Forum Discussion
Assign APM resources based on sAMAccountName
I have been tasked with setting up APM for remote access to specific resources based on a user's sAMAccountName. I cannot use groups, I think, because there are users that are members of the same group that should not have access to other resources.
For example, if "user1" is in the "BusinessOffice" AD group, they will be assigned "BusinessOffice" resources + "user1_RDP" Remote Desktop resource. Then, "user2" is also in the "BusinessOffice" AD group and should also get the "BusinessOffice" resources, but the "user2_RDP" Remote Desktop.
I've only ever had to create simple Access Policies based on group membership and am at a loss with the more advanced stuff.
We're running BigIP LTM 11.4.1 HF4. Please let me know if I should be providing more information. Any/all help is appreciated!
Thanks Guys!!
4 Replies
- Michael_Jenkins
Cirrostratus
If there's a way for you to determine in an iRule (or by AD attribute) the hostname of the RDP server, you can use the same RDP server resource for all users and let a session variable specify the host name (using something like %{session.ad.last.attr.extensionAttribute1} as the hostname). This could simplify your design a bit, as long as you can set a session variable with the right host name.
- Patrick_73676
Nimbostratus
Michael, thank you for the suggestion. I will look into it and see what other trouble I can get myself into. Thanks!
- Michael_Jenkins
Cirrostratus
No problem. Let me know if that works out for you. I haven't done this myself, but am interested in seeing if there's any caveats...
- Amit_Karnik
Nimbostratus
For the RDP, instead of having multiple resources per user, you could define a single RDP resource.
Then set the hostname attribute of the RDP resource to a session variable such as %{session.rdp.addr}. This way you could assign the same RDP resource to each user.
For the conditional resource assignment, use the "Advanced Resource Assign" policy object and use the conditional to check the group membership before resource assignment.
Another thing which has worked for me is to make the conditional resource assignment a separate macro call. This will let you factor out your policy and use this block in a different part, e.g. for different OS platforms or mobile device access, etc.
Best.
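The two replies above both come down to the same design: one RDP resource whose host is a session variable, filled per user from either an AD attribute or the sAMAccountName. The iRule below is an added example written for this thread; it is not code from either poster or from F5. It assumes an "iRule Event" agent in the Visual Policy Editor with the agent ID `set_rdp_host`, a data group named `rdp_hosts_by_user` mapping sAMAccountName to RDP host, and the `session.custom.rdp_ok` flag name; all three names are assumptions. It prefers the AD attribute from an AD Query agent, falls back to the allowlist, validates the hostname, and leaves the RDP resource unassigned (and logs it) when no valid host is known.

```tcl
# Added example iRule (not from this thread or from F5) for the APM virtual server.
# Triggered by an "iRule Event" agent whose ID is "set_rdp_host" (assumed name).
when ACCESS_POLICY_AGENT_EVENT {
    if { [ACCESS::policy agent_id] ne "set_rdp_host" } { return }

    # session.logon.last.username carries the logon name (the sAMAccountName
    # once the AD Auth agent has succeeded). Normalise case for the lookup.
    set user [string tolower [ACCESS::session data get "session.logon.last.username"]]

    # Preferred source: an AD attribute populated by an AD Query agent
    # (extensionAttribute1 follows the suggestion earlier in the thread).
    set host [ACCESS::session data get "session.ad.last.attr.extensionAttribute1"]

    # Fallback: an explicit per-user allowlist held in a data group
    # ("rdp_hosts_by_user" is an assumed name; entries look like
    #   user1 := user1-pc.corp.example). Returns "" when the user is absent.
    if { $host eq "" } {
        set host [class match -value $user equals rdp_hosts_by_user]
    }

    # Accept only a plain hostname/IP shape, so a malformed or tampered
    # attribute value never reaches the RDP resource definition.
    if { ![regexp {^[A-Za-z0-9][A-Za-z0-9.-]{0,253}$} $host] } {
        log local0.warn "APM RDP: no valid RDP host for user '$user' (value='$host'); not assigning"
        ACCESS::session data set "session.rdp.addr" ""
        ACCESS::session data set "session.custom.rdp_ok" 0
        return
    }

    # The single RDP resource references this as %{session.rdp.addr}.
    ACCESS::session data set "session.rdp.addr" $host
    ACCESS::session data set "session.custom.rdp_ok" 1
    log local0.info "APM RDP: user '$user' mapped to RDP host '$host'"
}
```

In the policy, place the iRule Event agent after AD Auth (and AD Query, if used) and before the Advanced Resource Assign. Give the RDP assignment its own expression such as `expr {[mcget {session.custom.rdp_ok}] == 1}` so a user with no mapping still receives the group's other resources but no RDP resource; group-based assignments stay on their existing membership conditions. The data group doubles as the audit record of who may reach which desktop, which is easier to review than one resource per user.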