imtrying
Level 10

Using AD groups to create rule based access

I would like to allow users to authenticate using the AD group Web users (which I have done) and then create rules on what they can access using additional groups, i.e. sales.

I have done this now, but I have to make Sales the authenticate group. I would like for them to authenticate with one group and then use other groups to create rule sets on... Is this possible? How?

I have considered removing the authorized users rule and allowing everyone that authenticates against the domain to pass into the filter. But the concern that I have with this is... if I do not have a rule to catch them and filter the access, they will fall out the bottom with open access.

Any information\assistance is appreciated.

Thanks

Message was edited by: imtrying on 11/18/11 3:29:13 PM CST

Accepted Solutions
McAfee Employee

Re: Using AD groups to create rule based access

This can be accomplished using the "Web Mapping" methodology outlined here: https://community.mcafee.com/docs/DOC-2210

You can create policy "containers" or rulesets which apply to a particular group or whatever you want (the article talks about groups, but you could pick anything).

I noticed you commented on the article; I attempted to clarify the advantage of using the method outlined in the article.

~Jon

imtrying
Level 10

Re: Using AD groups to create rule based access

Jon:

Thanks for the information and I completely understand what you are doing here. But doing it the way that you have described seems to add a step. It appears that it would be possible to allow the users to authenticate to the proxy with one particular group, for me webusers, and then in the rule sets create individual rules for each user group that I would like to handle. So, I would have a rule set that the Criteria would be Authentication.usergroups contain "sales".

So, webusers allows them to use the proxy but when it hits the rule set it would see if they are in the usergroups "sales" and then allow them to enter the rule.

Am I missing something and being overly simplistic?

McAfee Employee

Re: Using AD groups to create rule based access

The problem that the article solves is:

- What if a user is not a part of "webusers"?

- What if a user is a part of "webusers" and "execs"?

This helps get a better understanding of how policy is assigned by structuring your rules with this method. You have one ruleset which assigns the "policy" as opposed to having every rule/ruleset determine the policy you should get.

~Jon

imtrying
Level 10

Re: Using AD groups to create rule based access

Jon:

Thanks again. Yes, this does help. Let me ask, where\how does the default User-Defined.policy get assigned? I suspect that if they fall through the rules and none has taken action then the User-Defined.policy would be placed in effect?

Also, I do not understand what will happen if, like in your example, Doug is in both the Internet relaxed and the Internet strict (by mistake)?

Thanks again. I find the help on this forum very helpful and accessible. Thanks to you and the support team for answering questions in the forums.

McAfee Employee

Re: Using AD groups to create rule based access

The article outlines both examples you are confused about, but let me clarify them further.

As far as the default value for the "policy" property, this is talked about in the "catch-all", where I explain that the "Policy" property is by default given the value "default".

For Doug, he will get assigned policy depending on the order of the rules. If you want to be more "relaxed" you assign the relaxed policy first. If you want to be more "strict" then you assign the stricter policies first. Take a close look at the order of the rules.

~Jon
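
The rule-order behaviour described in this thread, modelled in Python as an added example (not part of any post here and not McAfee Web Gateway rule syntax): the first matching group-to-policy rule wins, and when nothing matches the value stays "default". Doug and the two Internet groups come from the thread; the users ann and sam, the policy labels and the function names are constructed for illustration.

```python
# Model of first-match policy mapping; NOT McAfee Web Gateway rule syntax.
# Users, memberships and policy labels below are constructed sample data.

DEFAULT_POLICY = "default"  # value the thread says the policy property starts with


def assign_policy(user_groups, mapping):
    """Return the policy of the first mapping rule whose group the user is in."""
    member_of = {g.lower() for g in user_groups}
    for group, policy in mapping:  # order is significant: first match wins
        if group.lower() in member_of:
            return policy
    return DEFAULT_POLICY  # catch-all: no mapping rule matched


def audit(directory, mapping):
    """Report users whose result depends on rule order or on the catch-all."""
    findings = {}
    for user, groups in sorted(directory.items()):
        member_of = {g.lower() for g in groups}
        hits = [policy for group, policy in mapping if group.lower() in member_of]
        if len(set(hits)) > 1:
            findings[user] = ("ambiguous", hits[0], hits)
        elif not hits:
            findings[user] = ("unmapped", DEFAULT_POLICY, [])
    return findings


STRICT_FIRST = [("Internet strict", "strict"), ("Internet relaxed", "relaxed")]
RELAXED_FIRST = list(reversed(STRICT_FIRST))

DIRECTORY = {  # constructed sample memberships
    "doug": ["webusers", "Internet relaxed", "Internet strict"],
    "ann": ["webusers", "Internet relaxed"],
    "sam": ["webusers"],  # authenticated, but in no policy group
}

if __name__ == "__main__":
    for name, order in (("strict first", STRICT_FIRST), ("relaxed first", RELAXED_FIRST)):
        print(name, {u: assign_policy(g, order) for u, g in DIRECTORY.items()})
    for user, finding in audit(DIRECTORY, STRICT_FIRST).items():
        print(user, finding)
```

Users reported as "unmapped" receive whatever the rule set for the "default" value allows, so that rule set is the one to review for the open-access concern raised in the first post.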
