ProxySG Content Policy Language Guide
group=
Tests whether the client is authenticated and belongs to the specified group. If both of these conditions are met, the result is true. In addition, the realm= condition can be used to test whether the user is authenticated in the specified realm. This trigger is unavailable if the current transaction is not authenticated; that is, if the authenticate() property is set to no.
If you reference more than one realm in your policy, consider disambiguating group tests by combining them with a realm= test. This reduces the number of extraneous queries to authentication services for group information that does not pertain to that realm.
Syntax
group=group_name
where:
•group_name is the name of the group, in the form appropriate to the realm type:
•NTLM realm: Group names are of the form Domain\groupname, where Domain may be optional, depending on whether or not the CAASNT is installed on the NT domain controller for the domain. Names are
•Local Password realm: Group names are up to 32 characters long, and underscores (_) and alphanumerics are allowed. Names are
•RADIUS realm: RADIUS does not support groups. Instead, groups in RADIUS environments are defined by assigning users a ServiceType attribute.
•LDAP realm: Group definitions depend on the type of LDAP directory and LDAP schema. Generally, LDAP distinguished names are used in the following form: cn=proxyusers, ou=groups, o=companyname.
•Certificate realm: Certificate realms provide authentication, but do not themselves provide authorization; instead they delegate group membership decisions to their configured authorization realm, which is either a Local Password realm or an LDAP realm. Group definitions should conform to the appropriate standards for the delegated authorization realm. Although the group used in policy is then a group from the delegated realm, to achieve performance benefits, the group= test should be preceded with a realm= test for the certificate realm, not the delegated authorization realm.
•Sequence realm: A sequence realm is a configured list of subordinate realms to which the user credentials are offered, in the order listed. The user is considered authenticated when the offered credentials are valid in one of the realms in the sequence. Authorization of the user is done with respect to the subordinate realm in which authentication occurred. Group names may be valid names in any of the realms in the sequence, but for the group= test to evaluate to true, the group must be valid in the realm in which the user is actually authenticated. If the group is valid in all realms in the sequence, then the group= test must be preceded by a realm= test of the Sequence realm; otherwise, it should be preceded by a realm= test of the appropriate subordinate realm.
Layer and Transaction Notes
•Use in <Admin> and <Proxy> layers.
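The following policy is an added example and is not taken from the guide or from any ProxySG configuration. It assumes four realms that you would have to define yourself: an NTLM realm corp_ntlm and an LDAP realm corp_ldap, chained in a Sequence realm corp_seq, plus a Certificate realm corp_cert that delegates authorization to corp_ldap. The group names are likewise assumed. It shows each group= test qualified by a realm= test for the realm that actually owns the group, so the group lookup is sent only to that realm, and it shows the certificate-realm caveat from the list above: the realm= test names the certificate realm, not the LDAP realm the group comes from.

```cpl
; Added example policy; realm names (corp_ntlm, corp_ldap, corp_seq, corp_cert)
; and group names are assumed for illustration and do not exist on the appliance.

; Force authentication on proxy transactions. group= is unavailable in any
; transaction where authenticate() is "no", so this layer must come first.
; corp_seq is assumed to offer credentials to corp_ntlm, then corp_ldap.
<Proxy>
    authenticate(corp_seq)

; Qualify each group= test with realm= so the membership query goes only to
; the subordinate realm in which the user was actually authenticated.
<Proxy>
    ; NTLM group in Domain\groupname form
    realm=corp_ntlm group=CORP\proxyusers allow
    ; LDAP group as a distinguished name (quoted because of the spaces and commas)
    realm=corp_ldap group="cn=proxyusers, ou=groups, o=companyname" allow
    ; Authenticated, but in neither group: first matching rule wins, so this
    ; catch-all must be last in the layer.
    deny

; Management access via client certificate. Authorization for corp_cert is
; delegated to corp_ldap, so the group is an LDAP DN, but the realm= test still
; names the certificate realm (corp_cert), as the guide recommends.
<Admin>
    authenticate(corp_cert)

<Admin>
    realm=corp_cert group="cn=proxyadmins, ou=groups, o=companyname" allow
    deny
```

Within a layer the first rule whose conditions all match decides the transaction, so an unconditional deny belongs at the end of each layer; a group= test placed without a preceding realm= test would be evaluated against every configured realm, which is the extra querying the guide advises against.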