Symantec Privileged Access Management

  • 1.  policy with user group

    Broadcom Employee
    Posted Sep 08, 2019 10:20 PM
    In a customer environment, there are 2 policies, one for each user group (User Group A and User Group B), pointing to the same target server (Linux). Command filter policies are also associated with these policies.

    So it looks like

    Policy A---User Group A------Command Filter A--------Server1
    Policy B---User Group B------Command Filter B--------Server1


    When a user joins User Group A and runs Policy A, all works well and Command Filter A is working as well. The same is true when a user joins User Group B.

    The problem is when a user joins both User Group A and User Group B. It seems that under this circumstance the user will have a policy that combines both Policy A and Policy B, and Command Filter A and B both apply.

    Is this expected behavior, or is there a way we can select a specific policy under this condition?

    Jerry


  • 2.  RE: policy with user group
    Best Answer

    Broadcom Employee
    Posted Sep 09, 2019 04:33 AM
    Hello Jerry,

    As far as I know, this is the expected behavior when a user is part of multiple groups: all the policies take effect. This is the same for Devices that are part of Device Groups as well.

    Currently, we do not have the option of negating any of the policies, nor the ability to select which group policy should be applied to the users, if the user is part of multiple groups.

    I think this would be a product enhancement.

    Thanks,
    Reatesh.

    ------------------------------
    Principal Support Engineer
    Broadcom
    ------------------------------
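
Because every policy that reaches a user through any of their groups takes effect, it is useful to audit for users who hold more than one group policy on the same device. The following is an added example, not part of the original thread and not Broadcom code; the data layout, the user names, and the extra "Policy C"/"Server2" entries are constructed for illustration and do not reflect a PAM export format.

```python
from collections import defaultdict

# Constructed sample data (assumed layout, not a PAM export): each policy binds
# one user group and one command filter to one target device, as in the thread.
POLICIES = [
    {"name": "Policy A", "group": "User Group A", "filter": "Command Filter A", "device": "Server1"},
    {"name": "Policy B", "group": "User Group B", "filter": "Command Filter B", "device": "Server1"},
    {"name": "Policy C", "group": "User Group B", "filter": "Command Filter C", "device": "Server2"},
]
# Constructed group memberships; "carol" is the user who joined both groups.
MEMBERSHIPS = {
    "alice": {"User Group A"},
    "bob": {"User Group B"},
    "carol": {"User Group A", "User Group B"},
}


def effective_policies(user_groups, policies):
    """Per device, collect every policy that reaches the user through any group."""
    per_device = defaultdict(list)
    for policy in policies:
        if policy["group"] in user_groups:
            per_device[policy["device"]].append(policy)
    return per_device


def find_overlaps(memberships, policies):
    """Return (user, device, policy names, filter names) for each user/device
    pair where policies from more than one group apply at the same time."""
    findings = []
    for user in sorted(memberships):
        per_device = effective_policies(memberships[user], policies)
        for device in sorted(per_device):
            hits = per_device[device]
            if len({p["group"] for p in hits}) > 1:
                findings.append((user, device,
                                 sorted(p["name"] for p in hits),
                                 sorted(p["filter"] for p in hits)))
    return findings


if __name__ == "__main__":
    for user, device, names, filters in find_overlaps(MEMBERSHIPS, POLICIES):
        print(f"{user} -> {device}: {', '.join(names)} all apply; "
              f"filters in effect: {', '.join(filters)}")
```

Each finding is a user/device pair to review: either split the group memberships or confirm that the combined policies and command filters are acceptable for that user.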



  • 3.  RE: policy with user group

    Broadcom Employee
    Posted Sep 09, 2019 08:41 PM
    Hello Reatesh,

    Thanks for the information. I thought this is how policy works under the current design and should go with an enhancement, but I just needed to confirm my assumption.

    BR
    Jerry