Symantec Privileged Access Management

  • 1.  IP Ranges in Groups is not working. PAM is not using it at all (v3.4)

    Broadcom Employee
    Posted Jul 08, 2020 05:11 AM
    Dear SMEs,
    I noticed today a "weird" behaviour in PAM 3.4.

    The use case is the following:
    User Dario can connect to PAM from two different IP addresses (intranet 10.100.x.x and VPN from home 10.16.x.x). Based on the location, the user must access different devices or have different access methods or different Services.

    I implemented two User Groups (local and vpn) with the correct IP limitations, and user Dario is in both.
    Then defined two Devices Groups, with one device (1.1.1.1) for the Intranet Group and a different device (2.2.2.2) for the VPN Group.
    Wrote two policies to connect User Group and Device Group (local with Intranet and vpn with VPN).

    To my complete surprise, PAM allows the user Dario to see both devices, no matter where he's connecting from.

    At this point the question is very easy... why are the IP limitations in the User Groups not respected and, most of all, not checked? It is evident that PAM is merging the two policies even though the IP limitation in the Group should not allow this to happen.

    Any suggestion/explanation appreciated...

    Regards,
    Dario


  • 2.  RE: IP Ranges in Groups is not working. PAM is not using it at all (v3.4)

    Broadcom Employee
    Posted Jul 08, 2020 04:08 PM
    Hello Dario,
    I don't find this weird. The IP range defines from where a user can logon. Since the user is member of both groups, he can logon from either IP range. Once logged on, PAM evaluates which devices the user has access to per user or user group policies. That is not linked to the IP ranges evaluated for logon.


  • 3.  RE: IP Ranges in Groups is not working. PAM is not using it at all (v3.4)

    Broadcom Employee
    Posted Jul 08, 2020 06:01 PM
    In the documentation, it says the following:

    The user definition overrides the User Group definition. If no user policy is defined but that User is a member of multiple groups with different rules, the group permissions are additive (less restrictive).

    In your case, since the user is a part of the two different groups, they can log into PAM from all IP addresses listed in both groups. And since the user is a member of both groups, the policies for both groups apply to that user.

    Documentation: https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-privileged-access-management/privileged-access-manager/3-3-3/implementing/configure-policies-to-provision-user-access-to-devices-and-applications/configure-users/configure-user-groups.html#concept.dita_34b9dc1b98261f15d016d5d18bb325acd5c0a1d4_UsetheUITemplatetoCreateaGroup


  • 4.  RE: IP Ranges in Groups is not working. PAM is not using it at all (v3.4)

    Broadcom Employee
    Posted Jul 09, 2020 06:35 AM
    Thanks guys. Hence it means there is no way in PAM to fulfill that requirement... Correct me if I'm wrong


  • 5.  RE: IP Ranges in Groups is not working. PAM is not using it at all (v3.4)

    Broadcom Employee
    Posted Jul 09, 2020 06:24 PM
    There is no way to fulfill this use case with a single user. You could create a local user for them to use when they VPN into the network.

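The evaluation order described in replies 2 and 3 (group IP ranges gate only the logon, device access is the union of all group policies) and the per-location user workaround from reply 5, as an added Python model. This is not code from the thread or from PAM; the group, device and policy data are constructed to mirror Dario's scenario, and the evaluation functions are a hypothetical model, not PAM's API.

```python
from ipaddress import ip_address, ip_network

# Constructed data mirroring the thread's scenario. This is a hypothetical model of
# the evaluation order the replies describe, not PAM's data model or API.
GROUPS = {
    "local": {"ip_ranges": ["10.100.0.0/16"], "members": {"dario"}},
    "vpn":   {"ip_ranges": ["10.16.0.0/16"],  "members": {"dario", "dario-vpn"}},
}
DEVICE_GROUPS = {"Intranet": {"1.1.1.1"}, "VPN": {"2.2.2.2"}}
POLICIES = [("local", "Intranet"), ("vpn", "VPN")]   # (user group, device group)
USER_IP_RANGES = {}  # per-user ranges override group ranges when present


def groups_of(user):
    return {name for name, g in GROUPS.items() if user in g["members"]}


def can_logon(user, src_ip):
    """Logon check: a user-level range wins; otherwise the ranges of all groups
    the user belongs to are additive, so any matching range admits the logon."""
    ranges = USER_IP_RANGES.get(user) or [
        r for g in groups_of(user) for r in GROUPS[g]["ip_ranges"]]
    return any(ip_address(src_ip) in ip_network(r) for r in ranges)


def visible_devices(user):
    """Device access is the union of every policy attached to any of the user's
    groups; the source IP of the session plays no part."""
    devices = set()
    for user_group, device_group in POLICIES:
        if user_group in groups_of(user):
            devices |= DEVICE_GROUPS[device_group]
    return devices


def devices_outside_location(user, src_ip):
    """Audit helper: devices granted only through groups whose IP range does
    not contain the session's source IP, i.e. access the location-bound group
    design meant to withhold but the additive evaluation still exposes."""
    ip = ip_address(src_ip)
    matched, unmatched = set(), set()
    for user_group, device_group in POLICIES:
        if user_group not in groups_of(user):
            continue
        in_range = any(ip in ip_network(r) for r in GROUPS[user_group]["ip_ranges"])
        (matched if in_range else unmatched).update(DEVICE_GROUPS[device_group])
    return unmatched - matched
```

Running the audit for dario from a VPN address reports 1.1.1.1 as reachable outside its intended location, while the separate dario-vpn account (a member of the vpn group only, as reply 5 suggests) reports nothing.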

  • 6.  RE: IP Ranges in Groups is not working. PAM is not using it at all (v3.4)

    Broadcom Employee
    Posted Jul 13, 2020 01:04 PM
    Dario, 

    Since PAM Policies are additive, and access accumulates with the addition of policies, I'd first suggest reviewing the policies to make sure there are no others that might present access to the two separate devices in question. If you can conclude that there are only two policies affecting the user account, and are still seeing this, I would create a ticket with Support so we can track the issue and get attention on it.

    ------------------------------
    David Miller
    Symantec PAM Services Consultant
    Broadcom
    ------------------------------