beautypg.com

HP Identity Driven Manager Software Series User Manual

Page 108

background image

3-44

Using Identity Driven Manager
Defining Access Policy Groups

Parameters for Access Rules are described in the following table.

6. Repeat the above process for each rule you want to apply to the APG.

7. The Access rules are evaluated in the order (priority) they are listed in the Access

Rules table. Use Move Up or Move Down to arrange the rules in the order you
want them to be evaluated. IDM checks each rule in the list until a match on all
input parameters is found, then applies the corresponding access profile to the
user.

For example, if you want to allow a user to login in from any system during the
work week (Mon. - Fri.), but you want to deny access to users on the weekend,
you would:

Create a Time for the weekend,

Create an Access Profile to be applied during weekdays, "Default"

Define two rules for the APG, similar to the following:

Location Time System

Access Profile

ANY

weekend

ANY REJECT

ANY

weekday

ANY

Default

When the user is authenticated, IDM checks the Access Policies in the order listed.
If it is Saturday or Sunday, the user’s access is denied. On any other day, the user
is allowed on the network. If the order were reversed, IDM would never read the
second rule because the first rule would provide a match every day of the week.

Table 3-8.

Access Rule parameters

Field/Section

Lists...

Location

Locations you created by name, and the ANY option.
If you select ANY and the access profile for the rule points to a VLAN,
ensure that the VLAN is configured on every switch to which users in
this access policy group will be connecting.

Time

Times you created by name, and the ANY option.

System

Systems from which the user can log in.
ANY allows user to login in on any system.
OWN restricts users to systems defined for that user. See

“Configuring User Systems” on page

3-77 for details.

WLAN

WLANs in the network, and an ANY option. If PCM Mobility Manager
is not installed the list is empty, but you can type in the WLAN.

Device Type Group

You can select Device Type Group from

Device Type Group

field. The

default is ANY option.

End Point Integrity

If selected in IDM Preferences, information described in “Using IDM
with Endpoint Integrity Systems” on page

3-45.

Access Profile

Access Profiles you created by name, the Default Access Profile, and
a REJECT option. Select REJECT if the rule will prohibit a user from
logging in.

See also other documents in the category HP Software: