This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
jennyado
Advisor
‎2026-03-17 05:34 PM

Grouping multiple Access Roles into a single object

Hi all,

We currently have an environment integrated with Microsoft Entra ID and Check Point, using Identity Awareness with Access Roles.

At the moment, our policy is structured as follows:

  • We use an inline layer rule.

  • In the parent rule, we define the VPN C2S network (IP pool) as the source.

  • In the child rules, we define multiple Access Roles as the source.

  • Each Access Role maps to Entra ID groups using the naming convention EXT_ID_<group_name>, as described in the admin guide.

However, although this setup is currently allowing traffic, it is effectively working due to the cleanup rule in the inline layer being set to Accept, which we understand is not a correct or secure design.

However, we are evaluating a policy redesign. The idea is to move toward a cleaner rule structure where each Access Role would have its own rule.

That said, a question came up internally:

👉 Is it possible to create a group of Access Roles (similar to a Network Group), so that multiple Access Roles can be combined into a single object and used in one rule?

Has anyone implemented something similar, or is there a recommended workaround or best practice for this scenario?

Thanks in advance for your insights!

Labels
0 Kudos
7 Replies
emmap
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP
‎2026-03-17 05:44 PM

I don't know that we can group access roles, but traditionally we can put multiple AD groups into one Access role. That wouldn't work with your Entra setup though due to how the naming scheme works to use them. 

What I would suggest though is to get in touch with your local sales office to see if Infinity Identity will work for you, as it more properly integrates with Entra ID and does away with the clunky 'ext_id_' groups. There would be some things to work out with how it integrates with your remote access solution but it would give you the option to be adding multiple Entra groups into your Access Roles. 

jennyado
Advisor
‎2026-03-20 08:59 AM
In response to emmap

I was reviewing this video, and my idea is to add multiple User Groups to the same Access Role.

 

azure_groups.png

 
 
 
 
 
 
 
 

 

0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2026-03-20 11:33 AM
In response to jennyado

You should be able to do that. If you wish to group multiple access roles, thats possible too.

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
jennyado
Advisor
‎2026-03-20 12:14 PM
In response to the_rock

My main concern is that the User Group objects with the naming convention EXT_ID_<Azure group name> may not be properly identified.

While reviewing the documentation and the video, I understand that these User Groups are associated with an Access Role. However, I am unsure whether a separate Access Role is required for each User Group, or if multiple User Groups can be grouped within a single Access Role.

0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2026-03-20 12:22 PM
In response to jennyado

What is the video you mentioned? I dont see any link for it.

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
jennyado
Advisor
‎2026-03-20 12:27 PM
In response to the_rock

This one
https://youtu.be/172xGxqQvhI?list=PLBfjYlNj4w1vJJBCdwJCAta4kvxI0t0Fb&t=240

 

0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2026-03-20 12:33 PM
In response to jennyado

Im fairly sure name would need to match and you would be able to add mulsiple groups in a single access role.

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    In-Person

    Thu 07 May 2026 @ 01:30 PM (AEST)

    CheckMates Live Sydney
    In-Person

    Thu 07 May 2026 @ 11:30 AM (CDT)

    Nashville: Humans & AI: A Real Conversation
    In-Person

    Tue 19 May 2026 @ 08:00 AM (EDT)

    Montreal: P’tits déj Cyber! | Cyber Breakfasts!
    In-Person

    Tue 02 Jun 2026 @ 09:00 AM (CEST)

    CheckMates Live Denmark - Aarhus
    In-Person

    Wed 03 Jun 2026 @ 09:00 AM (CEST)

    CheckMates Live Denmark - Copenhagen
    CheckMates Events