I would like to get help from a design perspective.
We have 350 stores. Each store has access to 3-4 computers. Since they are franchisees we need to block inter-store access, therefore one user cannot have access to another user's computers remotely using the SSL-VPN.
At first I wanted to create 350 roles with role classification based on the username. Then create all resources and assign them to their respective role. So we will end up with 350 x 3-4 computers defined + 350 roles + 350 x 3-4 computers in the WSAM config... and so on...
I would generate an XML and import it... I would not create all those devices by hand, I'm not crazy.
Will that work? I mean, is there a limit to the number of roles you can have on an IVS?
What kind of design would YOU do in my place?
Is there any rhyme or reason to what servers a specific store can access? If so, you might be able to simplify things.
Otherwise, you could also do something like what I did for filters in Network Connect. I set up a single access policy for all users (there was, for the sake of this example, only one role). I used the "Details" capability of the access policy to apply specific rules to specific users. So, everyone has routing to the entire internal network, but specific users are limited to a subnet of the servers by the details of the access policy.
If you could set up a small LDAP, you could create a simple, flexible solution. Authenticate the users locally, but get the authorization data from the LDAP. When you query the LDAP, retrieve a multivalued attribute which contains all hosts (either IPs or DNS names) that the user is allowed to access. Use the retrieved attribute in the set-up of the WSAM destinations for a single role. When each user logs on, the list would be fetched from the LDAP, and the user allowed to only those destinations. I've never done this for WSAM, but I have used something like this for both web and TS bookmarks, and I assume it would work for WSAM.
Ken
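One way to model the LDAP-driven design Ken describes, as an added example that is not from the thread or from any Juniper product: a constructed LDIF dump with a hypothetical multivalued `allowedHost` attribute per store user, the per-user allow decision a single role would enforce, and an admin check that no host is listed for more than one store (which would break the inter-store isolation the question asks for).

```python
# Added example: per-user destination lists driven by a multivalued LDAP
# attribute. The attribute name `allowedHost`, users and hosts are constructed.
from collections import defaultdict
# Constructed LDIF dump: one entry per store user, one allowedHost value per
# computer that store may reach through the single WSAM role.
SAMPLE_LDIF = """\
dn: uid=store001,ou=stores,dc=example,dc=com
uid: store001
allowedHost: pos1.store001.example.com
allowedHost: pos2.store001.example.com
allowedHost: 10.1.1.10

dn: uid=store002,ou=stores,dc=example,dc=com
uid: store002
allowedHost: pos1.store002.example.com
allowedHost: 10.1.1.10
"""

def parse_ldif(text):
    """Return {uid: set of allowedHost values}; repeated attribute lines
    (the multivalued attribute) are collected into one set per entry."""
    users, uid, hosts = {}, None, set()
    for line in text.splitlines() + [""]:
        line = line.strip()
        if not line:                        # blank line closes an entry
            if uid is not None:
                users[uid] = hosts
            uid, hosts = None, set()
            continue
        attr, _, value = line.partition(":")
        value = value.strip().lower()
        if attr == "uid":
            uid = value
        elif attr == "allowedHost":
            hosts.add(value)
    return users

def may_connect(users, uid, host):
    """Decision the single role enforces: a user reaches only the hosts
    listed in their own attribute, so a missing user or host is a deny."""
    return host.lower() in users.get(uid, set())

def shared_hosts(users):
    """Admin check: a host listed for more than one store user breaks isolation."""
    owners = defaultdict(set)
    for uid, hosts in users.items():
        for h in hosts:
            owners[h].add(uid)
    return {h: sorted(u) for h, u in owners.items() if len(u) > 1}
```

In the constructed data 10.1.1.10 is deliberately listed for both stores so that `shared_hosts` has something to report; a clean directory returns an empty dict.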
I don't know all the variables/requirements so I can't say for sure... however, typically a role should contain all users that will access the same resources via the same access methods. So start with:
1. What set of resources will be accessed?
2. What access method best suits these resources and end user groups?
3. For each of these combinations create roles and use the respective access mechanism's ACLs to enforce access.
To answer your question: The 350 roles or several more should pose no major capacity issue for the SA device, however this design may pose manageability issues for the admin if it expands in the future or if you have to add more users to each role. If each of these franchisees already has any unique attributes on an AAA server like an LDAP directory then you can use those attributes to map the user to specific roles.
I was looking for a way to permit access by username for so long! I think that will be the best way to do it! Thanks!!!