03-09-2015 08:34 AM
Hello,
I am curious about everyone else's experience with access policies being maintained by groups, and some users belonging to multiple groups and multiple access policies. Example:
John Doe belongs to group1 and group2
Order 1: AccessPolicyA
  Selected groups: group1
  Blocks access to URL xyz.com
Order 2: AccessPolicyB
  Selected groups: group2
  Allows access to URL xyz.com
Will the WSA check all access policies that John Doe authenticates to? Or will it stop and use the first access policy that he hits, in this example AccessPolicyA?
03-09-2015 11:09 AM
Hi Khaim,
WSA uses a top-down concept to evaluate access policies, so if Access Policy A and B belong to the same identity and Access Policy A is listed above Access Policy B, WSA will use Access Policy A to evaluate the request.
Best Regards,
Alessandro
04-16-2015 05:53 AM
This seems like it could become a maintenance nightmare. We have the same issue that Khaim is talking about. How do people get around this? We're currently in the evaluation process and don't want to get into using a product that becomes unmanageable.
Thanks.
04-16-2015 10:46 AM
It is a bit of a hassle, but we had to reorder our access policies thinking in a top down approach as well.
Also you can create AD global security groups specifically for Internet access if you'd like. Prefix it with something that makes sense so they are all together in AD. We use IG- (IG stands for Internet Group). So we have AD groups called IG-RestrictedInternet or IG-SocialMedia.
If you're in Restricted Internet, you're totally restricted except for a few sites we allow. If you're not in a group you have general internet access except for time-wasting stuff like Facebook. If you're in IG-SocialMedia then you have all the general internet access PLUS social media like Facebook, LinkedIn, etc... This is usually given to marketing or HR people.
So while annoying, there are ways to think about how to handle this. I can see your point: say you are a manager of the marketing department. Well, you might be in an AD group for marketing as well as an AD group for management. In this case our Management policy would come above the Marketing policy. So if you're not doing specific groups then you can just order them by employee position hierarchy, with usually management / HR on top.
04-16-2015 11:07 AM
I guess part of my issue is that when you set up the access policies you have to specify actions for each category. If WSA also was additive, that would help. In my case we have users from multiple departments that have access to, say, Facebook, but some of them also may have access to, say, web mail, so if they match the Facebook policy first, 1) the users that also are allowed access to web mail won't have access to web mail because the policy denies it, or 2) everyone that matches this policy will have access because I had to allow access.
I haven't found a way to get around this in the WSA configuration.
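The behaviour described in this thread, modelled as an added example (not Cisco WSA code, and not posted by anyone in the thread): a toy first-match policy evaluator plus a small audit that lists the policies a multi-group user matches but never reaches. Policy, group and category names are constructed for illustration; the "fixed" ordering follows the dedicated IG- group idea suggested above.

```python
"""Toy model of WSA-style top-down (first-match) access policy evaluation.

Added example for this thread, not Cisco WSA code. Group, policy and
category names are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass
class AccessPolicy:
    name: str
    groups: frozenset  # the policy's identity: matching AD groups
    actions: dict      # URL category -> "allow" | "block"


# Catch-all policy used when no group-based policy matches.
GLOBAL_POLICY = AccessPolicy("Global", frozenset(), {"facebook": "block", "webmail": "block"})


def first_match(user_groups, policies):
    """Return the first policy whose groups intersect the user's groups.
    Policies further down are never consulted, even if they also match."""
    for policy in policies:
        if policy.groups & user_groups:
            return policy
    return GLOBAL_POLICY


def decide(user_groups, category, policies):
    """Return (policy name, action) for one request category."""
    policy = first_match(user_groups, policies)
    # A category the matched policy does not configure falls back to the global policy.
    return policy.name, policy.actions.get(category, GLOBAL_POLICY.actions[category])


def shadowed_policies(user_groups, policies):
    """Policies that match the user but are never reached: a cheap audit for
    users in several groups who silently lose the later policies' allows."""
    winner = first_match(user_groups, policies)
    return [p.name for p in policies if p is not winner and p.groups & user_groups]


# Constructed sample: one single-purpose policy per IG- group.
POLICIES = [
    AccessPolicy("SocialMedia", frozenset({"IG-SocialMedia"}), {"facebook": "allow", "webmail": "block"}),
    AccessPolicy("WebMail", frozenset({"IG-WebMail"}), {"facebook": "block", "webmail": "allow"}),
]
# Workaround from the thread: a dedicated group for users who need both,
# with its policy placed above the single-purpose ones.
POLICIES_FIXED = [
    AccessPolicy("SocialMediaAndWebMail", frozenset({"IG-SocialMedia-WebMail"}),
                 {"facebook": "allow", "webmail": "allow"}),
] + POLICIES
```

Running `decide(frozenset({"IG-SocialMedia", "IG-WebMail"}), "webmail", POLICIES)` returns `("SocialMedia", "block")`, which is exactly the loss of web mail described above; `shadowed_policies` on the same user reports `["WebMail"]` as the policy that is matched but never reached.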