
Can APM be used to combine ACLs for a single session

Xpenno255
Nimbostratus

Hi all,

I can't find the answer after a few hours of searching but can't believe that there's no solution to this.

Is it possible to combine multiple ACLs in a single APM session? This would ideally be done using AD Group membership or similar. If a user is a member of group 1 then they get ACL1, however if they are in groups 1 & 2 they get the combined result of ACL1 & 2.

 

I know that it's possible to use advanced resource assign to check group membership and apply a single ACL to the session but I can't see a way to combine multiple ACLs in that use case.

 

Cheers

Spence

 

1 REPLY

Dave_W
F5 Employee

Hello Spence,

Yes, you should be able to do this with the AD Group Resource Assign. I tested this and when the user is in 2 groups with 2 different ACLs, both ACLs will be assigned. You can verify this by looking at the session variable "session.assigned.acls". Keep in mind you will need an AD Query in the VPE for AD Group Resource Assign to function correctly.

 

https://techdocs.f5.com/en-us/bigip-15-0-0/big-ip-access-policy-manager-visual-policy-editor/access-...