3 Replies Latest reply: Jan 3, 2013 10:37 AM by Jon Scholten

    Policy for multiple AD group user

    nmalonzo

      Hi All,

       

      We are currently implementing MWG 7.3 and we are encountering a problem.

       

      We have users that are members of multiple groups (e.g. GROUP A, B, C).

      We have a policy wherein if you are a member of a certain group, you have specific rules for whitelisted URLs and blocked categories (same setup per policy w/ specific group).

       

      Example:

       

      User A is a member of GROUP A, B and C.

       

      Policy 1 - authentication.usergroup = "Group A" -> Allow all

      Policy 2 - authentication.usergroup = "Group B" -> Block Social Networking sites

      Policy 3 - authentication.usergroup = "Group C" -> Block all

       

      Note: policies are top to bottom within a parent ruleset, criteria set = "Always"

       

      What's happening is, instead of User A authenticating to Policy 1 (which it should, since Policy 1 is at the top), User A goes straight to Policy 2.

       

      Should I add another rule to stop the cycle?

       

      I'm quite confused, please help me understand.

       

       

      Thanks in advance

      Nelson

        • 1. Re: Policy for multiple AD group user
          Jon Scholten

          Hi Nelson,

           

          There are various ways to accomplish this; see the links below:

          https://community.mcafee.com/docs/DOC-3649

          https://community.mcafee.com/docs/DOC-2210

           

          Best,

          Jon

          • 2. Re: Policy for multiple AD group user
            nmalonzo

            Hi Jon,

             

            Thanks a lot, it really helped.

             

            Another question...

             

            Is there a way to make the structure of the policy like a "shopping cart" concept?

             

            The setup is, users are members of a certain group initially; to access a certain website, users will have to request internet connection access, and once approved they will be added to another group to give access to the sites.

             

            How can I parallel this to MWG policy? Is it possible to authenticate twice to be able to access the websites that are only available in another group policy which you are a member of as well?

             

            Hope I did not confuse you...

             

            Happy new year!

             

            Thanks,

            Nelson

            • 3. Re: Policy for multiple AD group user
              Jon Scholten

              Hi Nelson,

               

              Please let me know if I misinterpreted your request.

               

              The first sentence sounds like one thing:

              "The setup is, users are members of a certain group initially; to access a certain website, users will have to request internet connection access, and once approved they will be added to another group to give access to the sites."

              If the user is added to the other group, then they would be granted access to whatever sites that new group is able to access. There should be no action required on the part of the user except to request to be added to a new group.

               

              The second sentence:

              "How can I parallel this to MWG policy? Is it possible to authenticate twice to be able to access the websites that are only available in another group policy which you are a member of as well?"

              Sounds like you would like the user to "re-authenticate" as another user. Is this correct? Do you have users in your domain with multiple accounts? This sounds different from your first sentence.

               

              Best,

              Jon