5 Replies Latest reply on Nov 21, 2011 1:59 PM by Jon Scholten

    Using AD groups to create rule based access

      I would like to allow users to authenticate using the AD group Web users (which I have done) and then create rules on what they can access using additional groups, i.e. sales.


      I have done this now, but I have to make Sales the authentication group. I would like for them to authenticate with one group and then use other groups to create rule sets on. Is this possible? How?


      I have considered removing the authorized users rule and allowing everyone that authenticates against the domain to pass into the filter. But the concern that I have with this is: if I do not have a rule to catch them and filter the access, they will fall out the bottom with open access.


      Any information/assistance is appreciated.



      Message was edited by: imtrying on 11/18/11 3:29:13 PM CST
        • 1. Re: Using AD groups to create rule based access
          Jon Scholten

          This can be accomplished using the "Web Mapping" methodology outlined here: https://community.mcafee.com/docs/DOC-2210


          You can create policy "containers" or rulesets which apply to a particular group or whatever you want (the article talks about groups, but you could pick anything).


          I noticed you commented on the article; I attempted to clarify the advantage of using the method outlined in the article.



          • 2. Re: Using AD groups to create rule based access



            Thanks for the information and I completely understand what you are doing here. But doing it the way that you have described seems to add a step. It appears that it would be possible to allow the users to authenticate to the proxy with one particular group, for me webusers, and then in the rule sets create individual rules for each user group that I would like to handle. So, I would have a rule set where the criteria would be Authentication.usergroups contain "sales".


            So, webusers allows them to use the proxy, but when it hits the rule set it would see if they are in the usergroups "sales" and then allow them to enter the rule.


            Am I missing something and being overly simplistic?

            • 3. Re: Using AD groups to create rule based access
              Jon Scholten

              The problem that the article solves is:


              -What if a user is not a part of "webusers"?

              -What if a user is a part of "webusers" and "execs"?


              This helps get a better understanding of how policy is assigned by structuring your rules with this method. You have one ruleset which assigns the "policy" as opposed to having every rule/ruleset determine the policy you should get.



              • 4. Re: Using AD groups to create rule based access



                Thanks again. Yes, this does help. Let me ask: where/how does the default User-Defined.policy get assigned? I suspect that if they fall through the rules and none has taken action, then the User-Defined.policy would be placed in effect?


                Also, I do not understand what will happen if, like in your example, Doug is in both the Internet relaxed and the Internet strict (by mistake)?


                Thanks again.  I find the help on this forum very helpful and accessible.  Thanks to you and the support team for answering questions in the forums.

                • 5. Re: Using AD groups to create rule based access
                  Jon Scholten

                  The article outlines both examples you are confused about, but let me clarify them further.


                  As far as the default value for the "policy" property, this is talked about in the "catch-all", where I explain that the "Policy" property is by default given the value "default".


                  For Doug, he will get assigned a policy depending on the order of the rules. If you want to be more "relaxed" you assign the relaxed policy first. If you want to be more "strict" then you assign the stricter policies first. Take a close look at the order of the rules.
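The following Python script is an added illustration of the policy-mapping approach discussed in this thread; it is not McAfee Web Gateway code and not part of the linked article. It models what the replies describe: one ordered ruleset maps AD group membership to a Policy property (first match wins, so rule order decides for a user who is in both groups), the property keeps the value "default" when nothing matches, and later rulesets key on Policy rather than on groups, with a final catch-all that blocks unmapped users so nobody "falls out the bottom" with open access. All group names, hosts and users (execs, sales, Doug, intranet.example, and so on) are constructed for the example.

```python
"""Constructed simulation of the "policy mapping" rule structure from the thread.
Not Web Gateway code: a small rule engine that shows first-match policy
assignment, the "default" catch-all value, and policy-keyed enforcement."""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

@dataclass
class Request:
    user: str
    groups: frozenset
    url: str
    policy: str = "default"   # analogue of User-Defined.policy: "default" until a mapping rule sets it

@dataclass
class Rule:
    name: str
    criteria: Callable[[Request], bool]
    action: str                     # "allow", "block" or "continue" (set a property and go on)
    set_policy: Optional[str] = None

def in_group(group: str) -> Callable[[Request], bool]:
    return lambda r: group in r.groups

def has_policy(policy: str) -> Callable[[Request], bool]:
    return lambda r: r.policy == policy

def url_in(*hosts: str) -> Callable[[Request], bool]:
    return lambda r: any(r.url.startswith(f"https://{h}") for h in hosts)

def assign_policy(req: Request, mapping: List[Rule]) -> str:
    """Policy-mapping ruleset: the first rule whose criteria match sets Policy and
    stops the ruleset. A user who matches nothing keeps "default"."""
    for rule in mapping:
        if rule.criteria(req):
            req.policy = rule.set_policy
            break
    return req.policy

def enforce(req: Request, rulesets: List[Tuple[Callable[[Request], bool], List[Rule]]]) -> str:
    """Walk enforcement rulesets in order. A ruleset is entered only when its own
    criteria match; the first matching rule inside returns the verdict. The last
    ruleset is a catch-all block, so a request never leaves without a decision."""
    for ruleset_criteria, rules in rulesets:
        if not ruleset_criteria(req):
            continue
        for rule in rules:
            if rule.criteria(req) and rule.action != "continue":
                return rule.action
    return "block"   # defensive default; the catch-all ruleset above should already have decided

def build_rulesets(relaxed_first: bool = True):
    # Constructed group-to-policy mapping; reversing it is the "order decides" point for Doug.
    mapping = [
        Rule("execs -> relaxed", in_group("execs"), "continue", set_policy="relaxed"),
        Rule("sales -> strict", in_group("sales"), "continue", set_policy="strict"),
    ]
    if not relaxed_first:
        mapping.reverse()
    enforcement = [
        (has_policy("relaxed"), [
            Rule("relaxed: block known-bad host", url_in("malware.example"), "block"),
            Rule("relaxed: allow the rest", lambda r: True, "allow"),
        ]),
        (has_policy("strict"), [
            Rule("strict: allow intranet and CRM only", url_in("intranet.example", "crm.example"), "allow"),
            Rule("strict: block the rest", lambda r: True, "block"),
        ]),
        # Catch-all: anyone still on "default" (mapped to no policy) is blocked, not let through.
        (lambda r: True, [Rule("catch-all: block unmapped users", lambda r: True, "block")]),
    ]
    return mapping, enforcement

def decide(user: str, groups, url: str, relaxed_first: bool = True) -> Tuple[str, str]:
    """Return (assigned policy, verdict) for one request."""
    req = Request(user, frozenset(groups), url)
    mapping, enforcement = build_rulesets(relaxed_first)
    assign_policy(req, mapping)
    return req.policy, enforce(req, enforcement)

if __name__ == "__main__":
    # Doug is (by mistake) in both groups: rule order picks his policy.
    print("doug, relaxed first:", decide("doug", {"webusers", "execs", "sales"}, "https://news.example/"))
    print("doug, strict first: ", decide("doug", {"webusers", "execs", "sales"}, "https://news.example/", relaxed_first=False))
    # A domain user in no mapped group stays on "default" and hits the catch-all block.
    print("guest, no groups:   ", decide("guest", set(), "https://news.example/"))
```

Running the script shows Doug getting "relaxed" when the relaxed rule is listed first and "strict" when the order is reversed, while a user who matches no mapping rule keeps the "default" policy and is blocked by the catch-all rather than falling through with open access.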