This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Nagaraja
Explorer
‎2021-06-14 11:52 AM

Security ID based rules

R81 Enhancement:

  • Security ID (SID) support for Identity Awareness - Move users and groups to different LDAP Organizational Units without the need to modify the Access Role Policy.

We can enable SID on the gateway.

How to use create a policy for this ?

For Example:There are two OU's 'test.abc.com' and 'test1.abc.com'

test.abc.com OU has access to facebook as this is marketing unit.

test1.abc.com has access to financial sites.

User1 belongs to 'test.abc.com' and user2 belongs to 'test1.abc.com'

I have  created the access role for the user1 to allow facebook.

When I user moves from 'test.abc.com' to 'test1.abc.com', how user1 will have access to Financial sites as the access role is still matches to a policy for 'facebook'

Is there anything which I am missing ?

Is there any white paper released for this ?

 

0 Kudos
2 Replies
PhoneBoy
Admin
Admin
‎2021-06-14 12:56 PM

It affects how roles are matched.
If you defined a role based on test.abc.com then rename it to say test2.abc.com, the role will still match because of the SID.
If you move a user to a different group and that’s how you’ve defined the access role (by group), then the user will be associated with the new role(s) the same as before.
@Royi_Priov am I missing something?

0 Kudos
Peter_Thome
Participant
‎2022-02-09 08:57 AM
In response to PhoneBoy

Hello community, Any experience with this LDAP_SID feature in production environments?
The configuration does not look too mature to me. Any plans to implement this more resilient in the Configuration database?

KR, Peter 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events