action assigned, the website will always block, even if the action assigned to the Classifier category is Allow.
The preset Always Allow and Always Block options in the Access Policy Dashboard are putting the domains in an ACL category that has the corresponding action assigned to it. These apply Company-wide.
Note: the default score assigned to all ACL category patterns is "1500". Adjusting this number will have **no impact** on the outcome of the action taken for that pattern, so long as the number is over the minimum score threshold of 200 -- the key detail here is that the pattern is part of an ACL category, so the action assigned to the ACL category is what will happen.
### Advanced ACLs in the Console
Advanced ACLs simply expose many more "knobs" to apply a specific action with more granularity. Perhaps, for example, you want to only sslbypass a specific website for a specific Device Group. Advanced ACLs give you the toolset to configure that.
## Filter Actions FAQ
* **Q:** What happens if I put a domain in both Always Allow and Always Block? Or what if I put a domain in two different ACL categories with competing actions assigned?
* **A:** Don't do that. :) In such a case, the outcome will be arbitrary. Decide what action you really want to have happen and adjust the policy accordingly.
--------------
# What is an Access Policy?
An Access policy is the grouping of Devices, Actions, Times, (and, optionally, Applications) to create a customized DrawBridge content filter configuration.
This diagram illustrates:
[![accesspolicy.drawio.png](https://books.compassfoundation.io/uploads/images/gallery/2022-09/scaled-1680-/accesspolicy-drawio.png)](https://books.compassfoundation.io/uploads/images/gallery/2022-09/accesspolicy-drawio.png)
The DrawBridge supports the "stacking" or "layering" of Access Policies, enabling you to tailor the content filter experience for your users.
## Access Policies by Type/Scope
Tenancy Type | Ruleset Scope
--- | ---
Company Access Policy | one Company
Access Policy Group | one Accountability Policy; available to apply to member Companies
Universal Access Policy Group | globally available to all DrawBridges
System Access Policy | a specific DrawBridge; applies to all tenant Companies on that system
# What is a Rating?
The DrawBridge classifies text into categories. But what is the tone of these categories? And what values do they represent? A Rating system should help answer that question, as well as offer visual clues for the report reader.
But what kind of rating system? Unlike other filter projects, the DrawBridge does not rate content by who it's appropriate for - as in Everyone / Teens / Adults - but somewhat more like *where* it is appropriate. The rating names are drawn from the concept of particulate filtering - how fine or coarse is the filter mesh that would permit the content to traverse it.
A key assumption here is that the Internet is most frequently being used in a workplace environment, facilitating the everyday tasks of research, transactions, and commerce. Usage reports are colorized according to the Category Ratings of the content that was accessed.
### Misc Rating
The Misc Rating is used when no category of interest could be found. Perhaps the request incident was not text-based, or perhaps a category needs to be extended or created for this type of situation.
### Base Rating
The Base Rating is the most general grade, including categories like Search Engines or Technology Services. Any more specific category and rating would be preferred. For example, it's great to know that a body of text is about Search Engines, but it's better to know what is being searched for.
### Silt Rating
The Silt Rating is expected usage in the workplace environment. While not every workplace will commonly access every category in the Silt Rating, any given user in the business environment will periodically need most categories found here.
It is recommended that all categories in the Silt Rating be "allowed" in the workplace, although policies can be created to limit access to given devices.
### Sand Rating
The Sand Rating will still be frequently used in the workplace environment, although the industry type will very much determine how much the categories in the Sand Rating are accessed.
Categories in the Sand Rating can be "allowed" or "blocked" per the business owner's preferences or the preferences established by the Accountability Policy.
### Pebble Rating
The Pebble Rating contains categories that generally fall outside the workplace, while remaining universally pertinent to other areas of life, such as Medical, News, Clothing, etc.
Categories in the Pebble Rating can be "allowed" or "blocked" per the business owner's preferences or the preferences established by the Accountability Policy.
### Stone Rating
The Stone Rating contains categories that are increasingly beyond the scope of any type of workplace, reaching more into popular culture and society at large.
Categories in the Stone Rating will typically be blocked by most business owners and school administrators.
### Rock Rating
The Rock Rating contains categories that tend to represent the rougher edges of popular culture and general society.
Categories in the Rock Rating will typically be blocked by all business owners and school administrators.
### Boulder Rating
The Boulder Rating contains categories that represent the "redlight" district of the Internet. These categories cannot be enabled in the Redwood Console even by administrators.
Categories in the Boulder Rating are always blocked, and cannot be allowed in the DrawBridge.
# Actions for Classifier categories
Action | When this category is the top-scoring one on a web request:
--- | ---
`allow` | web request content loads as expected
`block` | web request is served a block page instead of the original destination webpage
`ignore` | web request action referred to next-to-top scoring category
##### When to use the `ignore` Action
In most situations, the category action should be `allow` or `block`, but in some situations the next-to-top scoring category is more meaningful. For example, an automotive shop may perform work that overlaps with the Racing category. If Racing is set to `block`, the shop's activities will be hampered. If Racing is set to `allow`, then access may be wider than desired.
Solution - set Racing to `ignore`. If next-to-top-scoring category is Automotive, the page will be allowed, and if it's Sports, the page will be blocked as Sports.
##### Filter processing flowchart: Category Filtering
[![Defaultfilter.drawio.png](https://books.compassfoundation.io/uploads/images/gallery/2022-09/scaled-1680-/defaultfilter-drawio.png)](https://books.compassfoundation.io/uploads/images/gallery/2022-09/defaultfilter-drawio.png)
# Actions for ACL categories
Action | About
--- | ---
`whitelist` | A Category consisting of domains (and/or regular expression patterns) that the DrawBridge will Always Allow, in spite of the content scores. ***Use with caution!***
`blacklist` | A Category consisting of domains (and/or regular expression patterns) that the DrawBridge will Always Block, in spite of the content scores.
`blanketblock` | A Category consisting of domains (and/or regular expression patterns) to which the DrawBridge will apply *regular category-based filtering* **and** block access to all other sites **not specified** in the blanketblock category (or a linked category)
See below for more information:
### Whitelist
A Category consisting of domains (and/or regular expression patterns) that the DrawBridge will Always Allow, in spite of the content scores. ***Use with caution!***
##### Filter processing flowchart:
[![Whitelistfilter.drawio.png](https://books.compassfoundation.io/uploads/images/gallery/2022-09/scaled-1680-/whitelistfilter-drawio.png)](https://books.compassfoundation.io/uploads/images/gallery/2022-09/whitelistfilter-drawio.png)
### Blacklist
A Category consisting of domains (and/or regular expression patterns) that the DrawBridge will Always Block, in spite of the content scores.
##### Filter processing flowchart:
[![Blacklistlistfilter.png](https://books.compassfoundation.io/uploads/images/gallery/2022-09/scaled-1680-/blacklistlistfilter.png)](https://books.compassfoundation.io/uploads/images/gallery/2022-09/blacklistlistfilter.png)
### Blanketblock
A Category consisting of domains (and/or regular expression patterns) to which the DrawBridge will apply *regular category-based filtering* **and** block access to all other sites **not specified** in the blanketblock category (or a linked category)
##### Filter processing flowchart:
[![Blanketblock2.drawio.png](https://books.compassfoundation.io/uploads/images/gallery/2022-09/scaled-1680-/blanketblock2-drawio.png)](https://books.compassfoundation.io/uploads/images/gallery/2022-09/blanketblock2-drawio.png)
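The decision order described in the Classifier and ACL action sections above, as a simplified Python model. This is an added example, not DrawBridge or Redwood code: the domains, the Racing and Automotive defaults, parent-domain matching, checking whitelist/blacklist before blanketblock, the `"conflict"` result, and the fallback when nothing scores are all assumptions of the sketch.

```python
from dataclasses import dataclass, field

MIN_ACL_SCORE = 200       # from the page: minimum score for an ACL action to fire
DEFAULT_ACL_SCORE = 1500  # from the page: default score of an ACL category pattern


@dataclass
class Policy:
    defaults: dict                                    # built-in Category -> action
    overrides: dict = field(default_factory=dict)     # Access Policy: Category -> action
    whitelist: dict = field(default_factory=dict)     # domain -> pattern score
    blacklist: dict = field(default_factory=dict)     # domain -> pattern score
    blanketblock: dict = field(default_factory=dict)  # domain -> pattern score

    def action_for(self, category):
        # An Access Policy entry outranks the built-in default; deleting the
        # entry makes the Category fall back to its default Action.
        if category in self.overrides:
            return self.overrides[category]
        return self.defaults[category]


def acl_matches(host, acl):
    """True if host or one of its parent domains is listed with a score at or
    above the threshold. Parent-domain matching is an assumption of this model."""
    labels = host.lower().rstrip(".").split(".")
    return any(acl.get(".".join(labels[i:]), 0) >= MIN_ACL_SCORE
               for i in range(len(labels)))


def classify(scores, policy, no_match_action="allow"):
    """Apply the Action of the top-scoring Category, skipping `ignore`.

    Skipping more than one ignored Category generalizes the page's
    "next-to-top" rule; no_match_action is an assumed fallback."""
    ranked = sorted(scores.items(), key=lambda kv: kv[1], reverse=True)
    for category, _score in ranked:
        action = policy.action_for(category)
        if action != "ignore":
            return action, category
    return no_match_action, None


def decide(host, scores, policy):
    """Return (action, reason) for one request."""
    white = acl_matches(host, policy.whitelist)
    black = acl_matches(host, policy.blacklist)
    if white and black:
        # The FAQ calls this outcome arbitrary, so the model refuses to pick one.
        return "conflict", "whitelist+blacklist"
    if white:
        return "allow", "whitelist"
    if black:
        return "block", "blacklist"
    blanket_active = any(s >= MIN_ACL_SCORE for s in policy.blanketblock.values())
    if blanket_active and not acl_matches(host, policy.blanketblock):
        return "block", "blanketblock"
    # Sites listed in blanketblock still get regular category-based filtering.
    return classify(scores, policy)


def acl_conflicts(policy):
    """Policy lint: domains covered by both an Always Allow and an Always Block entry."""
    hits = {d for d, s in policy.whitelist.items()
            if s >= MIN_ACL_SCORE and acl_matches(d, policy.blacklist)}
    hits |= {d for d, s in policy.blacklist.items()
             if s >= MIN_ACL_SCORE and acl_matches(d, policy.whitelist)}
    return sorted(hits)


# Constructed sample policy: the automotive-shop case from the `ignore` section.
# Sports=block is the default the page states; the other defaults are assumed.
POLICY = Policy(
    defaults={"Sports": "block", "Racing": "block", "Automotive": "allow"},
    overrides={"Racing": "ignore"},
    whitelist={"parts.example.com": DEFAULT_ACL_SCORE},
    blacklist={"video.example.org": DEFAULT_ACL_SCORE, "low.example.net": 100},
)

if __name__ == "__main__":
    samples = [  # constructed requests: (host, classifier scores)
        ("shop.test", {"Racing": 900, "Automotive": 700}),
        ("shop.test", {"Racing": 900, "Sports": 700}),
        ("parts.example.com", {"Sports": 2000}),
        ("cdn.video.example.org", {"Automotive": 2000}),
        ("low.example.net", {"Automotive": 500}),
    ]
    for host, scores in samples:
        print(host, scores, "->", decide(host, scores, POLICY))
    print("ACL conflicts:", acl_conflicts(POLICY))
```

Running `acl_conflicts` over a policy before saving it catches the Always Allow / Always Block overlap that the FAQ warns about.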
# Web Page Access
Access Policies are grouped by Tenancy type:
* **Company**
* **Policy Group**
* **Universal**
* **Appliance/System**
See **Essential Concepts: Record Model - Tenancy and Hierarchy** for more information.
Click the type of Access Policy for a list view of that type.
In the list view, view a specific Access Policy by clicking on the Name of the policy. This will display the Record view for its type, detailed below.
## Company Access Policy record
Attribute | About
--- | ---
**Company** | the associated Company
**Policy** | the associated Accountability Policy (If there is none, this field will not appear)
**Status** | this record is Active or Inactive
**Canonical ID** | the global unique identifier for this Access Policy; used for synchronization
**Company Policy Dashboard [link]** | jump to the Access Policy Dashboard of the associated Company (above)
**Type** | the tenancy type of the Access Policy
**Hits Today**| a counter of how many times web traffic has triggered this policy today on this DrawBridge
**Device Group** | the associated Device Group: who the Access Policy is applied to
**Action Group** | the associated Action Group: what the Access Policy is enforcing
**Time Group** | the associated Time Group: when the Access Policy is effective. ***Optional***: if no Time Group is configured, the Access Policy applies all the time.
**Application Group** | the associated Application Group: which application traffic the Access Policy acts upon. ***Optional***: if no Application Group is configured, the Access Policy will apply to the traffic from all applications.
**Record menu header buttons:**
Action items in the upper right corner of the Access Policy record page:
* **Create Access Policy** with the **+** button
* **Update Company Access Policy** with the pencil Edit button -- make changes to this access policy.
* **Delete Company Access Policy** with the trashcan Delete button -- delete this access policy
* **"Hamburger Menu"**
* **Record Activity Stream:** view the changelog for this Access Policy record
* **Bookmark** the page with the ribbon Bookmark icon
* **Trigger Sync actions** with items in the chain-link sync icon menu
#### Informational Tabs
* **Devices:** List view of the member devices in the associated Device Group
* **Categories:** List view of the Categories contained in the associated Action Group.
  * Add an additional Category to the Action Group with the `Add Category Action Pair` button, or add multiple Categories at once with the `Bulk Assign Categories` button.
  * Edit the Action (Allow/Ignore/Block) of a listed Category by clicking the pencil `Update Record` button on the specific Category line desired.
  * Remove a Category from the Action Group with the trashcan `Delete` button.
    **Note:** removing a Category from an Action Group will return the Action setting for that particular Category to the Action assigned to it in the default DrawBridge configuration (unless another Action Group includes that Category).
  * The `Record Activity Stream` button on each line provides an audit history log of changes to the association of this Category to the Action Group, as well as the assigned Action
* **Times:** List view of the Time Range(s) from the associated Time Group when this Policy is effective. ***Note:*** this tab only displays if a Time Group is assigned to the Policy.
  * Add a Time Range with the `Add Time Range` button.
  * Edit a Time Range with the pencil `Update Record` button on the time range line in focus
  * Delete a Time Range with the trashcan `Delete Record` button on the time range line in focus
  * The `Record Activity Stream` button on each line provides an audit history log of changes to the association of this Time Range to the Time Group, as well as the specified Times.
* **ACL Actions:** Special access control list actions that are assigned to this access policy.
  * Add an ACL action with the `Add ACL Action` button
  * Edit an ACL Action with the pencil `Update Record` button on the ACL Action line in focus
  * Delete an ACL action with the trashcan `Delete Record` button on the ACL Action line in focus
* **Permissions:** The permission level required to edit the patterns or the category association actions and the ability to enter the policy or exit the policy.
  * See the Permissions and Relationships in Essential Concepts for more information.
## Access Policy Group record
Attribute | About
--- | ---
**Policy** | the associated Accountability Policy (If there is none, this field will not appear)
**Status** | this record is Active or Inactive
**Canonical ID** | the global unique identifier for this Access Policy; used for synchronization
**Type** | the tenancy type of the Access Policy
**Hits Today** | a counter of how many times web traffic has triggered this policy on this DrawBridge
**Device Group** | the associated Device Group: who the Access Policy is applied to
**Action Group** | the associated Action Group: what the Access Policy is enforcing
**Time Group** | the associated Time Group: when the Access Policy is effective. ***Optional***: if no Time Group is configured, the Access Policy applies all the time.
**Application Group** | the associated Application Group: which application traffic the Access Policy acts upon. ***Optional***: if no Application Group is configured, the Access Policy will apply to the traffic from all applications.
**Record menu header buttons:**
* **Create Access Policy** with the **+** button
* **Update Access Policy Group** with the pencil Edit button -- make changes to this access policy.
* **Delete Access Policy Group** with the trashcan Delete button -- delete this access policy
* **"Hamburger Menu"**
* **Add Device Group:** assign an additional Device Group to this Access policy Group
* **Record Activity Stream:** view the changelog for this Access Policy record
* **Bookmark** the page with the ribbon Bookmark icon
* **Trigger Sync actions** with items in the chain-link sync icon menu
#### Informational Tabs
* **Device Groups:** List view of the member device groups in the associated Device Group collection.
* **Categories:** List view of the Categories contained in the associated Action Group.
  * Add an additional Category to the Action Group with the `Add Category Action Pair` button, or add multiple Categories at once with the `Bulk Assign Categories` button.
  * Edit the Action (Allow/Ignore/Block) of a listed Category by clicking the pencil `Update Record` button on the specific Category line desired.
  * Remove a Category from the Action Group with the trashcan `Delete` button.
    **Note:** removing a Category from an Action Group will return the Action setting for that particular Category to the Action assigned to it in the default DrawBridge configuration (unless another Action Group includes that Category).
  * The `Record Activity Stream` button on each line provides an audit history log of changes to the association of this Category to the Action Group, as well as the assigned Action
* **Times:** List view of the Time Range(s) from the associated Time Group when this Policy is effective. ***Note:*** this tab only displays if a Time Group is assigned to the Policy.
  * Add a Time Range with the `Add Time Range` button.
  * Edit a Time Range with the pencil `Update Record` button on the time range line in focus
  * Delete a Time Range with the trashcan `Delete Record` button on the time range line in focus
  * The `Record Activity Stream` button on each line provides an audit history log of changes to the association of this Time Range to the Time Group, as well as the specified Times.
* **ACL Actions:** Special access control list actions that are assigned to this access policy.
  * Add an ACL action with the `Add ACL Action` button
  * Edit an ACL Action with the pencil `Update Record` button on the ACL Action line in focus
  * Delete an ACL action with the trashcan `Delete Record` button on the ACL Action line in focus
* **Permissions:** The permission level required to edit the patterns or the category association actions and the ability to enter the policy or exit the policy.
  * See the Permissions and Relationships in Essential Concepts for more information.
## Universal Access Policy Group record
Attribute | About
--- | ---
**Status** | this record is Active or Inactive
**Tenancy** | displays tenancy; this record is Universal
**Canonical ID** | the global unique identifier for this Access Policy; used for synchronization
**Type** | the tenancy type of the Access Policy
**Hits Today** | a counter of how many times web traffic has triggered this policy on this DrawBridge
**Device Group** | the associated Device Group: who the Access Policy is applied to
**Action Group** | the associated Action Group: what the Access Policy is enforcing
**Time Group** | the associated Time Group: when the Access Policy is effective. ***Optional***: if no Time Group is configured, the Access Policy applies all the time.
**Application Group** | the associated Application Group: which application traffic the Access Policy acts upon. ***Optional***: if no Application Group is configured, the Access Policy will apply to the traffic from all applications.
**Record menu header buttons:**
* **Create Access Policy** with the **+** button
* **Update Universal Access Policy** with the pencil Edit button -- make changes to this access policy.
* **Delete Universal Access Policy** with the trashcan Delete button -- delete this access policy
* **"Hamburger Menu"**
* **Add Device Group:** assign an additional Device Group to this Access policy Group
* **Record Activity Stream:** view the changelog for this Access Policy record
* **Bookmark** the page with the ribbon Bookmark icon
* **Trigger Sync actions** with items in the chain-link sync icon menu
#### Informational Tabs
* **Device Groups:** List view of the member device groups in the associated Device Group collection.
* **Categories:** List view of the Categories contained in the associated Action Group.
  * Add an additional Category to the Action Group with the `Add Category Action Pair` button, or add multiple Categories at once with the `Bulk Assign Categories` button.
  * Edit the Action (Allow/Ignore/Block) of a listed Category by clicking the pencil `Update Record` button on the specific Category line desired.
  * Remove a Category from the Action Group with the trashcan `Delete` button.
    **Note:** removing a Category from an Action Group will return the Action setting for that particular Category to the Action assigned to it in the default DrawBridge configuration (unless another Action Group includes that Category).
  * The `Record Activity Stream` button on each line provides an audit history log of changes to the association of this Category to the Action Group, as well as the assigned Action
* **Apps:** List view of the apps in the associated Application Group. ***Note:*** this tab only displays if an Application Group is assigned to the Policy.
  * Add an Application with the `Add Application` button.
  * Edit an Application with the pencil `Update Record` button on the application line in focus
  * Delete an Application with the trashcan `Delete Record` button on the application line in focus
  * The `Record Activity Stream` button on each line provides an audit history log of changes to the association of this Application to the Application Group, as well as the specified Applications.
* **Times:** List view of the Time Range(s) from the associated Time Group when this Policy is effective. ***Note:*** this tab only displays if a Time Group is assigned to the Policy.
  * Add a Time Range with the `Add Time Range` button.
  * Edit a Time Range with the pencil `Update Record` button on the time range line in focus
  * Delete a Time Range with the trashcan `Delete Record` button on the time range line in focus
  * The `Record Activity Stream` button on each line provides an audit history log of changes to the association of this Time Range to the Time Group, as well as the specified Times.
* **ACL Actions:** Special access control list actions that are assigned to this access policy.
  * Add an ACL action with the `Add ACL Action` button
  * Edit an ACL Action with the pencil `Update Record` button on the ACL Action line in focus
  * Delete an ACL action with the trashcan `Delete Record` button on the ACL Action line in focus
* **Permissions:** The permission level required to edit the patterns or the category association actions and the ability to enter the policy or exit the policy.
  * See the Permissions and Relationships in Essential Concepts for more information.
## System Access Policy record
Attribute | About
--- | ---
**Company** | the associated Company; this will be the Main Company on the DrawBridge
**Status** | this record is Active or Inactive
**Tenancy** | displays tenancy; this record is Universal
**Canonical ID** | the global unique identifier for this Access Policy; used for synchronization
**Type** | the tenancy type of the Access Policy
**Hits Today** | a counter of how many times web traffic has triggered this policy on this DrawBridge
**Device Group** | the associated Device Group: who the Access Policy is applied to
**Action Group** | the associated Action Group: what the Access Policy is enforcing
**Time Group** | the associated Time Group: when the Access Policy is effective. ***Optional***: if no Time Group is configured, the Access Policy applies all the time.
**Application Group** | the associated Application Group: which application traffic the Access Policy acts upon. ***Optional***: if no Application Group is configured, the Access Policy will apply to the traffic from all applications.
**Record menu header buttons:**
* **Create Access Policy** with the **+** button
* **Update System Access Policy** with the pencil Edit button -- make changes to this access policy.
* **Delete System Access Policy** with the trashcan Delete button -- delete this access policy
* **"Hamburger Menu"**
* **Add Device Group:** assign an additional Device Group to this Access policy Group
* **Record Activity Stream:** view the changelog for this Access Policy record
* **Bookmark** the page with the ribbon Bookmark icon
* **Trigger Sync actions** with items in the chain-link sync icon menu
#### Informational Tabs
* **Device Groups:** List view of the member device groups in the associated Device Group collection.
* **Categories:** List view of the Categories contained in the associated Action Group.
  * Add an additional Category to the Action Group with the `Add Category Action Pair` button, or add multiple Categories at once with the `Bulk Assign Categories` button.
  * Edit the Action (Allow/Ignore/Block) of a listed Category by clicking the pencil `Update Record` button on the specific Category line desired.
  * Remove a Category from the Action Group with the trashcan `Delete` button.
    **Note:** removing a Category from an Action Group will return the Action setting for that particular Category to the Action assigned to it in the default DrawBridge configuration (unless another Action Group includes that Category).
  * The `Record Activity Stream` button on each line provides an audit history log of changes to the association of this Category to the Action Group, as well as the assigned Action
* **Apps:** List view of the apps in the associated Application Group. ***Note:*** this tab only displays if an Application Group is assigned to the Policy.
  * Add an Application with the `Add Application` button.
  * Edit an Application with the pencil `Update Record` button on the application line in focus
  * Delete an Application with the trashcan `Delete Record` button on the application line in focus
  * The `Record Activity Stream` button on each line provides an audit history log of changes to the association of this Application to the Application Group, as well as the specified Applications.
* **Times:** List view of the Time Range(s) from the associated Time Group when this Policy is effective. ***Note:*** this tab only displays if a Time Group is assigned to the Policy.
  * Add a Time Range with the `Add Time Range` button.
  * Edit a Time Range with the pencil `Update Record` button on the time range line in focus
  * Delete a Time Range with the trashcan `Delete Record` button on the time range line in focus
  * The `Record Activity Stream` button on each line provides an audit history log of changes to the association of this Time Range to the Time Group, as well as the specified Times.
* **ACL Actions:** Special access control list actions that are assigned to this access policy.
  * Add an ACL action with the `Add ACL Action` button
  * Edit an ACL Action with the pencil `Update Record` button on the ACL Action line in focus
  * Delete an ACL action with the trashcan `Delete Record` button on the ACL Action line in focus
* **Permissions:** The permission level required to edit the patterns or the category association actions and the ability to enter the policy or exit the policy.
  * See the Permissions and Relationships in Essential Concepts for more information.
# App Stores
# Allow access to platform App stores
Access to operating system app stores is blocked by default because they cannot be internally content-filtered.
Quick-access wizards to add Device Groups to preconfigured App Store Access Policy Groups, by platform:
* **Apple** (iPhoneOS/iPadOS/MacOS)
* **Google Play** (Vision phones, Android up to and including version 6, ChromeOS, Chrome Browser Extensions)
* **Windows** (Windows 8 and higher)
Click the platform you wish to open. A wizard will open, prompting you for the following information:
Parameter | About
--- | ---
**Device Group** | select an existing Device Group for which you wish to open the Store
**Required** | select whether this configuration requires Accountability permissions to change
**Time length** | select the timeframe you wish this to apply
## Note about Android 7 and newer/ChromeOS Play Store access
Android 7 and newer devices, as well as ChromeOS devices, may require bypassed access to all of `google.com` for the Play Store to work properly. Obviously, this suspends content filtering for all of Google.
For this reason, there is a separate Access Policy Group to use: `Android 7 and up AppStore` -- Add the device group (for example `alldevices`) to this Policy to enable the Play Store for these devices.
# Close access to the Store
If you wish to **Close** the store access opened here, visit your Company Access Policy Dashboard and click the Actions menu on the relevant Access Policy line. Then click Details and `Delete`. Select `Delete Everywhere` to ensure it is turned off across your entire account (particularly if your account spans multiple DrawBridge systems).
# Important Notes
* As noted above, the Google Play Store needs to be opened to access the **Chrome Extensions** store on the **Chrome Desktop browser** (on all platforms).
* Because of backend services overlap, **YouTube may begin working if the Google Play Store is enabled**, even if the YouTube category is set to Block.
# Media Room
The Media Room enables the classification of videos hosted on public video hosting websites, such as YouTube.
For the Media Room to work, the YouTube and Vimeo category must be left at its default blocked setting on the access policy dashboard.
* Manually setting the YouTube category to block will block the Media Room, and setting the YouTube category to allow will bypass the Media Room.
# Videos
The Videos module displays a list view of all the videos the DrawBridge has classified. Click the title of a video in the list to view the video classification record.
### Video record view
A video classification record has the following parameters:
Parameter | About
--- | ---
**Title** | The title of the video
**ID** | The unique hash identifier provided by the video platform (if available)
**Duration** | The length of the video
**Service** | The platform that is hosting the video
**Size** | The resolution of the video, expressed in a pixel ratio
**Channel** | The DrawBridge-classified Channel associated with the video, if any (see Channels, below)
**Category** | The top-scoring Category for this video, determined by the DrawBridge content classifier
**Rating** | The DrawBridge Classifier rating of the video, based on the top-scoring Category

**Record header buttons:**
* **Create** a new video classification record with the blue **+** Create Video button
* **Edit** this video classification record with the green pencil Update Video button
* **Delete** this video classification record with the red trashcan Delete Video button
* Hamburger menu:
  * **Get Category review**: jumps to a support ticket form to request classification by a human
  * **Video Views by User**: jump to **Reports: Media Views** module
  * **References to this video**: jump to **Content Filter: Media Room: Pages Linking to Media**
* **Bookmark** this record with the ribbon bookmark button
* Sync Menu (chain-link icon)
  * **Mark to Resync**: flag this record in the background to be included in the next sync run
##### Video Permissions
Jump to the Permissions record that applies to this video (see Permissions section, below). Displays list views of people records with membership in the Media Admin and Media Viewer permission groups.
#### Informational tabs
##### Details
The Details panel contains:
* If the origin platform is supported: a thumbnail of the video will be displayed with a `Play` button below it (if the video passed the classifier configuration to be allowed to play)
* The Description of the video, fetched from the platform hosting this video
* The Genre(s) of the video, determined by the DrawBridge classifier
* The Tags associated with the video, fetched from the platform hosting this video
##### Classification
A list view of any Category Classifications for this video
### Classify a new video
1. Click the **+** button (Tooltip: `Create Classified Media`) in the upper right corner of the list view (or use the same **+** button on a video record page)
2. Enter the direct URL of the video you wish to classify. Note that it must be a direct link, not a URL-shortened link. For YouTube, the link should start with `https://www.youtube.com/watch?v=` followed by the unique hash of the video in question.
# Channels
Displays a list view of media channels that should be automatically polled and classified.
Click the title of a channel to view the Channel record page.
### Channel Record view
A channel record has the following parameters:
Parameter | About
--- | ---
**Source** | URL of the channel
**Title** | Title of the channel
**Last Updated** | Timestamp of the last check of the channel for new videos
**Category** | Classifier category assigned to the channel by a Media Room administrator
**Rating** | Classifier rating, based on the assigned Category, above

**Record header buttons:**
* **Add** a new channel to be classified with the blue **+** Create Channel button
* **Edit** this channel record with the green pencil Update Channel button
* **Delete** this channel record with the red trashcan Delete Channel button
* Hamburger menu:
  * **Get Category review**: jumps to a support ticket form to request classification by a human
  * **Channel Videos**: jump to list view of the videos contained in this channel
  * **Channel Permissions**: jump to a list view of the Permission Groups (with associated Company info) that may view/modify this Channel (see Permissions section, below)
* **Bookmark** this record with the ribbon bookmark button
* Sync Menu (chain-link icon)
  * **Sync Mode** (default is `2 Way - Push / Pull from Server`); click record sync information
  * **Push to Sync Publisher**: initiate a record update push from this DrawBridge to the Sync Server
  * **Pull from Sync Publisher**: initiate a record update pull to this DrawBridge from the Sync Server
  * **Mark to Resync**: flag this record in the background to be included in the next sync run
#### `