12-26-2011 09:09 PM - edited 03-10-2019 06:39 PM
Hi All,
I am stuck at a place where I need to select multiple users from an identity group and multiple devices from multiple NDGs. The situation becomes worse when I have two different levels of access for users who are in the same AD group but have different access to different NDGs/devices. For example, user1 to user5 of AD group1 have access to ndg1 to ndg5, but user6 to user10 from AD group1 should not have access to these devices; they should be able to access ndg6 to ndg10. And user1 to user5 should not access these ndg5 to ndg10.
I tried to achieve this with a compound condition in which I am adding the NDGs with OR and, in the same compound condition, adding the users with AND, but the problem is that all users (user1 to user10) have access to the devices, which I don't want.
Can anyone help with this?
12-26-2011 11:18 PM
It is hard to comment in detail on what you are trying to do or the results that you are seeing, since I do not have sufficient details.
However, there are a couple of suggestions I can make:
- It looks like you have additional classifications on your users besides what is defined in AD. One option would be to have these classifications reflected in the AD group membership itself. However, if this is not possible (and I am guessing that it is not), then you can in fact use the internal user database to hold this classification as follows:
- Create an internal attribute called "UserAccessGrp" at System Administration > Configuration > Dictionaries > Identity > Internal Users. For the purposes of this discussion you can use an integer type. Also define a "Policy Condition Display Name" so that it can be referenced in the authorization policy.
- Create internal user records for users 1 to 5 and set "UserAccessGrp" to the value 1. For users 6 to 10 set "UserAccessGrp" to the value 2.
- Create an identity sequence: Users and Identity Stores > Identity Store Sequences. Select the "Password Based" option and the Active Directory database under "Authentication and Attribute Retrieval Search List", and "Internal Users" under "Additional Attribute Retrieval Search List". Once created, select this identity sequence as the result of the identity policy.
Once this is done you can create compound conditions on the value of "UserAccessGrp" in the "Internal Users" dictionary.
My suggestion is to similarly group devices into additional device groups. You can add a new NDG hierarchy called "AccessGroup" (Network Resources > Network Device Group) and then define logical group 1, logical group 2, etc.
Then finally you can define the authorization policy using two conditions:
- UserAccessGrp
- NDG:Logical Group
and define rules
UserAccessGrp = 1;NDG:Logical Group = 1 then Permit Access
UserAccessGrp = 2;NDG:Logical Group = 2 then Permit Access
etc
Default rule: Deny Access
I realize there are a lot of details here and I am not sure how much experience you have with ACS5. However, I hope it helps and fits the use case.
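As an added illustration (not part of the original thread and not Cisco's code), the following Python model evaluates an ACS-style authorization policy as an ordered rule table with first-match-wins and an explicit default rule. It contrasts the compound condition the questioner described (AD group ANDed with an OR over the device groups) with the paired UserAccessGrp / NDG logical-group rules from the answer, showing why the first variant grants every user in the AD group access to every listed device while the second only permits matching pairs. The user and device records, the attribute names ("InternalUsers:UserAccessGrp", "NDG:LogicalGroup") and the helper functions are all constructed for the example.

```python
"""Simplified model of an ACS 5 authorization policy: ordered rules,
first match wins, explicit default rule. Constructed example data only."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Set

Attrs = Dict[str, object]


@dataclass
class Rule:
    name: str
    # All conditions must hold (AND) for the rule to match.
    conditions: List[Callable[[Attrs], bool]]
    result: str  # "Permit Access" or "Deny Access"

    def matches(self, attrs: Attrs) -> bool:
        return all(cond(attrs) for cond in self.conditions)


def evaluate(rules: List[Rule], attrs: Attrs, default: str = "Deny Access") -> str:
    """Top-down, first-match evaluation; the default rule applies if nothing hits."""
    for rule in rules:
        if rule.matches(attrs):
            return rule.result
    return default


# Constructed users: all ten are in AD group1; the internal-user attribute
# UserAccessGrp is 1 for user1-user5 and 2 for user6-user10, as the answer suggests.
USERS: Dict[str, Attrs] = {
    f"user{i}": {"AD:group": "group1", "InternalUsers:UserAccessGrp": 1 if i <= 5 else 2}
    for i in range(1, 11)
}

# Constructed devices: ndg1-ndg5 sit under logical group 1, ndg6-ndg10 under group 2.
DEVICES: Dict[str, Attrs] = {
    f"ndg{i}": {"NDG:Location": f"ndg{i}", "NDG:LogicalGroup": 1 if i <= 5 else 2}
    for i in range(1, 11)
}


def request_attrs(user: str, device: str) -> Attrs:
    """Merge the user's and device's attributes as the policy engine would see them."""
    attrs: Attrs = {"user": user}
    attrs.update(USERS[user])
    attrs.update(DEVICES[device])
    return attrs


# The questioner's attempt: one compound condition, AD group ANDed with an OR
# over ndg1..ndg5. Every user is in group1, so the rule matches for all of them.
BROKEN_RULES = [
    Rule(
        "group1-any-of-ndg1-5",
        [
            lambda a: a["AD:group"] == "group1",
            lambda a: a["NDG:Location"] in {f"ndg{i}" for i in range(1, 6)},
        ],
        "Permit Access",
    ),
]

# The answer's approach: one rule per (user class, device class) pair, default Deny.
PAIRED_RULES = [
    Rule(
        "UserAccessGrp=1;LogicalGroup=1",
        [
            lambda a: a["InternalUsers:UserAccessGrp"] == 1,
            lambda a: a["NDG:LogicalGroup"] == 1,
        ],
        "Permit Access",
    ),
    Rule(
        "UserAccessGrp=2;LogicalGroup=2",
        [
            lambda a: a["InternalUsers:UserAccessGrp"] == 2,
            lambda a: a["NDG:LogicalGroup"] == 2,
        ],
        "Permit Access",
    ),
]


def users_permitted_on(rules: List[Rule], device: str) -> Set[str]:
    """Which users the policy would permit on a given device."""
    return {u for u in USERS if evaluate(rules, request_attrs(u, device)) == "Permit Access"}


if __name__ == "__main__":
    for label, rules in (("broken", BROKEN_RULES), ("paired", PAIRED_RULES)):
        for dev in ("ndg2", "ndg8"):
            print(f"{label:6} {dev}: {sorted(users_permitted_on(rules, dev))}")
```

Run it as a script to print, per device, which users each policy variant admits; the broken variant lists all ten users on ndg2 and nobody on ndg8, while the paired variant lists user1-user5 on ndg2 and user6-user10 on ndg8.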