HP Identity Driven Manager Software Series User Manual, page 65

3 Using Identity Driven Manager

Understanding the IDM Configuration Model

As described in the IDM model on page 2-6, everything hangs off the top level, the
Domain. Each User in the Domain belongs to exactly one Access Policy Group (APG). The
APG has an Access Policy defined for it that governs the access rights applied to its
Users as they enter the network.

The Access Policy is defined using a set of Access Rules. These rules take five inputs:

Location (from where the user is accessing the network)

Time (when the user is accessing the network)

System (from what system the user is accessing the network)

Device type group

Endpoint Integrity

Using these input parameters, IDM evaluates the rules. When a matching rule is found,
the access rights associated with that rule (called an Access Profile) are applied to
the user. The Access Profile defines the access provided to the network once the user
is authenticated, including:

VLAN—what VLANs the user can access

QoS—Quality of Service, from lowest to highest

Rate-limits—bandwidth that is available for the user

Network Resources—resources the user can access, by IP address and/or protocol. These resources must be defined, similarly to the Locations and Times used in the access rules

Thus, based on the rules defined in the APG, the user gets the appropriate level of
access to the network.
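The following toy evaluator models the hierarchy just described (Domain, APG, ordered Access Rules with the five inputs, and the resulting Access Profile) so that the effect of rule content and rule order can be tried on sample connection attempts. It is an added illustration, not HP IDM code. Two behaviours this page does not specify are assumed: rules are evaluated top to bottom with the first match winning, and each APG carries a fallback profile used when no rule matches (a user in no APG gets no profile at all). All profile names, VLAN numbers, addresses and the "proto:cidr:port" resource format are constructed sample values.

```python
"""Toy model of IDM's Domain -> APG -> Access Rules -> Access Profile chain.
Added illustration, not HP code. ASSUMED: first matching rule wins; an APG has a
fallback profile for no match; a user outside every APG gets None (no access)."""
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class AccessProfile:
    """Rights applied after a rule matches: VLAN, QoS, rate limit, network resources."""
    name: str
    vlan: int
    qos: int                          # 0 = lowest .. 7 = highest (assumed scale)
    rate_limit_kbps: Optional[int]    # None = no rate limit
    resources: Tuple[str, ...]        # "proto:cidr:port" entries (assumed format)


def in_window(t: time, start: time, end: time) -> bool:
    """Inclusive time-of-day check; handles windows that cross midnight (22:00-06:00)."""
    if start <= end:
        return start <= t <= end
    return t >= start or t <= end


@dataclass(frozen=True)
class AccessRequest:
    """The inputs available when a user authenticates at a switch."""
    user: str
    switch_ip: str            # Location is taken from the authenticating switch (assumption)
    at: datetime
    system: str
    device_type_group: str
    endpoint_integrity: str   # "pass" or "fail"


@dataclass(frozen=True)
class AccessRule:
    """One Access Rule. A criterion left as None is a wildcard for that input."""
    profile: AccessProfile
    locations: Optional[Tuple[str, ...]] = None          # CIDRs of switch addresses
    time_window: Optional[Tuple[time, time]] = None      # inclusive start, end
    systems: Optional[Tuple[str, ...]] = None
    device_type_groups: Optional[Tuple[str, ...]] = None
    endpoint_integrity: Optional[str] = None

    def matches(self, req: AccessRequest) -> bool:
        if self.locations is not None and not any(
                ip_address(req.switch_ip) in ip_network(c) for c in self.locations):
            return False
        if self.time_window is not None and not in_window(req.at.time(), *self.time_window):
            return False
        if self.systems is not None and req.system not in self.systems:
            return False
        if self.device_type_groups is not None and req.device_type_group not in self.device_type_groups:
            return False
        return self.endpoint_integrity is None or req.endpoint_integrity == self.endpoint_integrity


@dataclass(frozen=True)
class AccessPolicyGroup:
    name: str
    rules: Tuple[AccessRule, ...]   # evaluated in order, first match wins (assumption)
    default: AccessProfile          # applied when no rule matches (assumption)


@dataclass(frozen=True)
class Domain:
    apgs: Dict[str, AccessPolicyGroup]
    membership: Dict[str, str]      # user -> APG name; each user is in exactly one APG


def evaluate(domain: Domain, req: AccessRequest) -> Optional[AccessProfile]:
    """Return the Access Profile that would be applied, or None if the user is in no APG."""
    apg_name = domain.membership.get(req.user)
    if apg_name is None:
        return None
    apg = domain.apgs[apg_name]
    for rule in apg.rules:
        if rule.matches(req):
            return rule.profile
    return apg.default


# --- constructed sample configuration (illustrative values only) ---
FINANCE_FULL = AccessProfile("finance-full", 100, 6, None, ("tcp:10.0.5.0/24:443", "tcp:10.0.5.10/32:1433"))
QUARANTINE = AccessProfile("quarantine", 999, 0, 256, ("tcp:10.0.9.5/32:8443",))  # remediation host only
GUEST = AccessProfile("guest", 50, 1, 2048, ("tcp:0.0.0.0/0:80", "tcp:0.0.0.0/0:443"))

FINANCE = AccessPolicyGroup("Finance", rules=(
    # The integrity-failure rule is placed first so a permissive rule below cannot shadow it.
    AccessRule(QUARANTINE, endpoint_integrity="fail"),
    AccessRule(FINANCE_FULL, locations=("10.1.0.0/16",), time_window=(time(8, 0), time(18, 0)),
               device_type_groups=("corporate-laptop",), endpoint_integrity="pass"),
), default=GUEST)

DOMAIN = Domain(apgs={"Finance": FINANCE}, membership={"alice": "Finance"})


def decide(user: str, switch_ip: str, when: str, system: str, device_group: str, integrity: str) -> Optional[str]:
    """Profile name (or None) for one connection attempt; `when` is an ISO-8601 timestamp."""
    req = AccessRequest(user, switch_ip, datetime.fromisoformat(when), system, device_group, integrity)
    profile = evaluate(DOMAIN, req)
    return profile.name if profile else None


if __name__ == "__main__":
    print(decide("alice", "10.1.2.3", "2024-03-04T10:15:00", "alice-pc", "corporate-laptop", "pass"))  # finance-full
    print(decide("alice", "10.1.2.3", "2024-03-04T22:15:00", "alice-pc", "corporate-laptop", "pass"))  # guest
    print(decide("alice", "10.1.2.3", "2024-03-04T10:15:00", "alice-pc", "corporate-laptop", "fail"))  # quarantine
```

Because the first match wins in this model, rule order is part of the policy: if the `FINANCE_FULL` rule were listed first with `endpoint_integrity` left as a wildcard, a device that failed its integrity check would receive full finance access and never reach the quarantine rule. The same applies to any wildcarded input, so each rule's criteria and its position should be reviewed together.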

In summary, for identity driven management, each user in a Domain belongs to one
Access Policy Group. The Access Policy Group defines the rules that are evaluated
to determine the access policies that are applied at the switch when the user connects
to the network.