
HP Identity Driven Manager Software Series User Manual


Using Identity Driven Manager
Defining Access Policy Groups

6. Repeat the process for each rule you want to apply to the APG.

7. The Access rules are evaluated in the order (priority) they are listed in the
Access Rules table. Use the Move Up or Move Down buttons to arrange the
rules in the order you want them to be evaluated. IDM checks each rule
in the list until a match on all input parameters is found, then applies the
corresponding access profile to the user.

For example, if you want to allow a user to log in from any system during
the work week (Mon. - Fri.), but you want to deny access to users on the
weekend, you would:

Create a Time for the weekend.

Create an Access Profile to be applied during weekdays, "Default".

Define two rules for the APG, similar to the following:

Location    Time       System    Access Profile
ANY         weekend    ANY       REJECT
ANY         weekday    ANY       Default

When the user is authenticated, IDM checks the Access Policies in the
order listed. If it is Saturday or Sunday, the user’s access is denied. On any
other day, the user is allowed on the network. If the order were reversed,
IDM would never read the second rule because the first rule would provide
a match every day of the week.

8. Click OK to save the Access Policy Group and close the window.

Location

Lists the Locations you created by name, and the "ANY" option.
If you select ANY and the access profile for the rule points to a
VLAN, ensure that the VLAN is configured on every switch to
which users in this access policy group will be connecting.

Time

Lists the Times you created by name, and the ANY option.

System

Systems from which the user can log in.

ANY allows the user to log in on any system.
OWN restricts users to systems defined for that user. See
“Configuring User Systems” on page 3-54 for details.

WLANS

Lists the WLANs in the network, and an "ANY" option. Note that
this works only if ProCurve Mobility Manager is installed and the
Enhanced Wireless Support option is selected in the
Preferences for Identity Management.

Access Profile

Lists the Access Profiles you created by name, the Default
Access Profile, and a REJECT option. Select REJECT if the rule
will prohibit a user from logging in.
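
The first-match evaluation described in step 7 can be modeled to check a rule order before relying on it. The following is an added example, not code from IDM or from this manual; the Time definitions, the location and system names, and the catch-all rule variant are assumptions constructed to reproduce the case where a reordered list never reaches the REJECT rule.

```python
from typing import NamedTuple, Optional

ANY = "ANY"
# Constructed Time definitions: name -> days of week (0 = Monday ... 6 = Sunday).
TIMES = {"weekend": {5, 6}, "weekday": {0, 1, 2, 3, 4}}

class Rule(NamedTuple):
    location: str
    time: str
    system: str
    profile: str  # access profile name, or "REJECT"

def matches(rule: Rule, location: str, day: int, system: str) -> bool:
    """A rule matches only when every input parameter matches."""
    return (rule.location in (ANY, location)
            and (rule.time == ANY or day in TIMES[rule.time])
            and rule.system in (ANY, system))

def evaluate(rules, location, day, system) -> Optional[str]:
    """Profile of the first matching rule. None means no rule matched;
    what IDM does in that case is not modeled here."""
    for rule in rules:
        if matches(rule, location, day, system):
            return rule.profile
    return None

def shadowed(rules):
    """Indexes of rules that can never be reached because an earlier rule is
    ANY or identical in every input field. Compares names only, so it can
    miss overlaps between differently named Times."""
    hits = []
    for i, rule in enumerate(rules):
        if any(all(e in (ANY, r) for e, r in zip(earlier[:3], rule[:3]))
               for earlier in rules[:i]):
            hits.append(i)
    return hits

# The two rules from the example table, in the documented order.
DOCUMENTED = [Rule(ANY, "weekend", ANY, "REJECT"),
              Rule(ANY, "weekday", ANY, "Default")]
# Assumed variant: a catch-all permit rule listed ahead of the weekend REJECT.
CATCH_ALL_FIRST = [Rule(ANY, ANY, ANY, "Default"),
                   Rule(ANY, "weekend", ANY, "REJECT")]

if __name__ == "__main__":
    for day in (2, 5):  # Wednesday, Saturday
        print(day, evaluate(DOCUMENTED, "lobby", day, "laptop-1"),
              evaluate(CATCH_ALL_FIRST, "lobby", day, "laptop-1"))
    print("unreachable rules:", shadowed(CATCH_ALL_FIRST))
```

With the catch-all rule first, a Saturday login receives the Default profile and the REJECT rule is reported as unreachable, which is the ordering mistake the example in step 7 warns about.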
