NimbostratusAPM dynamic ACLs attached to AD or LDAP groups
Hi, I am building a client vpn setup with F5 APM. It's working quite good so far. I have a static ACL configured for now. I would like to use dynamic ACLs in the future so managers can give their Team members access themselves by adding them to specific ldap or AD groups (we use both).
My question is, is this even possible? Can I add ACLs to groups? And if yes, how does the F5 then knows which groups it should read ACLs from, since a user could be in different groups.
The groups would be preconfigured in LDAP/AD and all ACLs would be configured on the group. e.g. Sales guys need access to specific tools. I would create a group in LDAP/AD for this purpose and add the appropriate ACLs to this group. The manager could then add his Team members to this group and thus the Group members have access to the needed services. But the user could be also in many other groups. I was thinking about some sort of naming convention for the groups. Like acl-sales, acl-internet-access. So the F5 only looks in groups that start with acl-.
Hope you understand my question and I have understood dynamic ACLs correctly.
Thanks in advance.