Internal Users in Multiple Identity Groups?

bnidacoc
Level 1

In order to develop precise and flexible access control policies, I want to create policy based on group membership. However, the user’s “Identity Groups” selection dialogue box only lets me select just one group per user.

How can a user be a member of multiple ACS (version 5.2) Identity Groups?

3 Replies

jrabinow
Level 7

Group membership allows for classification of users and then definition of policies based on this classification.

In ACS 5.2 you can assign each user to an identity group. In addition, you can define additional user attributes that can then be given values for each user. These can similarly be used to classify users and define policies based on these values. Maybe these can help provide the solution for the use cases you are looking for.

"you can define additional user attributes that can be then be defined values for each user. These can be similarly used to classify users and define policies based on these values"

What are you referring to? 

We have different sets of Network Device Groups (i.e. firewalls, routers, switches). We want certain internal users to have varying degrees of access to these device types. Some users would have only non-enable access to switches. Some have non-enable access to both switches and routers, but no firewall access whatsoever. Some have enable access to switches, RO to routers, and no access to firewalls. Some users would need enable access to routers and switches, but non-enable access to firewalls. Firewall auditors have access to only firewalls. The complication is where the user would have different roles from the other users. Not everyone in our organization is supposed to be an admin on every device type, but might need read-only access to other types of devices.

This could be so simple and easy to configure if ACS would allow users to be members of multiple groups. The concept of users being members of multiple groups within access control systems in IT infrastructures has been around for about four decades now; why not in ACS?

You can go to the following link to add user attributes:

System Administration > Configuration > Dictionaries > Identity > Internal Users

Select "Add Policy Condition" to define a condition name that can be used in a policy.

Once these attributes have been defined, a value can be set for each user and conditions can then be created based on those values.
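The following is an added example, not part of the thread and not ACS configuration. It models the approach in the reply above in Python: each user keeps the single Identity Group ACS 5.2 allows, and custom Internal User attributes carry the per-device-type role that multiple group memberships would otherwise express. The attribute names (SwitchAccess, RouterAccess, FirewallAccess), the Network Device Group names, the users and the privilege-level mapping are all assumptions made up for illustration. Anything not matched by a rule falls through to deny, the way a default DenyAccess rule at the bottom of an authorization policy would.

```python
from typing import Dict, Optional

# Constructed sample users. Each has exactly one Identity Group (the ACS 5.2
# limit the question is about) plus three custom Internal User attributes that
# carry the per-device-type role. Names and values are assumptions.
USERS: Dict[str, Dict[str, str]] = {
    "alice": {"IdentityGroup": "NetOps", "SwitchAccess": "enable",
              "RouterAccess": "enable", "FirewallAccess": "ro"},
    "bob":   {"IdentityGroup": "NetOps", "SwitchAccess": "enable",
              "RouterAccess": "ro", "FirewallAccess": "none"},
    "carol": {"IdentityGroup": "Helpdesk", "SwitchAccess": "ro",
              "RouterAccess": "ro", "FirewallAccess": "none"},
    "dave":  {"IdentityGroup": "FirewallAudit", "SwitchAccess": "none",
              "RouterAccess": "none", "FirewallAccess": "ro"},
}

# Which user attribute governs which Network Device Group (device type).
# In ACS this is the NDG:DeviceType condition paired with the attribute
# condition in each authorization rule.
NDG_TO_ATTRIBUTE: Dict[str, str] = {
    "Switches": "SwitchAccess",
    "Routers": "RouterAccess",
    "Firewalls": "FirewallAccess",
}

# Shell profiles expressed as TACACS+ privilege levels: "enable" maps to
# level 15, read-only to level 1. Any other value falls through to deny.
SHELL_PROFILES: Dict[str, int] = {"enable": 15, "ro": 1}


def authorize(username: str, device_group: str) -> Optional[int]:
    """Evaluate the policy for one login attempt.

    Returns the privilege level to grant, or None for DenyAccess. Unknown
    users, unknown device groups and missing or unexpected attribute values
    all return None, so the failure mode is deny rather than over-grant.
    """
    user = USERS.get(username)
    attribute = NDG_TO_ATTRIBUTE.get(device_group)
    if user is None or attribute is None:
        return None
    level = user.get(attribute, "none")
    return SHELL_PROFILES.get(level)


def role_matrix() -> Dict[str, Dict[str, Optional[int]]]:
    """Expand the policy into a user x device-type table for review.

    Checking this table is the quickest way to confirm the attribute values
    produce the intended least-privilege matrix before devices use the server.
    """
    return {user: {ndg: authorize(user, ndg) for ndg in NDG_TO_ATTRIBUTE}
            for user in USERS}


if __name__ == "__main__":
    for user, row in role_matrix().items():
        shown = {ndg: ("deny" if lvl is None else f"priv{lvl}")
                 for ndg, lvl in row.items()}
        print(f"{user:6s} {shown}")
```

The pattern to carry back into ACS is one attribute per device type, with an authorization rule per (device type, attribute value) pair selecting the shell profile, and the default rule left at DenyAccess so that a user with a missing or misspelled attribute value gets nothing rather than the wrong thing.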
