Idm configuration model, Configuration process review, Configuration process review -2 – HP Identity Driven Manager Software Series User Manual
Using Identity Driven Manager
IDM Configuration Model
As described in the IDM model on page 2-5, everything relates to the top level,
or Realm. Each User in the Realm belongs to an Access Policy Group (APG).
The APG has an Access Policy defined for it that governs the access rights that
are applied to its Users as they enter the network.
The Access Policy is defined using a set of Access Rules. These rules take four
inputs:
• Location (where is the user accessing the network from?)
• Time (what time is the user accessing the network?)
• System (from what system is the user accessing the network?)
Using these input parameters, IDM evaluates each of the rules. When a
matching rule is found, the access rights (called an Access Profile)
associated with that rule are applied to the user. The Access Profile defines
the access provided to the network once the user is authenticated, including:
• VLAN—what VLANs the user can access.
• QoS—"Quality of Service," from lowest to highest.
• Rate-limits—bandwidth that is available to the user.
• Network Resources—resources the user can access, by IP address
and/or protocol. These resources must be defined, similarly to the
Locations and Times used in the access rules.
Thus, based on the rules defined in the APG, the user gets the appropriate level
of access to the network.
In summary, for identity driven management each user in a Realm belongs to
one Access Policy Group. The Access Policy Group defines the rules that are
evaluated to determine the access policies that are applied at the switch when
the user connects to the network.
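The rule evaluation described above, as an added Python model that is not code from the HP manual or from IDM itself: an Access Policy Group holds ordered access rules, each rule is checked against the three inputs (location, time, system), the first matching rule's Access Profile (VLAN, QoS, rate limit, network resources) is applied, and an explicit default profile covers the case where no rule matches. The APG name, rule names, VLAN numbers, time window, resource strings and the shadowed_rules() check are assumptions constructed for this illustration; IDM's own ordering and no-match behaviour are whatever the product implements, not what this model assumes.

```python
# Toy model of IDM-style access-rule evaluation (constructed illustration, not HP IDM code).
from dataclasses import dataclass
from datetime import datetime, time
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class AccessProfile:
    """What a matched rule grants: VLAN, QoS level, rate limit and reachable resources."""
    vlan: int
    qos: int                          # assumed scale: 0 (lowest) .. 7 (highest)
    rate_limit_kbps: Optional[int]    # None = no rate limit
    resources: FrozenSet[str]         # "ip-or-subnet:proto" strings; empty = nothing reachable


@dataclass(frozen=True)
class TimeWindow:
    """An IDM-style 'time': allowed weekdays (0=Mon .. 6=Sun) and a daily [start, end) span."""
    days: FrozenSet[int]
    start: time
    end: time

    def contains(self, when: datetime) -> bool:
        return when.weekday() in self.days and self.start <= when.time() < self.end


@dataclass(frozen=True)
class AccessRule:
    """One access rule; a matcher of None means 'any'."""
    name: str
    locations: Optional[FrozenSet[str]]
    window: Optional[TimeWindow]
    systems: Optional[FrozenSet[str]]
    profile: AccessProfile

    def matches(self, location: str, when: datetime, system: str) -> bool:
        return ((self.locations is None or location in self.locations)
                and (self.window is None or self.window.contains(when))
                and (self.systems is None or system in self.systems))

    def is_catch_all(self) -> bool:
        return self.locations is None and self.window is None and self.systems is None


@dataclass
class AccessPolicyGroup:
    """Ordered rules plus the profile applied when no rule matches (assumed default-restrict)."""
    name: str
    rules: List[AccessRule]
    default: AccessProfile

    def evaluate(self, location: str, when: datetime, system: str) -> Tuple[str, AccessProfile]:
        """First-match evaluation: the first rule whose matchers all hold decides the profile."""
        for rule in self.rules:
            if rule.matches(location, when, system):
                return rule.name, rule.profile
        return "default", self.default

    def shadowed_rules(self) -> List[str]:
        """Names of rules that can never fire because an earlier catch-all rule matches everything."""
        for i, rule in enumerate(self.rules):
            if rule.is_catch_all():
                return [r.name for r in self.rules[i + 1:]]
        return []


def decide(apg: AccessPolicyGroup, location: str, when_iso: str, system: str) -> Tuple[str, AccessProfile]:
    """Convenience wrapper taking the connection time as an ISO-8601 string."""
    return apg.evaluate(location, datetime.fromisoformat(when_iso), system)


# --- constructed sample policy for a hypothetical "Finance" APG ---
OFFICE_HOURS = TimeWindow(days=frozenset(range(0, 5)), start=time(8, 0), end=time(18, 0))

FINANCE_ON_SITE = AccessRule(
    name="finance-office-hours",
    locations=frozenset({"finance-floor"}), window=OFFICE_HOURS,
    systems=frozenset({"corp-laptop"}),
    profile=AccessProfile(vlan=20, qos=6, rate_limit_kbps=None,
                          resources=frozenset({"10.1.20.0/24:any", "10.1.50.10:tcp/443"})),
)
FINANCE_ANY_LOCATION = AccessRule(
    name="finance-any-location",
    locations=None, window=None, systems=frozenset({"corp-laptop"}),
    profile=AccessProfile(vlan=30, qos=3, rate_limit_kbps=2000,
                          resources=frozenset({"10.1.50.10:tcp/443"})),
)
# Fallback keeps unmatched users (unknown systems, unknown locations) on a restricted VLAN.
DEFAULT_PROFILE = AccessProfile(vlan=99, qos=0, rate_limit_kbps=512, resources=frozenset())

FINANCE_APG = AccessPolicyGroup("Finance", [FINANCE_ON_SITE, FINANCE_ANY_LOCATION], DEFAULT_PROFILE)


if __name__ == "__main__":
    # Constructed connection attempts: 2024-01-09 is a Tuesday.
    for loc, when, sysname in [("finance-floor", "2024-01-09T10:00", "corp-laptop"),
                               ("finance-floor", "2024-01-09T22:00", "corp-laptop"),
                               ("lobby", "2024-01-09T10:00", "byod-phone")]:
        rule, prof = decide(FINANCE_APG, loc, when, sysname)
        print(f"{loc:14} {when} {sysname:12} -> {rule} (VLAN {prof.vlan})")
    print("shadowed rules:", FINANCE_APG.shadowed_rules())
```

Rule order matters in a first-match model: the broad finance-any-location rule is listed after the narrower on-site rule so the latter can still fire, and shadowed_rules() flags the mistake of placing a rule with no matchers at all ahead of more specific ones.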
Configuration Process Review
Assuming that you opted to let IDM run long enough to discover the Realm,
users, and RADIUS server, your configuration process will be:
1. Define "locations" (optional) from which users access the network. The
location may relate to port-based VLANs, or to all ports on a switch.
2. Define "times" (optional) at which users will be allowed or denied access.
This can be by day, week or even hour.