Follow

Configure Endpoint Advanced Access Policy on Switchboard

Applies to Platform: UTM 5.1

Background

This article illustrates how to configure the Endpoint advanced access policy on the switchboard module.

The access policy is an optional configuration that allows to set specific customs views on the endpoint's application for every user in the system.

Requisites

  • Switchboard module installed and configured with the last version of Endian OS or having an account on Connect Switchboard cloud
  • at least one Gateway with one Endpoint
  • at least one user with "Manage Device" permission

Warning!

In case the Advanced Access Policies are used for at leas one user, must be used for all the user that can access to the gateway. All of them must be configured. At the moment the user/device groups are not supported in the access policies rules, so the rules must specify the users.

Configuration

Considering a Switchboard with the following configuration:

  • a Gateway called gateway-milano-01
    • three Endpoints called linux, web_portal, windows
  • five user that have access to the gateway and the endpoints

Screenshot_at_2018-11-06_09-37-05.png

Go in the switchboard Device page and edit the Gateway by clicking on the pencil icon ().

Screenshot_at_2018-11-06_09-38-29.png

Navigate to the Permissions tab and set the user you want to allow to use the endpoint application as "regular user" or "manager" of the Gateway.

After that we can now specify the access policies in the text box called Policies below.

Warning!

Policies are not applied to those users that have Superuser permission

The policies rules are text strings having a syntax that imitates the one used by SQL query. The syntax is:

ALLOW/DENY <<application_name>> ON <<endpoint_name>> TO <<user_name>>

The wildcard * is accepted in any position and will indicate any (application, endpoint, user).

The order of the rules will determinate the priority, the first rule matched will be the one to be executed. If no rule is matched the default rule will be
ALLOW *

Everything will be accepted.

In case we want to have full control on the application access for each endpoint the best practice is to set the last rule with
DENY
This will block all the access between application, endpoint, user not directly specify from the policies.

ALLOW 'Secure Shell' ON linux TO bob@acme.com
DENY * ON windows TO alice@acme.com
ALLOW * TO alice@acme.com
ALLOW * ON * TO jon.doe@acme.com
ALLOW 'VNC Remote Desktop' TO eve@acme.com
DENY

Screenshot_at_2018-11-06_09-49-42.png

This configuration will allow the following visibility of endpoint and application:

User bob@acme.com will be able to see only the Secure Shell application linux endpoint.

User alice@acme.com will be able to see all applications on any endpoints except the ones on windows endpoint.

User eve@acme.com will be able to see only "VNC Remote Desktop" application on all endpoints but since this Application is available only on the windows endpoint that will be the only application available. In case more endpoints with "VNC Remote Desktop" will be added in future, this user will be automatically able to see them all.

User moon@acme.com will not be able to see any application on any endpoint.

User jon.doe@acme.com will be able to see every application on every endpoints.

 

Note

In case the Organizations are in use on the Switchboard will be necessary to specify it in the application name only, separating it by /
e.g.
ALLOW 'Secure Shell/Organization_NAME' ON Linux-server TO bob@acme.com
Have more questions? Submit a request

Comments