Symantec Privileged Access Management


Cannot restrict users' access to devices or passwords based on the IP address they connect to PAM

  • 1.  Cannot restrict users' access to devices or passwords based on the IP address they connect to PAM

    Posted 20 days ago
    Our user can access systems from the local network and from VPN. We want PAM to give permissions related to where the user connects from.

    For example, if the user connects from the local network, he can connect to "Device-1" and "Device-2", but if he connects from VPN he can connect only to "Device-1".

    Or

    If the user connects from the local network, he can connect to "Device-1" via SSH and Web, but if he connects from VPN, he can connect to "Device-1" via the Web UI only.

    We created two user groups named "test-vpn" and "test-local" and limited their IP ranges to the respective source IPs. Then we created two device groups named "test-vpn" and "test-local". Then we created two different policies for the VPN and local user groups and devices.

    However, the user can see the devices or passwords he/she is authorized for in both policies, regardless of the source IP he/she connects from, whether from VPN or from the local network.



  • 2.  RE: Cannot restrict users' access to devices or passwords based on the IP address they connect to PAM

    Posted 20 days ago
    Hi Sibel, This looks like a duplicate of https://community.broadcom.com/enterprisesoftware/communities/community-home/digestviewer/viewthread?GroupId=1501&MessageKey=45c90c83-a1de-4011-b705-fed4218dd933&CommunityKey=3e91a086-c7b2-4bd0-9f8d-3493ed834111&tab=digestviewer&ReturnUrl=%2fenterprisesoftware%2fcommunities%2fcommunity-home%2fdigestviewer%3fCommunityKey%3d3e91a086-c7b2-4bd0-9f8d-3493ed834111
    Source IP is used during authentication. Once authenticated, policies are evaluated to see what the user should have access to. At that point the source IP doesn't matter anymore. You are looking for an enhancement to the product. You can submit those on the ideation page.
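The evaluation order Ralf describes (source IP checked at login, then policies evaluated without it) is enough to explain the behaviour in the question. The following Python model is an added illustration, not PAM code or Broadcom's implementation: it assumes a simplified configuration in which a user belongs to both the "test-local" and "test-vpn" groups, each group carries a source CIDR (constructed sample ranges), and a policy links a user group to a device group. It reproduces the observed result (the user sees the union of both device groups from either network) and contrasts it with the hypothetical IP-aware evaluation the poster is asking for.

```python
import ipaddress

# Constructed sample configuration mirroring the thread. The CIDRs, the user
# name and the group/device names are assumptions for this illustration only.
USER_GROUPS = {
    "test-local": {"cidr": "10.0.0.0/8", "members": {"alice"}},
    "test-vpn": {"cidr": "172.16.0.0/12", "members": {"alice"}},
}
DEVICE_GROUPS = {
    "test-local": {"Device-1", "Device-2"},
    "test-vpn": {"Device-1"},
}
POLICIES = [
    {"user_group": "test-local", "device_group": "test-local"},
    {"user_group": "test-vpn", "device_group": "test-vpn"},
]


def _in_range(src_ip, group):
    """True if src_ip falls inside the group's configured source CIDR."""
    return ipaddress.ip_address(src_ip) in ipaddress.ip_network(group["cidr"])


def authenticate(user, src_ip):
    """Login step: the source IP matters here. The login succeeds if the user
    belongs to at least one group whose IP range contains src_ip."""
    return any(
        user in g["members"] and _in_range(src_ip, g)
        for g in USER_GROUPS.values()
    )


def authorized_devices(user):
    """Policy step as described in the reply: union of the device groups of
    every policy whose user group contains the user. The source IP is not an
    input, so the VPN and local device sets are merged."""
    devices = set()
    for policy in POLICIES:
        if user in USER_GROUPS[policy["user_group"]]["members"]:
            devices |= DEVICE_GROUPS[policy["device_group"]]
    return devices


def authorized_devices_ip_aware(user, src_ip):
    """Hypothetical behaviour the question asks for (not a PAM feature): the
    group's source range is re-applied when each policy is evaluated."""
    devices = set()
    for policy in POLICIES:
        group = USER_GROUPS[policy["user_group"]]
        if user in group["members"] and _in_range(src_ip, group):
            devices |= DEVICE_GROUPS[policy["device_group"]]
    return devices


def session_view(user, src_ip, ip_aware=False):
    """Devices the user would see after logging in from src_ip, or None when
    the login itself is rejected because no group's range matches."""
    if not authenticate(user, src_ip):
        return None
    if ip_aware:
        return authorized_devices_ip_aware(user, src_ip)
    return authorized_devices(user)


if __name__ == "__main__":
    for ip in ("10.1.2.3", "172.16.5.5", "192.0.2.1"):
        print(ip, "as described:", session_view("alice", ip),
              "| ip-aware:", session_view("alice", ip, ip_aware=True))
```

Running the model from a VPN address returns both "Device-1" and "Device-2" in the described mode, matching what the poster observed; only the hypothetical ip-aware branch narrows the view to "Device-1". A login from an address outside every configured range is rejected at the authentication step in both modes, which is the one place the source IP restriction does take effect.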


  • 3.  RE: Cannot restrict users' access to devices or passwords based on the IP address they connect to PAM

    Posted 20 days ago
    Thank you Ralf.