One undocumented feature of CloudAccess is support for dynamic groups in policy management. This gives the administrator the ability to map policies to essentially any LDAP query. In this example, we will configure a dynamic group and use it to restrict an AppMark to employees located in India.

Creating the dynamic group

Creating dynamic group objects in eDirectory is fairly straightforward. Log into iManager and use the group menu to create a new group. Make sure to use a context in which you are authorized to create and modify objects. One way to do this is to create a new context for CloudAccess groups and give the CloudAccess administrator ownership of the group. Enable the dynamic group option and disable all other options in the group creation dialog.

Once the group is created, modify it to include your search filter. After you apply the settings, you should be able to see the members of the group.

Dynamic Group Configuration

Note for Active Directory: while AD does not inherently support dynamic security groups, it is possible to achieve a similar effect through the dsquery and dsmod commands. More information on this can be found at http://social.technet.microsoft.com/Forums/windowsserver/en-US/ea39e821-50ba-494e-b608-df879a0e28ca/access-permission-ad-sites-level?forum=winserverDS.

Mapping the policy

Aside from possibly adding a new search context, the policy mapping works just as it does with static groups. In our example, we took the India Payroll AppMark and unchecked the public option. After applying the change, we mapped the AppMark to the newly created dynamic group. From this point on, the AppMark is only visible to employees located in India.

CloudAccess will query this group for changes every minute, so changes in the group will quickly be reflected in the policy.
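To make concrete what the dynamic group and the policy mapping above actually evaluate, here is a small offline model, added for this write-up and not code from the original post or from NetIQ. It assumes the eDirectory convention of storing the group's query as an LDAP URL in the memberQueryURL attribute, and it assumes a constructed directory in which the "India" location is the co (country) attribute. The filter parser only handles AND, OR, NOT, equality and presence items, which is enough for a location-based group; substring and extensible matching are not implemented.

```python
"""Offline model of an eDirectory dynamic group plus a CloudAccess-style AppMark check.

Added example: the directory entries, group name, policy table and attribute choice (co=India)
are constructed for illustration; memberQueryURL is eDirectory's attribute name for the
dynamic-group query and is not mentioned in the original post.
"""
from urllib.parse import unquote

# Constructed sample directory, keyed by DN (lower-cased for simple comparison).
DIRECTORY = {
    "cn=asha,ou=users,o=corp": {"cn": ["asha"], "co": ["India"], "objectClass": ["inetOrgPerson"]},
    "cn=bob,ou=users,o=corp": {"cn": ["bob"], "co": ["United States"], "objectClass": ["inetOrgPerson"]},
    "cn=chen,ou=users,o=corp": {"cn": ["chen"], "co": ["India"], "objectClass": ["inetOrgPerson"],
                                "employeeStatus": ["terminated"]},
    # A non-person object in another container: must not become a member via the sub-scope search.
    "cn=svc-backup,ou=services,o=corp": {"cn": ["svc-backup"], "co": ["India"], "objectClass": ["device"]},
}

# Constructed dynamic group: hypothetical "co-India" group with a memberQueryURL value.
GROUPS = {
    "cn=co-india,ou=groups,o=corp":
        "ldap:///ou=users,o=corp??sub?(&(objectClass=inetOrgPerson)(co=India)(!(employeeStatus=terminated)))",
}

# Constructed policy table: AppMark name -> set of group DNs allowed to see it; None means public.
POLICY = {"India Payroll": {"cn=co-india,ou=groups,o=corp"}, "Company News": None}


def parse_member_query_url(url):
    """Split an LDAP URL of the form ldap:///<base>?<attrs>?<scope>?<filter> into (base, scope, filter)."""
    if not url.startswith("ldap:///"):
        raise ValueError("expected an ldap:/// URL")
    parts = url[len("ldap:///"):].split("?")
    parts += [""] * (4 - len(parts))          # missing components default per RFC 4516
    base, _attrs, scope, flt = parts[:4]
    return unquote(base).lower(), (scope or "base").lower(), unquote(flt) or "(objectClass=*)"


def parse_filter(text):
    """Parse a minimal RFC 4515 filter into a tree of ('&'|'|'|'!', children) or ('=', (attr, value))."""
    node, rest = _parse(text.strip())
    if rest:
        raise ValueError("trailing data after filter: %r" % rest)
    return node


def _parse(s):
    if not s.startswith("("):
        raise ValueError("filter item must start with '('")
    s = s[1:]
    if not s:
        raise ValueError("unterminated filter")
    if s[0] in "&|":
        op, s, children = s[0], s[1:], []
        while s.startswith("("):
            child, s = _parse(s)
            children.append(child)
        if not s.startswith(")"):
            raise ValueError("unbalanced filter")
        return (op, children), s[1:]
    if s[0] == "!":
        child, s = _parse(s[1:])
        if not s.startswith(")"):
            raise ValueError("unbalanced filter")
        return ("!", [child]), s[1:]
    end = s.index(")")
    attr, sep, value = s[:end].partition("=")
    if not sep:
        raise ValueError("unsupported filter item: %r" % s[:end])
    return ("=", (attr.strip().lower(), value)), s[end + 1:]


def matches(node, entry):
    """Evaluate a parsed filter against one entry (attribute names case-insensitive, '*' = presence)."""
    kind, payload = node
    if kind == "&":
        return all(matches(c, entry) for c in payload)
    if kind == "|":
        return any(matches(c, entry) for c in payload)
    if kind == "!":
        return not matches(payload[0], entry)
    attr, value = payload
    values = [v.lower() for k, vs in entry.items() if k.lower() == attr for v in vs]
    return bool(values) if value == "*" else value.lower() in values


def in_scope(dn, base, scope):
    """Apply the LDAP URL scope (base/one/sub) to a DN; DN normalisation is deliberately naive here."""
    dn = dn.lower()
    if scope == "base":
        return dn == base
    if scope == "one":
        return dn.endswith("," + base) and "," not in dn[:-len(base) - 1]
    return dn == base or dn.endswith("," + base)


def dynamic_members(member_query_url, directory=DIRECTORY):
    """Return the sorted DNs that the dynamic group's query would resolve to right now."""
    base, scope, flt = parse_member_query_url(member_query_url)
    node = parse_filter(flt)
    return sorted(dn.lower() for dn, entry in directory.items()
                  if in_scope(dn, base, scope) and matches(node, entry))


def can_see_appmark(user_dn, appmark, policy=POLICY, groups=GROUPS, directory=DIRECTORY):
    """Model the non-public AppMark check: visible only to members of a mapped group."""
    allowed = policy[appmark]
    if allowed is None:                        # the "public" option is still checked
        return True
    return any(user_dn.lower() in dynamic_members(groups[g], directory) for g in allowed)


if __name__ == "__main__":
    for group_dn, url in GROUPS.items():
        print(group_dn, "->", dynamic_members(url))
    for dn in DIRECTORY:
        print(dn, "sees India Payroll:", can_see_appmark(dn, "India Payroll"))
```

The filter on the constructed group is deliberately stricter than a bare (co=India): restricting objectClass and excluding terminated accounts shows why the search filter, not just the base container, is what ultimately bounds who receives the AppMark. Because CloudAccess re-evaluates the group every minute, a change to any attribute the filter references (here co or employeeStatus) propagates into the policy without anyone editing the group itself, which is worth keeping in mind when deciding who may write those attributes.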

Mapping the India Payroll AppMark to the “co-India” Dynamic Group

Viewing the Configured Policy Mapping


Disclaimer: As with everything else at NetIQ Cool Solutions, this content is definitely not supported by NetIQ, so Customer Support will not be able to help you if it has any adverse effect on your environment. It just worked for at least one person, and perhaps it will be useful for you too. Be sure to test in a non-production environment.

Matthew Ehle, Mar 14, 2014, 11:45 am