4.5. Roles, folders and services

4.5.1. Roles
4.5.2. Searching
4.5.3. Folders
4.5.4. Services

4.5.1. Roles

A role is a collection of services, possibly organized with the help of folders. Access to individual services and folders may be controlled by access rules. Roles provide the ability to segment responsibilities and applications. This feature allows for quick and easy administration of what users are authorized to do. Roles are meant to reflect a set of tasks which a user is supposed to be able to perform in a given situation.

Roles can be either exclusive or combinable (controlled by the combinable flag). An exclusive role cannot be combined with any other role in a session: if the user wants to use an exclusive role in a session, that is the only role the user can use during the session. Combinable roles are combined during a session, that is, the user activates all the combinable roles he has access to in a session. The default for new roles is to be combinable.

The AppGate system has the ability to talk to a Microsoft Active Directory and map group memberships to AppGate Roles (see Section 4.2.2, “LDAP/AD”). In this case the combinable flag is very useful, as the AppGate Role concept will then match the Microsoft Active Directory group membership semantics, where a user can be a member of several groups at the same time and enjoy the sum of all the groups' permissions.

For ordinary users it is recommended that the Roles are either all combinable or all non-combinable. Having a mix may cause confusion, as the Role selection dialog will not be entirely clear.

If one or more Roles are not combinable, the user must select which role to use when logging on. Exactly which roles the user may choose from depends on the configuration in 'User Accounts'. This makes it possible to allow users and administrators to assume different "modes" according to the work activity they are trying to accomplish at the moment. This also helps users to employ the principle of least privilege, which is an important step in securing a network.

Access to roles may also be further limited by the use of Access Rules on roles. This feature can be used to change the set of available roles depending on a number of factors, such as the presence of a device firewall, the presence of an updated anti-virus system and type of client machine. See below for examples.

The following items are available on the 'Role' screen:

Icon

Selects an icon from the list of available icons. This icon is displayed together with the role description in the client role selection dialog. Note that new icons were introduced in version 7.1; the old icons are still present on the server but can only be selected by editing the database file manually.

Name

The name of the role. It must not contain any space, comma, semicolon, pound sign or ASCII characters greater than 127.

Description

A description of the role. This description will be shown in the AppGate client role selection dialog.

Options

There is only one option available for roles, and that is the combinable option. If this is set (which it is by default on new roles), the role can be active together with other roles in the same session.

Access rule

Selects an access rule that must be true for the role to be available.

Users...

This button is used to display a dialog which lists users who belong to this role. Users may also be added to or removed from the role. Only users from the local account database are handled by this dialog.

Folder/Service list

A list of all the services and folders in the role. Each folder/service has an access rule associated with it. This access rule must evaluate to 'true' if the folder or service should be available. The access rule is selected from a drop-down menu which lists the available access rules.

Folders and services may be added to this list by either attaching an existing folder/service or by creating a new folder or service.

Move up

Moves the currently selected service or folder up in the list of folders and services.

Move down

Moves the currently selected service or folder down in the list of folders and services.

Detach

If a service or folder is selected in the list of folders/services, it may be removed from the role by pressing this button.

Attach service...

Attaches a service to the role. The service is selected from a drop-down list of all the available services in the database.

Attach folder...

Attaches a folder to the role. The folder is selected from a drop-down list of all the available folders in the database.

New service...

Creates and inserts a new service.

New folder...

Creates and inserts a new folder.

Service wizards

This drop-down menu gives access to wizards which help configure services. Currently only one wizard is defined. This wizard helps to configure the services needed for access to e-mail from mobile devices.

Example 1: different classes of users

A company has two departments: sales and service. Both departments need access to three services: web, e-mail and NetBIOS. The sales department also needs access to the sales database application, salesdb, and the service department needs access to the service and support database application, servdb. Upper management needs access to all of the applications that either of the departments has.

In order to keep the access organized, the company sets up their AppGate system with three roles named "sales", "service", and "management". A folder named "everyone" is created containing the following services: web, e-mail, and NetBIOS. The folder "everyone" is linked into all three roles, since everybody needs access to it. This means that rather than adding those services to each role individually, the folder is simply linked, using "Attach folder...", to each of the roles. The service salesdb is linked to the sales role and the management role, using "Attach service...", and the servdb service is attached to the service role and to the management role.

Example 2: using access rules

A company has a security policy which mandates the use of a personal firewall and anti-virus applications. The administrator creates a client check (see Section 4.4.2, “Client checks”) which checks for the presence of an anti-virus application. Then an access rule (see Section 4.4.1, “Access rules”) can check both the result of this client check and for the presence of a personal firewall [2]. This check can also be done at the service level if so desired.

It is usually a good idea to create a service or role that carries the inverse access rule and shows a message (see Section 4.6.11, “User Message”) to the user. The user will then receive a message which may explain why the requested service is not available.
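As an added illustration (not AppGate's own code or data model), the following Python sketch models how the role, folder, service and access-rule relationships in the two examples above combine to decide what a session can reach. The role, folder and service names are taken from the examples; the client-check facts dictionary and the `compliant` rule are constructed stand-ins for an access rule evaluated against client checks.

```python
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed stand-in for an access rule: a predicate over client-check facts
# such as {"firewall": True, "antivirus": False}.
Rule = Callable[[dict], bool]
ALWAYS: Rule = lambda facts: True

@dataclass
class Service:
    name: str
    rule: Rule = ALWAYS         # access rule attached where the service is listed

@dataclass
class Folder:
    name: str
    items: list                 # Services and/or sub-Folders
    rule: Rule = ALWAYS
    hidden: bool = False        # "Hidden" option: folder and its contents are not shown

@dataclass
class Role:
    name: str
    items: list
    combinable: bool = True     # default for new roles
    rule: Rule = ALWAYS

def reachable(items: list, facts: dict) -> set:
    """Services whose own rule and every enclosing folder's rule evaluate to true."""
    found = set()
    for item in items:
        if not item.rule(facts):
            continue
        if isinstance(item, Service):
            found.add(item.name)
        elif not item.hidden:   # hidden folder: nothing inside it is offered
            found |= reachable(item.items, facts)
    return found

def session_services(roles: list, facts: dict, chosen: Optional[Role] = None) -> set:
    """An exclusive role chosen at logon is used alone; otherwise all combinable roles apply."""
    if chosen is not None and not chosen.combinable:
        active = [chosen] if chosen.rule(facts) else []
    else:
        active = [r for r in roles if r.combinable and r.rule(facts)]
    return set().union(*(reachable(r.items, facts) for r in active))

# Example 1 layout, plus the Example 2 rule on salesdb and its inverse "why blocked" message.
compliant: Rule = lambda f: bool(f.get("firewall")) and bool(f.get("antivirus"))
everyone = Folder("everyone", [Service("web"), Service("e-mail"), Service("NetBIOS")])
salesdb = Service("salesdb", rule=compliant)
why_blocked = Service("salesdb-unavailable-message", rule=lambda f: not compliant(f))
sales = Role("sales", [everyone, salesdb, why_blocked])
service = Role("service", [everyone, Service("servdb")])
management = Role("management", [everyone, salesdb, Service("servdb")])
admin = Role("admin", [Service("admin-console")], combinable=False)   # constructed exclusive role
```

Note that a non-compliant sales user is offered the message service instead of salesdb, and the exclusive `admin` role is only active when it is the role chosen at logon.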

4.5.2. Searching

The top node of the Roles part of the tree contains a search panel which enables searching among all available roles, folders, services and components.

The top part of this panel consists of a text field where the string to search for should be entered. After that comes the search button. Pressing this, or pressing the return key, will perform the search. Finally there are two check boxes which control whether the search looks in the name and/or description field. The default is to look in both.

If the search finds an object whose name exactly matches the string searched for, that object will be opened directly. Otherwise the matching objects are shown in a list. It is possible to double-click on any row in the list to jump to that object's definition.

4.5.3. Folders

A folder is a way to logically group together a set of services in a role. A folder may contain services or other folders. Each of these entities has an access rule associated with it. To gain access to the service or the content of the sub-folder, the access rule must be satisfied.

The following items are available on the 'Folder' screen:

Name

The name of the folder. It must not contain any space, comma, semicolon, pound sign or ASCII characters greater than 127.

Description

A description of the folder. This description will be shown in the AppGate client.

Options

The following options are available for a folder:

  • Transparent: The services/folders in this folder will not be placed in a separate folder when they are displayed in the client.

  • Hidden: The folder and all the services/folders it contains will not be visible in the client.

Folder/Service list

A list of all the services and folders in this folder. Each folder and service has an access rule associated with it. This access rule must evaluate to 'true' if the folder or service should be available. The access rule is selected from a drop-down menu which lists the available access rules.

Folders and services may be added to this list by either attaching an existing folder or service or by creating a new folder or service.

Move up

Moves the currently selected service or folder up in the list of folders and services.

Move down

Moves the currently selected service or folder down in the list of folders and services.

Detach

If a service or folder is selected in the list of folders/services, it may be removed from the folder by pressing this button.

Attach service...

Attaches a service to the folder. The service is selected from a drop-down list of all the available services in the database.

Attach folder...

Attaches a folder to this folder. The folder is selected from a drop-down list of all the available folders in the database.

New service...

Creates and inserts a new service.

New folder...

Creates and inserts a new folder.

Service wizards

This drop-down menu gives access to wizards which help configure services. Currently only one wizard is defined. This wizard helps to configure the services needed for access to e-mail from mobile devices.

4.5.4. Services

Services are collections of components which are logically grouped together to accomplish one task. Services are added to groups and roles to be accessed by users. When a service is started, the components in the service are started in the order in which they appear.

The following items are available on the 'Service' screen:

Icon

Selects an icon from the list of available icons. This icon is displayed together with the service description in the client. Note that new icons were introduced in version 7.1; the old icons are still present on the server but can only be selected by editing the database file manually.

Name

The name of the service. It must not contain any space, comma, semicolon, pound sign or ASCII characters greater than 127.

Description

A description of the service. This description will be shown in the client.

Options

The following options are available for a service:

  • Auto Start: the service and all of its components are started automatically when a user logs on to the AppGate server.

  • Hidden: the service will not be visible in the client. If the service contains any components which are normally visible in the client access tab, these are also hidden.

Component list

A list of all components that should be started when the service is started.

Components may be added to this list, either by attaching an existing component or by creating a new component.

New component...

Creates a new component that is added to the list of components in the service. The type of component is selected from a drop-down list. When a new component type is selected, the screen for that component will be displayed.

Attach...

Attaches an existing component to the service. The component is selected from a pop-up dialog which lists all existing components.

Detach

If a component is selected in the list of components, it may be removed from this service by pressing this button.

Move up

If a component is selected in the list of components, it may be moved up in the list by pressing this button.

Move down

If a component is selected in the list of components, it may be moved down in the list by pressing this button.
[2] Checks for the AppGate Device Firewalls are done automatically and other firewalls can be checked by using client checks.