topic Re: How does Identity awareness match user groups in General Topics

How does Identity awareness match user groups

peter_schumache — Fri, 22 May 2020 06:42:57 GMT

When I define a Identity Awareness access role with users --> specific users/groups and I define several AD groups there, how is the decision for the access rule been made. Must a specific user be member of just ONE of these groups or ALL of these groups?

Re: How does Identity awareness match user groups

Timothy_Hall — Fri, 22 May 2020 12:50:39 GMT

Just one group/user will cause a match on the "Users" tab of the Access Role, but the other two tabs (Network, Machines) must match as well. So within the context of a specific Access Role tab (Network, Users, Machines) it is an OR, but it is an AND between all three tabs of the Access Role to be considered a match.

Re: How does Identity awareness match user groups

peter_schumache — Mon, 25 May 2020 09:59:39 GMT

Our observations are the opposite way around.

If I define an access role with specific user groups and I put User Group A, B and C in there, then a user MUST be member of all 3 groups in order for the rule to match.

If I define an access role with just one user group A, then the user needs to be just member of group A in order for the rule to match.