topic Re: Security ID based rules in Firewall and Security Management

Security ID based rules

Nagaraja — Mon, 14 Jun 2021 18:52:24 GMT

R81 Enhancement:

Security ID (SID) support for Identity Awareness - Move users and groups to different LDAP Organizational Units without the need to modify the Access Role Policy.

We can enable SID on the gateway.

How to use create a policy for this ?

For Example:There are two OU's 'test.abc.com' and 'test1.abc.com'

test.abc.com OU has access to facebook as this is marketing unit.

test1.abc.com has access to financial sites.

User1 belongs to 'test.abc.com' and user2 belongs to 'test1.abc.com'

I have created the access role for the user1 to allow facebook.

When I user moves from 'test.abc.com' to 'test1.abc.com', how user1 will have access to Financial sites as the access role is still matches to a policy for 'facebook'

Is there anything which I am missing ?

Is there any white paper released for this ?

Re: Security ID based rules

PhoneBoy — Mon, 14 Jun 2021 19:56:59 GMT

It affects how roles are matched.
If you defined a role based on test.abc.com then rename it to say test2.abc.com, the role will still match because of the SID.
If you move a user to a different group and that’s how you’ve defined the access role (by group), then the user will be associated with the new role(s) the same as before.
@Royi_Priov am I missing something?

Re: Security ID based rules

Peter_Thome — Wed, 09 Feb 2022 16:57:34 GMT

Hello community, Any experience with this LDAP_SID feature in production environments?
The configuration does not look too mature to me. Any plans to implement this more resilient in the Configuration database?

KR, Peter