nmalonzo
Level 7

Policy for multiple AD group user

Hi All,

We are currently implementing MWG 7.3 and we are encountering a problem.

We have users that are members of multiple groups (e.g. GROUP A, B, C).

We have a policy wherein, if you are a member of a certain group, you have specific rules for whitelisted URLs and blocked categories (same setup per policy with a specific group).

Example:

User A is a member of GROUP A, B and C.

Policy 1 - authentication.usergroup = "Group A" -> Allow all

Policy 2 - authentication.usergroup = "Group B" -> Block Social Networking sites

Policy 3 - authentication.usergroup = "Group C" -> Block all

Note: policies are top to bottom within a parent ruleset, criteria set = "Always"

What's happening is that, instead of User A authenticating to Policy 1 (which it should, since Policy 1 is at the top), User A goes straight to Policy 2.

Should I add another rule to stop the cycle?

I'm quite confused; please help me understand.

Thanks in advance

Nelson

0 Kudos
3 Replies
McAfee Employee

Re: Policy for multiple AD group user

Hi Nelson,

There are various ways to accomplish this; see the links below:

https://community.mcafee.com/docs/DOC-3649

https://community.mcafee.com/docs/DOC-2210

Best,

Jon

0 Kudos
nmalonzo
Level 7

Re: Policy for multiple AD group user

Hi Jon,

Thanks a lot, it really helped.

Another question...

Is there a way to make the structure of the policy like a "shopping cart" concept?

The setup is: users are members of a certain group initially; to access a certain website, users will have to request internet connection access, and once approved they will be added to another group to give access to the sites.

How can I parallel this to MWG policy? Is it possible to authenticate twice to be able to access the websites that are only available in another group policy which you are a member of as well?

Hope I did not confuse you...

Happy new year!

Thanks,

Nelson

0 Kudos
McAfee Employee

Re: Policy for multiple AD group user

Hi Nelson,

Please let me know if I misinterpreted your request.

The first sentence sounds like one thing:

"The setup is: users are members of a certain group initially; to access a certain website, users will have to request internet connection access, and once approved they will be added to another group to give access to the sites."

If the user is added to the other group, then they would be granted access to whatever sites that new group is able to access. There should be no action required on the part of the user except to request to be added to a new group.

The second sentence:

"How can I parallel this to MWG policy? Is it possible to authenticate twice to be able to access the websites that are only available in another group policy which you are a member of as well?"

Sounds like you would like the user to "re-authenticate" as another user. Is this correct? Do you have users in your domain with multiple accounts? This sounds different from your first sentence.

Best,

Jon

0 Kudos