Hello,
I have configured Identity Awareness with AD Query for one of our customers and everything is working fine, but recently we observed that if the AD administrator moves a user from one OU (organizational unit) to another OU, it is not updated in the Check Point access rule. It shows two details for the same user, so users are not getting access as per the given rule.
Kindly let me know how to update the OU automatically.
Hi Soni,
I assume from your scenario you are using access roles and then adding the users from AD into the access roles? Which in turn you are using in your rules.
If so I believe that the user is referenced by its DN within the access role.
So based on this you would need to modify the access role with the account once it's been moved.
One way around this would be to use AD groups and then add the users to the AD groups, then use the group within the access role. It would still be susceptible to the same issue of moving groups, but I assume that activity would be far less than moving users.
If I am way off with the above, could you please provide further information on your setup?
Regards
Mark
Hi Mark,
Thanks for the update.
My concern is below.
For example: a user named "A" is in OU "XYZ", so when creating an access rule for user 'A' it will be with OU 'XYZ'. Suppose user 'A' changes to a different profile; then the AD administrator will change the OU of user 'A'. In this case we are facing the issue, because in the dashboard the access rule was with the old OU and it is not automatically updated in the access rule, and the administrator is not ready to give the information about the OU change.
So please let me know how to get out of this issue.
For reference I am adding the screenshot.

In the above screenshot, user Rao was in the HO_user OU, but for some reason the AD administrator changed his OU, and then he was not getting the access he had before. After doing a lot of research I found the OU had changed; then I created a new access rule for the same user, and he started getting access.
Regards,
Soni
Hi Soni,
Because the DN from within the access role cannot be updated automatically. When selecting the user for your access role, the system uses the DN to determine the account to use within the access role. To get around what you are seeing I believe you have 2 options going forward:
Hope this helps.
Regards
Mark
Hello, I strongly recommend you change your access rule to use AD groups...
Hi,
Can you please let me know where to make the group, on AD or on Check Point? In AD we can't make any changes.
In CP you just have to create the AR object and use the group which has been defined in the AD, similar to single users.
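
The stale-DN problem discussed in this thread can be audited offline. The sketch below is an added example, not part of any post here and not Check Point or AD API code: it compares the user DNs stored in access roles against a current AD export and flags entries whose container has changed. The role name, the `Branch_user` OU, the `example.com` domain and the second user are constructed sample data.

```python
# Added example: audits DNs stored in access roles against a current AD export.
# Assumption: a matching leaf RDN (CN=...) under another container means "moved".

def split_dn(dn):
    """Split a DN into RDNs, honouring backslash-escaped commas."""
    parts, buf, escaped = [], [], False
    for ch in dn:
        if ch == "," and not escaped:
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
        escaped = ch == "\\" and not escaped
    parts.append("".join(buf).strip())
    return parts

def normalize(dn):
    """Case-insensitive canonical form: tuple of lowercased RDNs."""
    return tuple(rdn.lower() for rdn in split_dn(dn))

def audit_role_members(role_members, current_dns):
    """Return (role, stored_dn, status, candidates) for every stored DN."""
    current = {normalize(dn): dn for dn in current_dns}
    by_leaf = {}
    for key, dn in current.items():
        by_leaf.setdefault(key[0], []).append(dn)
    findings = []
    for role, dns in role_members.items():
        for stored in dns:
            key = normalize(stored)
            if key in current:
                findings.append((role, stored, "ok", []))
            elif key[0] in by_leaf:
                # Same leaf RDN under a different container: likely moved.
                findings.append((role, stored, "moved", by_leaf[key[0]]))
            else:
                findings.append((role, stored, "missing", []))
    return findings

# Constructed sample data (not taken from a real directory or policy)
ROLE_MEMBERS = {"HO_Access": ["CN=Rao,OU=HO_user,DC=example,DC=com",
                              "CN=Smith\\, J,OU=HO_user,DC=example,DC=com"]}
CURRENT_DNS = ["CN=Rao,OU=Branch_user,DC=example,DC=com",
               "cn=Smith\\, J,ou=HO_user,dc=example,dc=com"]

if __name__ == "__main__":
    for finding in audit_role_members(ROLE_MEMBERS, CURRENT_DNS):
        print(finding)
```

A CN is unique only within its container, so a "moved" result is a candidate to confirm, not proof; a real audit would match on an attribute that survives a move, such as `objectGUID`.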