Roles, Realms and Sign-In Policy
Overview
The Ivanti Policy Secure access management framework allows only qualified users to access protected resources. Policies allow or deny access to resources based on the user’s role and the compliance of the user’s endpoint device. The access management framework comprises the following key elements:
User Roles
A user role categorizes a group of users and grants that group access to a set of protected resources. The user role defines the type of access and the permissions required to reach a protected resource. The administrator can define multiple user roles for end users.
For example:
- Employees - Users who require access to all company resources.
- Contractors - Users who work on a contract basis and require access to selected network resources.
- Guests - Users who visit the company and require limited access to network resources.
Authentication Realm
An authentication realm specifies the conditions that users must meet to sign in to the system. A realm contains details about the authentication server against which the user is authenticated and the list of restrictions and checks that must pass on the client machine.
It also maps users to groups or roles by means of role mapping rules.
- Authentication Server - An authentication server is a database that stores user credentials (username, password, group, and attribute information). The user logs in to Ivanti Policy Secure through a specific authentication realm, which is associated with an authentication server; Ivanti Policy Secure forwards the user’s credentials to that authentication server, which verifies the user’s identity through the AAA framework.
Ivanti Policy Secure supports the following authentication servers:
- Active Directory
- RADIUS
- LDAP
- RSA ACE/Server
- Anonymous
- Certificate
- SAML Server
- Mac Address Authentication
- Local Authentication Server. For more information, see Local Authentication Server Overview.
- Authentication Policy - A set of rules and restrictions that control resource access.
- Role-Mapping - The conditions a user must meet for Ivanti Policy Secure to map the user to one or more user roles. These conditions can be based on the username, a certificate, user information returned by the realm’s directory server, or other administrator-defined criteria.
The high-level configuration workflow is as follows:
- Configure the Authentication Server
- Configure User Roles
- Configure Restrictions
- Configure Authentication Realm
- Configure Sign-in Policy
Sign-in Policy
Sign-in policies define the URLs that users and administrators use to access the device and connect to the network. They also let the administrator select the set of pages that users see during the sign-in process. These pages can be customized by using the Custom Sign-in Pages option.
For example, if the enterprise has both PC users and mobile users, the administrator can define two different URLs so that different authentication methods can be used. Ivanti Connect Secure users could log in to Ivanti Policy Secure with an RSA token and their AD username and password. Mobile devices could use a client certificate (provided by an MDM solution) and the AD username and password.
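As an added illustration (not Ivanti's code or configuration), the following Python models how the elements described above fit together: a sign-in URL selects a realm, the realm's restrictions gate the endpoint, its authentication server verifies the credentials, and role-mapping rules decide which user roles apply. The server, realms, URLs, users and endpoint attributes are all constructed sample values.

```python
import hmac
from dataclasses import dataclass

@dataclass
class AuthServer:
    """Authentication server: constructed local store of username -> password and groups."""
    users: dict

    def authenticate(self, username, password):
        rec = self.users.get(username)
        if rec is None or not hmac.compare_digest(rec["password"], password):
            return None
        return {"username": username, "groups": list(rec["groups"])}

@dataclass
class Realm:
    """Authentication realm: its server, endpoint restrictions and role-mapping rules."""
    server: AuthServer
    restrictions: list   # callables(endpoint) -> bool; every check must pass
    role_mapping: list   # (predicate(attrs) -> bool, role) pairs

def sign_in(urls, url, username, password, endpoint):
    """Evaluate one sign-in: URL selects the realm, restrictions gate the endpoint,
    the realm's server verifies credentials, role mapping decides the roles."""
    realm = urls.get(url)
    if realm is None:
        return ("deny", "no sign-in policy for URL")
    if not all(check(endpoint) for check in realm.restrictions):
        return ("deny", "endpoint failed realm restrictions")
    attrs = realm.server.authenticate(username, password)
    if attrs is None:
        return ("deny", "authentication failed")
    attrs["cert_issuer"] = endpoint.get("cert_issuer")
    roles = [role for pred, role in realm.role_mapping if pred(attrs)]
    return ("allow", roles) if roles else ("deny", "no role mapped")

# Constructed sample data: one AD-style server, two realms, two sign-in URLs.
AD = AuthServer({"alice": {"password": "alice-pw", "groups": ["Staff"]},
                 "bob": {"password": "bob-pw", "groups": ["Vendors"]}})
PC_REALM = Realm(AD,
    restrictions=[lambda ep: ep.get("av_running") is True],            # host check
    role_mapping=[(lambda a: "Staff" in a["groups"], "Employees"),
                  (lambda a: "Vendors" in a["groups"], "Contractors")])
MOBILE_REALM = Realm(AD,
    restrictions=[lambda ep: ep.get("cert_issuer") == "Corp MDM CA"],  # MDM-issued cert
    role_mapping=[(lambda a: "Staff" in a["groups"], "Employees")])
SIGN_IN_URLS = {"/pc/": PC_REALM, "/mobile/": MOBILE_REALM}

if __name__ == "__main__":
    print(sign_in(SIGN_IN_URLS, "/pc/", "alice", "alice-pw", {"av_running": True}))
```

A user who authenticates but matches no role-mapping rule is denied, which is the behaviour to expect from a realm whose rules were written for a different population of users.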