Layer7 Access Management

Expand all | Collapse all

How can i create a Policy where user not present in the Group should get a particular response?

Jump to Best Answer
  • 1.  How can i create a Policy where user not present in the Group should get a particular response?

    Posted 09-08-2016 02:05 AM

    Hello Everybody,

     

    I am trying to implement a custom solution, where i have a requirement i need to send some static value like False as a response if the particular user is not present in that AD Group.

     

    For ex:- I want to create a policy where i attach a rule and a response, but i need to send response only if the user is not present in the AD group .

     

    Suppose AD group is CN=abc,OU=IDM,OU=P001,OU=GRP , if the end user is not present in this group i should send a response back to the application i.e static response like:WebAgent-HTTP-Header-Variable abc=false .

     

    now generally we can configure the policy for the user which is present in the group, how can we create a policy for a user which is not present in the group and still send a response back.

     

    Your Help would be highly appretiated!!

     

    Thank You

    Ankur Taneja



  • 2.  Re: How can i create a Policy where user not present in the Group should get a particular response?

    Posted 09-08-2016 03:04 AM

    Hi,

     

    How about using OnAccessReject Rule for Authorization Event Actions?

     

    Here is a KB article which might help. While it is explaining OnAuthAttempt event, it would be similar.

    How can an OnAuthAttempt response be tied to a rule? 

     

    I hope this would help.

     

    Regards,

    Koichi



  • 3.  Re: How can i create a Policy where user not present in the Group should get a particular response?

    Posted 09-08-2016 04:43 AM

    Hello Koichi,

     

    Thank you for the input.

    But here i am looking to post a HTTP Header response if the user is not present in that particular group. The above article is for WebAgent-OnReject-Redirect response which i am not looking for right now.

     

    I just need to post the header i.e a static value if the user is not present in the group. Generally we can easily do this if the user is present in the AD group and can send HTTP Header response, But how to do it when i am looking for a scenario if the user is not present in that group and i need to send a HTTP Header response static value based on that.

     

    Thank You

    Ankur Taneja



  • 4.  Re: How can i create a Policy where user not present in the Group should get a particular response?

    Posted 09-08-2016 06:52 AM

    1. Create a rule like "Access Reject rule"

    2. Create a response like "Access Reject Response" with the required headers values

    3. Create a policy like "Access Reject Policy"

       Allow every user in groups tab

       Add "Access Reject rule" Rule

       Associate "Access Reject Response" to the above rule

    3. Submit the policy

     

    This will serve your requirement.



  • 5.  Re: How can i create a Policy where user not present in the Group should get a particular response?

    Posted 09-13-2016 12:36 AM

    Hello Gopi,

     

    Apologies for the delayed response.

     

    The above suggestion seems to be perfect, but when i implemented above the rule and response are not getting triggered if the user is not present in the group. 

     

    I cannot see any response generated, i am sending a static HTTP header value.

     

    Is there anything that i am missing here?

     

    Thanks

    Ankur Taneja



  • 6.  Re: How can i create a Policy where user not present in the Group should get a particular response?

    Posted 09-15-2016 04:42 AM

    Please let me repeat: in this case, WebAgent-HTTP-Header-Variable does not work, and you may use WebAgent-HTTP-Cookie-Variable instead.

     

    Regards,

    Koichi



  • 7.  Re: How can i create a Policy where user not present in the Group should get a particular response?

    Posted 09-08-2016 07:35 AM

    Hi,

     

    If the user is not present in that particular group, he/she will be AzRejected by your policy. Then, normally, login.fcc will be present again. The login.fcc will not have your HTTP Header response because WebAgent-HTTP-Header-Variable enables a Web Agent to pass the value to a Web application (not to Web browser). In this case, you may use WebAgent-HTTP-Cookie-Variable instead so that the browser  will have the cookie.

     

    The above comment by GopiReddyIrala is really good by explaining step by step. Thanks for the post.

     

    Regards,

    Koichi



  • 8.  Re: How can i create a Policy where user not present in the Group should get a particular response?
    Best Answer

    Posted 09-15-2016 03:21 PM

    1) Create a second Policy (e.g "UnAuthorized_Policy)

     

    2) Create a Rule within the 'Unauthorized_Policy' (e.g. UnAuthorized_Rule)

    Resource: Same as ALLOW Rule

    Action: Authorization Events: OnAccessReject

     

    3) Create a Response (e.g. UnAuthorized_Response)

    Attribute Type: WebAgent-Onreject-Redirect OR WebAgent-OnReject-Text

    Attribute Kind: Static

    Variable Value: path to Redirtect Page or Text (Depending on which Attribute type you choose)

     

    4) Configure the Policy for ALL USERS in the user directory

     

    5) Tie the UnAuthorized_Rule and UnAuthorized_Repsonse to the UnAuthorized_Policy

     

    I would suggest creating an UnAuthorized web page and placing it in an unprotected directory and redirecting the user to that page.

     

    Users who are authorized to access the resource will be redirected to the resource.  User who are authenticated, but not authorized to access the resource will be redirected to the unauthorized page or presented the Text, depending on which you chose.

     

    This should allow you to achieve your use case.