HP Identity Driven Manager Software Series User Manual
3 Using Identity Driven Manager
Understanding the IDM Configuration Model
As described in the IDM model on page 2-6, everything relates to the top level, or
Domain. Each User in the Domain belongs to an Access Policy Group (APG). The
APG has an Access Policy defined for it that governs the access rights that are applied
to its Users as they enter the network.
The Access Policy is defined using a set of Access Rules. These rules take the following inputs:
• Location (from what location is the user accessing the network)
• Time (at what time is the user accessing the network)
• System (from what system is the user accessing the network)
• Device type group
• Endpoint Integrity
Using these input parameters, IDM evaluates each of the rules. When a matching rule
is found, then the access rights (called an Access Profile) associated with that rule
are applied to the user. The Access Profile defines access provided to the network
once the user is authenticated, including:
• VLAN—what VLANs the user can access
• QoS—Quality of Service, from lowest to highest
• Rate-limits—bandwidth that is available for the user
• Network Resources—resources the user can access, by IP address and/or protocol. These resources must be defined, similarly to the Locations and Times used in the access rules
Thus, based on the rules defined in the APG, the user gets the appropriate level of
access to the network.
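The evaluation described above (Domain, Access Policy Group, ordered Access Rules matched against the session inputs, and the matching rule's Access Profile) can be modelled in a few lines. The following is an added illustration written for this page; it is not HP's code and not the IDM product's API. The domain name, user, locations, profile names, VLAN/QoS/rate-limit values, the 0-7 QoS scale, the "pass"/"fail" integrity states and the first-match, default-profile-on-no-match semantics are all assumptions chosen to make the model concrete.

```python
"""Toy model of the IDM configuration model: Domain -> Access Policy Group
-> ordered Access Rules -> the first matching rule's Access Profile.
Added illustration only; not HP's code and not the real IDM API."""
from dataclasses import dataclass, field
from datetime import time
from typing import Optional


@dataclass(frozen=True)
class AccessProfile:
    """Rights applied once the user is authenticated (a rule's outcome)."""
    name: str
    vlan: int
    qos: int                        # assumed scale: 0 (lowest) .. 7 (highest)
    rate_limit_kbps: Optional[int]  # None = no rate limit
    network_resources: tuple = ()   # names of pre-defined Network Resources


@dataclass(frozen=True)
class Session:
    """The inputs the rules are evaluated against when a user connects."""
    location: str
    when: time
    system: str
    device_group: str
    endpoint_integrity: str         # assumed states: "pass" / "fail" / "unknown"


def in_window(t: time, start: time, end: time) -> bool:
    """Inclusive time window; a window whose end is before its start wraps midnight."""
    if start <= end:
        return start <= t <= end
    return t >= start or t <= end


@dataclass
class AccessRule:
    """One condition per input; None means 'any value' for that input."""
    name: str
    profile: AccessProfile
    locations: Optional[frozenset] = None
    time_window: Optional[tuple] = None      # (start, end) as datetime.time
    systems: Optional[frozenset] = None
    device_groups: Optional[frozenset] = None
    integrity_states: Optional[frozenset] = None

    def matches(self, s: Session) -> bool:
        checks = ((self.locations, s.location), (self.systems, s.system),
                  (self.device_groups, s.device_group),
                  (self.integrity_states, s.endpoint_integrity))
        if any(allowed is not None and value not in allowed for allowed, value in checks):
            return False
        return self.time_window is None or in_window(s.when, *self.time_window)


@dataclass
class AccessPolicyGroup:
    name: str
    rules: list                     # evaluated in order; first match wins
    default_profile: AccessProfile  # applied when no rule matches (assumption)


@dataclass
class Domain:
    name: str
    groups: dict = field(default_factory=dict)      # APG name -> APG
    membership: dict = field(default_factory=dict)  # user -> APG name (one each)

    def evaluate(self, user: str, s: Session) -> AccessProfile:
        if user not in self.membership:
            raise LookupError(f"{user!r} is not a member of any APG in {self.name}")
        apg = self.groups[self.membership[user]]
        for rule in apg.rules:
            if rule.matches(s):
                return rule.profile
        return apg.default_profile


# --- constructed sample configuration (hypothetical names and values) ---
ENG_FULL = AccessProfile("ENG_FULL", vlan=100, qos=5, rate_limit_kbps=None,
                         network_resources=("build-servers", "internet"))
QUARANTINE = AccessProfile("QUARANTINE", vlan=999, qos=0, rate_limit_kbps=512,
                           network_resources=("remediation-server",))
GUEST = AccessProfile("GUEST", vlan=200, qos=1, rate_limit_kbps=2000,
                      network_resources=("internet",))

DOMAIN = Domain("corp.example")
DOMAIN.groups["Engineers"] = AccessPolicyGroup("Engineers", rules=[
    # A failed integrity check wins regardless of where/when, so it is listed first.
    AccessRule("quarantine-failed-hosts", QUARANTINE, integrity_states=frozenset({"fail"})),
    AccessRule("office-hours-at-hq", ENG_FULL, locations=frozenset({"HQ-Floor3"}),
               time_window=(time(8, 0), time(18, 0)), integrity_states=frozenset({"pass"})),
    # Night window that crosses midnight: 22:00 through 06:00 at the data centre.
    AccessRule("night-shift-at-dc", ENG_FULL, locations=frozenset({"DC-Hall"}),
               time_window=(time(22, 0), time(6, 0)), integrity_states=frozenset({"pass"})),
], default_profile=GUEST)
DOMAIN.membership["alice"] = "Engineers"


def decide(user: str, location: str, hour: int, system: str = "laptop-01",
           device_group: str = "corp-laptops", integrity: str = "pass") -> str:
    """Return the name of the Access Profile IDM-style evaluation would apply."""
    session = Session(location, time(hour, 0), system, device_group, integrity)
    return DOMAIN.evaluate(user, session).name


if __name__ == "__main__":
    for args in (("alice", "HQ-Floor3", 10), ("alice", "HQ-Floor3", 22),
                 ("alice", "DC-Hall", 23)):
        print(args, "->", decide(*args))
    print("failed integrity ->", decide("alice", "HQ-Floor3", 10, integrity="fail"))
```

Rule order matters in this model exactly as it does in the text: the first matching rule supplies the profile, so the quarantine rule is placed ahead of the permissive ones, and a session that matches no rule falls through to the group's default profile rather than silently inheriting broad access.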
In summary, for identity driven management, each user in a Domain belongs to one
Access Policy Group. The Access Policy Group defines the rules that are evaluated
to determine the access policies that are applied at the switch when the user connects
to the network.