AlexandruD
Contributor

multiple access roles

Hello all,

Does the access role mechanism allow the same AD-authenticated user to be part of multiple access roles at the same time?
I would need this functionality, for example, if I wanted to have two inline policy layers, each one matching by source one of two access roles, which are in turn assigned based on AD group membership such as:

CN=group1,CN=Users,DN=domain matched to acces_role_1
CN=group2,CN=Users,DN=domain matched to acces_role_2

These two access role objects might be configured to also include other matching criteria.

As some AD users would be assigned to both AD user groups, they would have access granted through both inline layers, while some, who are part of only one group, would have access through just one. From my tests (R80.40), this is not possible; users are matched to one access role, but perhaps I am missing some setting.


Thank you

0 Kudos
4 Replies
PhoneBoy
Admin

Yes, a user can be associated with one or more Access Roles.
You should see this in the relevant log entry when the user is acquired via IDC or whatever you've configured as your Identity Source (i.e. a "Log In" entry).  
What Access Role will apply will ultimately depend on the configured Access Policy.

0 Kudos
AlexandruD
Contributor

Yes, I noticed from further testing that a user can have multiple access roles, but a connection generated by that user will match only the first inline layer within the access policy that has one of those access roles set as a possible source, not any other inline layers that are defined lower within the access policy and that match as source other access roles of the user.

The solution is to have a single inline layer for all access roles that users can have, and then differentiate access in rules per access roles within the same inline layer.

0 Kudos
PhoneBoy
Admin

While the rulebase matching logic changed in R8x, the fundamental rule of "first rule that matches" still applies.
Which means if a user has access roles A and B and a rule involving only access role A is listed first in the Access Policy, that is the rule that will ultimately apply.

0 Kudos
the_rock
Legend

Phoneboy is right, as always. Access roles would not change how the layer gets "hit". As it goes from top to bottom, left to right, if you have only one ordered layer and then inline layers inside of it, whatever layer gets hit, it will look for any child rule below that inline layer and, once hit, then won't go any further. Now, IF it hits a specific inline layer but does not hit any "child" rules, it would drop it on the explicit clean up rule (bottom of that layer).

Andy

0 Kudos
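As an added illustration (not code from the thread, and not Check Point's implementation), here is a toy first-match evaluator that models the behaviour described above: entering an inline layer is final, a child miss ends on that layer's cleanup rule, and a single inline layer with per-role child rules avoids the problem. The rule model, host names (srvA, srvB) and the two policy layouts are assumptions; the role object names are taken from the question.

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Union

@dataclass
class Layer:
    name: str
    rules: List["Rule"]
    cleanup: str = "drop"  # implicit cleanup rule at the bottom of every layer

@dataclass
class Rule:
    name: str
    sources: Optional[Set[str]]  # access roles matched as source; None = Any
    dests: Optional[Set[str]]    # destination hosts; None = Any
    action: Union[str, Layer]    # "accept", "drop", or an inline layer

def evaluate(layer: Layer, roles: Set[str], dest: str):
    """Top-to-bottom first match (simplified model). Entering an inline layer
    is final: the parent's lower rules are never consulted, and a child miss
    ends on the inline layer's own cleanup rule."""
    for rule in layer.rules:
        if (rule.sources is None or rule.sources & roles) and \
           (rule.dests is None or dest in rule.dests):
            if isinstance(rule.action, Layer):
                decision, path = evaluate(rule.action, roles, dest)
                return decision, [rule.name] + path
            return rule.action, [rule.name]
    return layer.cleanup, [f"{layer.name}:cleanup"]

R1, R2 = "acces_role_1", "acces_role_2"  # role object names from the thread

# Design 1 (the original question): one inline layer per access role.
two_layers = Layer("ordered", [
    Rule("role1_layer", {R1}, None,
         Layer("inline_1", [Rule("r1_srvA", None, {"srvA"}, "accept")])),
    Rule("role2_layer", {R2}, None,
         Layer("inline_2", [Rule("r2_srvB", None, {"srvB"}, "accept")])),
])

# Design 2 (the fix): one inline layer for all roles, split by child rules.
one_layer = Layer("ordered", [
    Rule("users_layer", {R1, R2}, None, Layer("inline_all", [
        Rule("r1_srvA", {R1}, {"srvA"}, "accept"),
        Rule("r2_srvB", {R2}, {"srvB"}, "accept"),
    ])),
])

if __name__ == "__main__":
    both = {R1, R2}  # a user who is a member of both AD groups
    print(evaluate(two_layers, both, "srvB"))  # ('drop', ['role1_layer', 'inline_1:cleanup'])
    print(evaluate(one_layer, both, "srvB"))   # ('accept', ['users_layer', 'r2_srvB'])
    print(evaluate(one_layer, {R1}, "srvB"))   # ('drop', ['users_layer', 'inline_all:cleanup'])
```

The returned path shows where the connection ended, which is the same information the log entry's matched rule/layer fields give you when troubleshooting this on a real gateway.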
