This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
AlexandruD
Contributor
‎2023-05-23 01:22 AM

multiple acces roles

Hello all,

Does the acces role mechanism allow for the same AD authenticated user to be part of multiple access roles at the same time?
I would need this functionality, for example, if I would like to have two inline policy layers, each one matching by source one acces role of two, which are in turn, assigned based on AD group memebership such as:

CN=group1,CN=Users,DN=domain matched to acces_role_1
CN=group2,CN=Users,DN=domain matched to acces_role_2

These two acces roles objects might be configured to also include other matching criteria.

As some AD users would be assigned to both AD user groups, they will have access granted through both inline layers, while some, that are part of only one group, would have acces through just one. From my tests (R80.40), this is not possible, users are matched to one acces role, but perhaps I am missing some setting.

 

Thank you

0 Kudos
4 Replies
PhoneBoy
Admin
Admin
‎2023-05-23 11:57 AM

Yes, a user can be associated with one or more Access Roles.
You should see this in the relevant log entry when the user is acquired via IDC or whatever you've configured as your Identity Source (i.e. a "Log In" entry).  
What Access Role will apply will ultimately depend on the configured Access Policy.

0 Kudos
AlexandruD
Contributor
‎2023-06-07 05:37 AM
In response to PhoneBoy

Yes, I noticed from further testing that a user can have multiple acces roles, but a connection generated by that user will match only the first inline layer within the access policy, having one of those access roles set as a possible source, not any other inline layers that are defined lower within the access policy and that match as source other access roles of the user.

The solution is to have a single inline layer for all access roles that users can have, and then differentiate access in rules per access roles within the same inline layer.

0 Kudos
PhoneBoy
Admin
Admin
‎2023-06-07 09:10 AM
In response to AlexandruD

While the rulebase matching logic changed in R8x, the fundamental rule of "first rule that matches" still applies.
Which means if a user has access roles A and B and a rule involving only access role A is listed first in the Access Policy, that is the rule that will ultimately apply.

0 Kudos
the_rock
Legend
Legend
‎2023-06-07 09:28 AM
In response to AlexandruD

Phoneboy is right, as always. Access roles would not change how the layer gets "hit". As it goes from top to bottom, left to right, if you have only one ordered layer, than inline layers inside of it, whatever layer gets hit, it will look for any child rule below that inline layer and once hit, then wont go any further. Now, IF, it hits specific inline layer, but does not hit any "child" rules, it would drop it on explicit clean up rule (bottom of that layer)

Andy

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events