Need guidance in configuring the SA6500 host checker to meet the following requirement.
We have two kinds of users, employees and contractors; for them the roles are mapped with Active Directory and resources are assigned to the roles.
We want to implement Host Checker: for employees, if AV and patches match, the user gets mapped to the respective Active Directory mapped role; if Host Checker fails, the user is mapped to a generic role with limited access.
Similarly for the contractors. I have implemented a custom expression and mapped to a particular local role; how do I choose the Active Directory mapped role?
Please provide your advice.
If I understand right, you will end up with four roles:
- Employee full access
- Employee restricted access
- Contractor full access
- Contractor restricted access
To achieve this, in your realm, map contractors to both contractor roles, and employees to both employee roles, then on the two full access roles add the restriction that host checker is required.
If they pass Host Checker they will get both restricted and full access; if they fail they will only get their restricted access.
Because no matter what they will get restricted access, don't duplicate the resources between the restricted and full access roles.
In addition to the solution mentioned by @srigelsford, you can do the following in your role mapping role on the realm:
Create the needed policies on the left and assign ALL roles on the right. Then on the roles that should pass Host Checker to receive them, enable Host Checker to be required (Users>User Roles>roleName>General>Restrictions>Host Checker).
This has the advantage of simplifying your configuration to allow access based on one role mapping rule on the realm but still only provide trusted/full access to trusted computers.
In all instances you will need to have Host Checker evaluate only at the realm.