I have two roles, users and quarantine; there is a host checker policy assigned to the users role.
Users who didn't comply with this policy have to be assigned to the quarantine role.
I configured the following:
- created the two roles.
- configured the role mapping for the locally configured users to be assigned to the users role, and checked the "stop role matching" check box.
- configured the role mapping for all users (*) to be assigned to the quarantine role, and located it below the users role.
- enabled the dynamic policy evaluation in the Roles Realm.
the problems are:
1- Users who didn't comply weren't assigned to the quarantine role. I unchecked the stop role matching in the users role; then the non-compliant users were assigned to the quarantine role (is this configuration right?).
2- After I did the above, the users who were assigned to the quarantine role (due to the non-compliant policy) and fixed their problems weren't reassigned to the users role. Why? Although I configured the dynamic policy evaluation!!
Since you have not checked "Stop processing rules when this rule matches", you would have been mapped to multiple roles.
Instead of username-based role mapping, consider using custom expression based rules using "hostCheckerPolicy".
Do you have an example or some documents about this?
Can I use the custom expressions to match both the username and the host checker policy?
Also, what about the dynamic policy evaluation? It didn't work using the above settings; do you have any comments?
Yes, you can use custom expressions to match both the username and the host checker policy.
Custom expression usage is documented in the UAC admin guide under the Host Checker section; refer to pages 408 and 432.
Also refer to the Writing Custom Expressions section under Chapter 25 of the UAC admin guide.
Dynamic policy evaluation should work; kindly check the interval time configured, and also ensure that you have enabled the Refresh roles option
under Dynamic policy evaluation.
Also ensure that the "Perform check every X minutes" field is enabled with an appropriate time value under Authentication > Endpoint Security > Host Checker.
Please refer to Specifying General Host Checker Options in the admin guide, page 43.
Please revert for any assistance.
Please mark this post as 'accepted solution' if this answers your question that way it might help others as well, a kudo would be a bonus thanks!!
So what I understood from you is that for the host checker policies to be considered in role assignments, the custom expressions have to be configured in the role mapping rules?
Also, I want to check the "stop processing rules when this rule matches" option, so I have to configure the custom expressions in the role mapping; otherwise the role mapping will be based on the user's authentication and will not consider the host checker policy. Is this right?
The IC Series maps a user to one or more user roles, pushes policies and enforces role restrictions, and determines the valid user roles for users who meet the requirements of the role restrictions, including the host checker restrictions configured for each role.
The IC merges the valid roles for the user; if the IC is not configured to merge roles, then the IC assigns the user to the first role to which the user has been mapped.
Since you have been mapped to multiple roles, dynamic policy evaluation would not have taken effect.
Yes, your understanding is correct; the better way to map user roles is to use custom expressions with hostCheckerPolicy.
And for your use case, you can have one role mapping rule based on custom expressions, with stop processing, for when the machine meets the host check policy (say, a full access role), and another default rule, probably based on username (say, the quarantine role).
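To make the difference between the three configurations discussed in this thread concrete, here is a small added simulation of the role mapping semantics described above (ordered rules, the "stop processing" flag, merge versus first-match, a per-role Host Checker restriction, and re-evaluation after remediation). It is an illustration written for this page, not Juniper code or the IC's actual implementation; the policy name "compliance", the role names and the endpoint attributes are assumed for the example.

```python
"""Simulation of the role mapping behaviour described in the thread.

Added illustration, not Juniper code. The semantics follow the thread:
rules are walked in order, a rule may stop further processing, the IC
either merges all mapped roles or keeps the first one, and roles whose
Host Checker restriction is not met are dropped. Names are constructed.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple

COMPLIANCE = "compliance"  # assumed Host Checker policy name


@dataclass
class Endpoint:
    """What the IC knows about a session when it evaluates rules."""
    username: str
    local_user: bool                                     # authenticated against the local server
    passed_policies: Set[str] = field(default_factory=set)  # Host Checker policies that passed


@dataclass
class Rule:
    """One role mapping rule: a predicate, the roles it maps to, and the
    'Stop processing rules when this rule matches' flag."""
    name: str
    matches: Callable[[Endpoint], bool]
    roles: Set[str]
    stop: bool


# Host Checker restriction configured on each role (empty set = none).
# The poster put the policy on the "users" role itself.
ROLE_RESTRICTIONS: Dict[str, Set[str]] = {
    "users": {COMPLIANCE},
    "quarantine": set(),
}


def map_roles(rules: List[Rule], ep: Endpoint, merge: bool = True) -> Set[str]:
    """Walk the rules in order, collect mapped roles, honour the stop flag,
    then drop roles whose restriction the endpoint does not satisfy.
    With merge=False only the first mapped role is kept (per the thread)."""
    mapped: List[str] = []
    for rule in rules:
        if rule.matches(ep):
            mapped.extend(r for r in rule.roles if r not in mapped)
            if rule.stop:
                break
    if not merge and mapped:
        mapped = mapped[:1]
    return {r for r in mapped if ROLE_RESTRICTIONS[r] <= ep.passed_policies}


def original_rules(stop_on_users: bool) -> List[Rule]:
    """The poster's configuration: username-based rule first, then '*'."""
    return [
        Rule("local users -> users", lambda ep: ep.local_user, {"users"}, stop_on_users),
        Rule("* -> quarantine", lambda ep: True, {"quarantine"}, False),
    ]


def recommended_rules() -> List[Rule]:
    """The answer's suggestion: a custom expression combining the username
    condition with the hostCheckerPolicy result, with stop processing on,
    and '*' as the default rule below it."""
    return [
        Rule('local AND hostCheckerPolicy = "compliance" -> users',
             lambda ep: ep.local_user and COMPLIANCE in ep.passed_policies,
             {"users"}, True),
        Rule("* -> quarantine", lambda ep: True, {"quarantine"}, False),
    ]


def remediate_and_reevaluate(rules: List[Rule], ep: Endpoint) -> Tuple[Set[str], Set[str]]:
    """Dynamic policy evaluation: the roles before and after the endpoint
    starts passing the compliance policy."""
    fixed = Endpoint(ep.username, ep.local_user, ep.passed_policies | {COMPLIANCE})
    return map_roles(rules, ep), map_roles(rules, fixed)


if __name__ == "__main__":
    bad = Endpoint("alice", local_user=True)          # constructed: not compliant
    print("original, stop checked  :", map_roles(original_rules(True), bad))
    print("original, stop unchecked:", map_roles(original_rules(False), bad))
    print("recommended, before/after remediation:",
          remediate_and_reevaluate(recommended_rules(), bad))
```

Running it reproduces the thread: with the username rule stopping processing, a non-compliant local user is mapped only to "users", the restriction then removes it and no role is left, so the quarantine rule is never reached; with stop unchecked, the user lands in both rules, and a compliant user ends up in both roles (or only the first, if the IC does not merge), which is the multiple-mapping situation the answer points at; with the custom-expression rule, the same user is in quarantine while failing and moves to users once re-evaluation sees the policy pass.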