
Group to Access mapping

SOLVED
sjainssn_
Occasional Contributor


I am trying to get groups mapped to what parts of the network they get access to. So I have several groups in LDAP. Membership of each group gives you access to certain networks. How do I implement this on IVE?

Example, say, I have four groups in LDAP - A, B, C and D. I have four networks within my enterprise - W, X, Y and Z. I have users Tom, Bill, Jane and Joe. And, membership of each group corresponds to access to a particular network. So:

Group A -> W network

Group B -> X network

Group C -> Y network

Group D -> Z network

Tom is a member of groups A and B. So Tom needs access to networks W and X.

Bill is a member of groups B and C. So Bill needs access to networks X and Y.

Jane is a member of all groups. So Jane needs access to all networks.

Joe is a member of only D. So Joe needs access to network Z.

In addition to this, all users need access to the Internet (via IVE, not split tunnel) and another network T that hosts common resources.

The tricky part is allowing access to the Internet. The rest seems easy. In a realm, I can create a role for each group's membership and that role gets a policy allowing access to a certain group. So membership of Group A assigns a role called A_Role, and A_Role maps to a policy that allows access to "W" only. Same for B, C and D. So if you are a member of multiple groups, you get multiple roles and they all add up to give you access to the corresponding networks. What throws everything into a spin is Internet access.

One thing to do is to create a policy that says "Allow access to all except when destination network is A,B,C or D". Then assign this policy to a role that maps to a "default" group to which all users belong. But I don't see any good way of doing this in IVE. So any help would be greatly appreciated.

Thanks!

ACCEPTED SOLUTION
sjainssn_
Occasional Contributor

Re: Group to Access mapping

I am not sure you understood the situation. For one, there are no layer-7 resources that I am trying to control. All access control needs to be done for layer-3 resources. Policies have to be defined such that all users can access a set of common resources (the Internet and a few RFC 1918 blocks) and, on top of that, depending on group membership, have access to additional RFC 1918 private networks. The solution is to create a "default" role that gets access to 31 non-RFC 1918 supernets (aka the Internet) and the common private nets. After that, each additional restricted private net gets mapped to a role. Depending on group membership, with "Merge Roles" set, a user can get assigned multiple roles and hence access multiple exclusive networks.

If it helps anyone, here is the list of 31 non-RFC 1918 supernets (aka the Internet), because IVE does not support the 'NOT' operator for destination nets.

1.0.0.0/5
8.0.0.0/7
11.0.0.0/8
12.0.0.0/6
16.0.0.0/4
32.0.0.0/3
64.0.0.0/2
128.0.0.0/3
160.0.0.0/5
168.0.0.0/6
172.0.0.0/12
172.32.0.0/11
172.64.0.0/10
172.128.0.0/9
173.0.0.0/8
174.0.0.0/7
176.0.0.0/4
192.0.0.0/9
192.128.0.0/11
192.160.0.0/13
192.169.0.0/16
192.170.0.0/15
192.172.0.0/14
192.176.0.0/12
192.192.0.0/10
193.0.0.0/8
194.0.0.0/7
196.0.0.0/6
200.0.0.0/5
208.0.0.0/4
224.0.0.0/3

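As an added illustration (my own code, not from the thread or from Juniper), here is how the 31-prefix list above can be computed as the complement of the RFC 1918 blocks with Python's ipaddress module, checked against the posted list, and extended with further exclusions such as 0.0.0.0/8 and 127.0.0.0/8; the function names are my assumptions, and the posted list is embedded inline for the check.

```python
import ipaddress

# The three RFC 1918 blocks that the per-group IVE roles hand out individually.
RFC1918 = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")

# The 31 supernets exactly as posted in the thread (embedded here for the check).
POSTED = """1.0.0.0/5 8.0.0.0/7 11.0.0.0/8 12.0.0.0/6 16.0.0.0/4 32.0.0.0/3
64.0.0.0/2 128.0.0.0/3 160.0.0.0/5 168.0.0.0/6 172.0.0.0/12 172.32.0.0/11
172.64.0.0/10 172.128.0.0/9 173.0.0.0/8 174.0.0.0/7 176.0.0.0/4 192.0.0.0/9
192.128.0.0/11 192.160.0.0/13 192.169.0.0/16 192.170.0.0/15 192.172.0.0/14
192.176.0.0/12 192.192.0.0/10 193.0.0.0/8 194.0.0.0/7 196.0.0.0/6 200.0.0.0/5
208.0.0.0/4 224.0.0.0/3"""


def complement(excluded, universe="0.0.0.0/0"):
    """Sorted list of the largest aligned prefixes covering every address in
    `universe` that is not inside any `excluded` network. This is what a
    'destination NOT in X' rule must be expanded into when the policy engine
    (IVE here) has no NOT operator for destination networks."""
    remaining = [ipaddress.ip_network(universe)]
    for ex in (ipaddress.ip_network(e) for e in excluded):
        carved = []
        for net in remaining:
            if net.subnet_of(ex):          # whole block is excluded: drop it
                continue
            if ex.subnet_of(net):          # hole inside this block: split it
                carved.extend(net.address_exclude(ex))
            else:                          # disjoint: keep as is
                carved.append(net)
        remaining = carved
    return sorted(remaining)


def parse_posted(text):
    # strict=False: the posted '1.0.0.0/5' denotes the block whose prefix is 0.0.0.0/5
    return sorted(ipaddress.ip_network(t, strict=False) for t in text.split())


def matches_posted():
    """True if the computed complement of RFC 1918 equals the posted 31 prefixes."""
    return complement(RFC1918) == parse_posted(POSTED)


def reachable(ip, allowed):
    """Would this destination match an allow policy built from `allowed`?"""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in allowed)


if __name__ == "__main__":
    print(len(complement(RFC1918)), "prefixes; matches posted list:", matches_posted())
    # Tighter "Internet" role that also drops 0.0.0.0/8 and loopback (my addition).
    print(complement(RFC1918 + ("0.0.0.0/8", "127.0.0.0/8")))
```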

4 REPLIES
SonicBoom_
Regular Contributor

Re: Group to Access mapping

Go to User Roles and create a role for each group, like accounting, marketing, executive, etc. Make sure you make one for All Users as a default group of drives that are allowed; this is usually Public and My Documents. Then go to Resource Profiles / Files and create the shares. Then go to User Realms > Role Mapping and assign the groups there, for example: group Public Directory Remote Users ---> assign Public Drive, and so on and so forth.

I'm going to be starting a big thread on mapping these based on a script in the next few minutes, but this is what we are all pretty much using for now.

By the way, if you have some restricted users you may need to move a rule above one with more rights and use the "stop processing rules when this rule matches" check box.

cbarcellos_
Regular Contributor

Re: Group to Access mapping

Not to be a pessimist, but recently the 1.0.0.0/8 network was assigned and is in use now:

http://bgpmon.net/blog/?p=275

http://ws.arin.net/whois/?queryinput=1.0.0.0

I'm sure 1.1.1.1 and 1.2.3.4 IPs are getting quite a bit of ICMP traffic :-)

sjainssn_
Occasional Contributor

Re: Group to Access mapping

Wow! Those poor netadmins. Sad to think that they won't even have a chance when millions of hard-coded "ping 1.1.1.1 or ping 1.2.3.4" hit them :-P