Groups
Groups can be used for auto-provisioning and for authorization (RADIUS attributes or pre-authentication rules).
Groups are attributes that can be attached to a UserID and used for authorization during the authentication process. Group attributes provide a way to distinguish between valid users (all users that can authenticate) and those that should be allowed to authenticate to gain access to a particular resource.
For example, assume you have two valid users, User1 and User2, who can both authenticate. However, one of your protected resources is the HR network, which should be available to only User1. By creating an HR group, adding User1 to the HR group, and then creating a firewall rule or a pre-authentication rule in the virtual server, only User1 can authenticate to the HR network. To accommodate more complex requirements, use a combination of group memberships and pre-authentication rules.
The Groups tab provides access to functions that enable you to:
- Create and Manage Groups (Group Maintenance module)
- Manage User Group Memberships (Group Membership module)
- Apply RADIUS Attributes to Groups (RADIUS Attribute (Group) module)
- Create and Manage Containers (Container Maintenance module)
- Manage Container Objects (Container Members module)
Internal and synchronized groups
There are two types of groups:
- Internal Groups: Groups that you create and to which you add members.
- Synchronized Groups: Groups that exist on an external source such as Active Directory (AD). The Synchronization Agent can be used to synchronize Active Directory groups. Synchronization not only synchronizes the AD groups themselves, it also retains each synchronized user's group membership.
  - AD groups can be used for authorization. Simply by adding a user to or removing a user from an AD group, the Virtual Server's pre-authentication rules can allow or deny access to resources based on the user's group membership attributes.
  - Auto-provision users with tokens based on their AD group membership. For example, if AD contained two groups, remote access and KT, you could automatically provision the users that belong to the KT group with a KT hardware token.
  - By using a combination of groups, pre-authentication rules, and auto-provisioning, you can accomplish most authentication management functions (creating users, authorization, assigning tokens, revoking tokens) without any manual administration.
  - Synchronized users can belong to both synchronized and internal groups.
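The following is an added Python model of the behaviour described above and in the HR example; it is not SAS product code. It assumes constructed names (the GroupPolicy and User classes, the "HR network" resource, the "KT hardware token" type) and shows the order that matters to an authorization decision: a user must first be valid (able to authenticate), then pass the resource's pre-authentication rule, with synchronized memberships coming from AD and not editable in the console.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class User:
    can_authenticate: bool = True  # a "valid user": the credential/token check passes
    internal_groups: set = field(default_factory=set)  # memberships managed in the SAS console
    synced_groups: set = field(default_factory=set)    # memberships owned by AD/LDAP
    token: Optional[str] = None

    def groups(self) -> set:
        # A synchronized user may belong to both synchronized and internal groups.
        return self.internal_groups | self.synced_groups

@dataclass
class GroupPolicy:
    pre_auth_rules: dict  # resource -> group a user must belong to (constructed model)
    auto_provision: dict  # AD group -> token type assigned at provisioning

    def remove_from_group(self, user: User, group: str) -> bool:
        # Synchronized membership comes from the external source; the console cannot edit it.
        if group in user.synced_groups:
            return False
        user.internal_groups.discard(group)
        return True

    def authorize(self, user: User, resource: str) -> bool:
        # Authentication comes first: a user that cannot authenticate is never authorized.
        if not user.can_authenticate:
            return False
        # No rule means any valid user may connect; a rule requires the named membership.
        required = self.pre_auth_rules.get(resource)
        return required is None or required in user.groups()

    def provision(self, user: User) -> Optional[str]:
        for ad_group, token_type in self.auto_provision.items():
            if ad_group in user.synced_groups and user.token is None:
                user.token = token_type
        return user.token

def hr_example() -> dict:
    policy = GroupPolicy({"HR network": "HR"}, {"KT": "KT hardware token"})
    user1 = User(synced_groups={"KT"}, internal_groups={"HR"})
    user2 = User(synced_groups={"remote access"})
    return {
        "user1_hr": policy.authorize(user1, "HR network"),
        "user2_hr": policy.authorize(user2, "HR network"),
        "user1_token": policy.provision(user1),
        "user2_token": policy.provision(user2),
        "remove_synced": policy.remove_from_group(user1, "KT"),
    }
```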
Add or remove internal groups
You can add and remove groups on the Groups tab, in the Group Maintenance module.
- On the SAS console, select the Internal option, and then click New.
- Type a group name and a brief description of its purpose in the fields provided, and then click Add. This adds the group and updates the Internal Groups List.
- To update a group's name or description, click Edit.
- To remove a group, click Remove.
After you add a group, you can add an individual user to the group on the Assignment tab, or add multiple users to the group on the Groups tab.
Manage group memberships for an individual user
Manage groups for individual users on the Assignment tab, in the Group Membership module.
- On the SAS console, select the Assignment tab, and then search for the user.
- Select the user.
- Expand the Group Membership module.
- To add the user to a group, click the Add button.
- In the Add to list, select the group, and then click Apply.
- To remove a membership, click the corresponding Remove link and confirm the action.
Manage group memberships for multiple users
To display all members of a group, or to modify the memberships of many users at a time, use the Group Membership module on the Groups tab.
Synchronized groups cannot be added to or removed from users in the SAS console, because synchronized group membership is obtained from AD/LDAP or another external user source. However, you can use the Search Synchronized tab to view these groups and their memberships.
List the members of a group
- On the SAS Management console, select either the Search Internal Groups or Search Synchronized Groups tab.
- Enter the search criteria:
  - Is a member of: Refines the list to users that are members of any group or of the specified group.
  - Is not a member of: Refines the list to users that are not members of any group or of the specified group.
- Select Search.
- To display the details for a user, select the User ID.
Add users to an internal group
- On the SAS console, select the Group Membership module, and then search for the users.
- Select the users that you want to add to a group, and then select New. The Add Membership options are displayed.
- In the Add above user(s) to select group list, select the group.
- Select Add.