All proxy and firewall rules are stored in profiles. A profile is simply a set of rules. Profiles can be assigned to users, groups of users or roles of users. When a user, group of users or user role is created, a personal profile is assigned to it. Personal rules are added to these profiles.
When a new user is created, a role is associated with the user and the profile of that role applies to the user. In addition to the personal profile, any number of separately created profiles can be assigned to a user or group of users. So, a user can have: 1) a personal profile; 2) the profile of the assigned role; 3) separately added profiles. A group of users can have: 1) a personal profile; 2) separately added profiles.
The priority of profiles when analyzing traffic for users is as follows:
In each profile the rules are checked in the following order:
If a permitting or blocking rule matches, checking of all remaining rules in the current and subsequent profiles ends at that point, except for the content filter rules and DLP rules of the current profile. If a skipping rule matches, ALL subsequent rules in the current profile are skipped and rule checking proceeds to the next profile.
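The termination and skip behaviour described above can be modelled as follows. This is an added example, not the product's code: the dictionary fields, the glob-style host matching, the profile names and the sample rules are all assumptions, and the caller supplies profiles and rules already sorted into checking order. It models only what happens once a permitting, blocking or skipping rule matches.

```python
from fnmatch import fnmatchcase

def evaluate(profiles, host):
    """Return (verdict, deciding_profile, content_filter_and_dlp_rules_still_checked).

    profiles: list of dicts, highest priority first (order is the caller's input).
    Each profile has "rules" (allow/block/skip, in checking order) and
    "inspect" (names of its content filter and DLP rules). Hypothetical layout.
    """
    for profile in profiles:
        for rule in profile["rules"]:
            if not fnmatchcase(host, rule["match"]):
                continue
            if rule["action"] == "skip":
                # A skipping rule drops ALL later rules of this profile only;
                # checking resumes with the next profile.
                break
            # allow/block: no further rules in this or later profiles are
            # checked, except this profile's content filter and DLP rules.
            return rule["action"], profile["name"], list(profile["inspect"])
    # No permitting or blocking rule matched anywhere; the default verdict
    # is not specified here, so none is invented.
    return None, None, []

# Constructed sample data (not taken from a real deployment).
PERSONAL = {
    "name": "personal",
    "rules": [
        {"match": "*.partner.example", "action": "skip"},
        {"match": "*.example", "action": "block"},
    ],
    "inspect": ["dlp-card-numbers"],
}
ROLE = {
    "name": "role",
    "rules": [
        {"match": "files.partner.example", "action": "allow"},
        {"match": "*", "action": "block"},
    ],
    "inspect": ["content-filter-malware"],
}

if __name__ == "__main__":
    for h in ("files.partner.example", "cdn.partner.example", "www.example"):
        print(h, evaluate([PERSONAL, ROLE], h))
```

In the sample data the skipping rule in the first profile means the broader block rule below it never sees `*.partner.example` hosts, so the verdict for them comes entirely from the next profile. When reviewing a rule set, a skipping rule placed above blocking rules deserves the same scrutiny as a permitting rule.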