jennyado
Collaborator

Grouping multiple Access Roles into a single object

Hi all,

We currently have an environment integrated with Microsoft Entra ID and Check Point, using Identity Awareness with Access Roles.

At the moment, our policy is structured as follows:

  • We use an inline layer rule.

  • In the parent rule, we define the VPN C2S network (IP pool) as the source.

  • In the child rules, we define multiple Access Roles as the source.

  • Each Access Role maps to Entra ID groups using the naming convention EXT_ID_<group_name>, as described in the admin guide.

However, although this setup is currently allowing traffic, it is effectively working due to the cleanup rule in the inline layer being set to Accept, which we understand is not a correct or secure design.

However, we are evaluating a policy redesign. The idea is to move toward a cleaner rule structure where each Access Role would have its own rule.

That said, a question came up internally:

👉 Is it possible to create a group of Access Roles (similar to a Network Group), so that multiple Access Roles can be combined into a single object and used in one rule?

Has anyone implemented something similar, or is there a recommended workaround or best practice for this scenario?

Thanks in advance for your insights!

0 Kudos
7 Replies
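As an added example (not from the thread and not Check Point's own code), a small Python audit over a constructed, simplified rulebase export that flags the two issues raised in the post: an inline layer whose cleanup rule is Accept, and Access Role user groups that do not carry the EXT_ID_ prefix. The JSON field names and object types are assumptions made for illustration, not a verified management API schema.

```python
import json
from typing import Any

EXT_ID_PREFIX = "EXT_ID_"

# Constructed, simplified sample modelled on the thread's setup: a parent rule with
# the VPN C2S pool as source and an inline layer of Access Role rules that ends in an
# accepting cleanup rule. Field names are an assumption, not a verified API schema.
SAMPLE_RULEBASE = json.loads("""
{"rulebase": [
  {"name": "Remote access users", "action": "Inline Layer",
   "source": [{"name": "VPN_C2S_Pool", "type": "network"}],
   "inline-layer": {"name": "RA_Inline", "rulebase": [
     {"name": "Finance", "action": "Accept",
      "source": [{"name": "AR_Finance", "type": "access-role", "users": ["EXT_ID_Finance"]}]},
     {"name": "IT", "action": "Accept",
      "source": [{"name": "AR_IT", "type": "access-role", "users": ["EXT_ID_IT", "IT_Admins"]}]},
     {"name": "Cleanup", "action": "Accept", "source": [{"name": "Any", "type": "any"}]}]}},
  {"name": "Cleanup rule", "action": "Drop", "source": [{"name": "Any", "type": "any"}]}]}
""")

def audit_layer(layer_name: str, rules: list[dict[str, Any]]) -> list[str]:
    """Return findings for one layer, recursing into any inline layers it contains."""
    findings: list[str] = []
    for rule in rules:
        for obj in rule.get("source", []):
            if obj.get("type") != "access-role":
                continue
            for group in obj.get("users", []):
                if not group.startswith(EXT_ID_PREFIX):
                    findings.append(f"{layer_name}/{rule['name']}: group '{group}' in "
                                    f"'{obj['name']}' lacks the {EXT_ID_PREFIX} prefix")
        inline = rule.get("inline-layer")
        if inline:
            findings.extend(audit_layer(inline["name"], inline["rulebase"]))
    # The last rule of a layer is its cleanup rule. An Accept there passes any traffic
    # that matched the parent rule, whether or not an Access Role rule above matched.
    if rules and rules[-1].get("action") == "Accept":
        findings.append(f"{layer_name}: cleanup rule '{rules[-1]['name']}' is Accept")
    return findings

def audit(policy: dict[str, Any]) -> list[str]:
    """Audit the top-level layer (hypothetically named 'Network') and everything below it."""
    return audit_layer("Network", policy["rulebase"])

if __name__ == "__main__":
    for line in audit(SAMPLE_RULEBASE):
        print(line)
```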
emmap
MVP Gold CHKP

I don't know that we can group access roles, but traditionally we can put multiple AD groups into one Access role. That wouldn't work with your Entra setup though due to how the naming scheme works to use them. 

What I would suggest though is to get in touch with your local sales office to see if Infinity Identity will work for you, as it more properly integrates with Entra ID and does away with the clunky 'ext_id_' groups. There would be some things to work out with how it integrates with your remote access solution but it would give you the option to be adding multiple Entra groups into your Access Roles. 

jennyado
Collaborator

I was reviewing this video, and my idea is to add multiple User Groups to the same Access Role.

[attachment: azure_groups.png]

0 Kudos
the_rock
MVP Diamond

You should be able to do that. If you wish to group multiple access roles, that's possible too.

Best,
Andy
"Have a great day and if it's not, change it"
0 Kudos
jennyado
Collaborator

My main concern is that the User Group objects with the naming convention EXT_ID_<Azure group name> may not be properly identified.

While reviewing the documentation and the video, I understand that these User Groups are associated with an Access Role. However, I am unsure whether a separate Access Role is required for each User Group, or if multiple User Groups can be grouped within a single Access Role.

0 Kudos
the_rock
MVP Diamond

What is the video you mentioned? I don't see any link for it.

Best,
Andy
"Have a great day and if it's not, change it"
0 Kudos
jennyado
Collaborator

0 Kudos
the_rock
MVP Diamond

I'm fairly sure the name would need to match and you would be able to add multiple groups in a single access role.

Best,
Andy
"Have a great day and if it's not, change it"
0 Kudos