Managing User Identities
This topic describes how to associate user identities with network access. It includes these sections:
Identifying and adding users
SCM provides an easy and intuitive way to define network access by user identity. The Users page associates those accessing the networks with the devices they are using, providing granular and automated user-to-device assignments, with an interface in each zone.
Adding users is optional. Whether you propagate user identities depends upon your policy strategy.
If you require a per-user, per-device policy, we recommend populating the environment with user identities. Whereas if your policy strategy is focused on application, zone, or site, you can create a policy without referring to the individual users. Adding users and devices provides micro policy focus and usage tracking at the user level.
For details on devices, see
Viewing devices.
You can also implement policy strategies based on a subset of all users such as:
• Adding key personnel - Provide key users improved visibility into the applications needed to adjust QoS and path selection.
• Creating user groups - Use the same strategy as key personnel, but enable it at a group level.
• Adjusting user and device visibility - Use application visibility to identify noncritical, nonbusiness application use during business hours across the enterprise, and then drill into zones to identify target sites. With this information, you can adjust user and device level visibility as needed.
Adding users
You can identify users by name, roles, or job functions.
You can add users manually or automatically populate them using directory synchronization with Windows Active Directory or Google Apps. You can perform Active Directory synchronization for corporate users in an organization, even if they are in a remote location. Active Directory synchronization is not supported on an SDI-5030 gateway.
The SteelConnect Manager directory sync is completely separate from the SteelHead Active Directory integration for optimizing Microsoft secure protocols.
To add a user manually
1. Choose Users.
2. Click New User.
3. Type full name of the user. The full name is required.
4. Type the user’s email address. The email address is required.
5. Optionally, type the user’s mobile phone number, starting with a + or 0.
6. Optionally, type a policy tag for use with assigning a network zone and security policies. For details, see
Creating user groups.
7. Click Submit.
The user list displays the users and their home site location, contact information, and any group, tag, and device associations.
The home site specifies the location where the user will connect to the network using VPN. You can optionally click the username again to associate the user’s network access rules with a different home site.
To add users automatically
1. Choose Users > Directory Sync.
2. Select Active Directory or Google Apps from the drop-down list.
3. Fill out the fields for either Active Directory or Google Apps, described below.
To view all network users
• Choose Users.
• You can search by name to view all devices owned by a particular user.
• You can allow users to add their own devices that use a predefined and preapproved security policy.
Windows Active Directory
Windows Active Directory performs an LDAP query for the AD users and populates them as SteelConnect users. This is a user import operation only. The system performs the query every 15 minutes. Only active directory users with an email address are synchronized. The user’s mobile phone number is also synchronized.
You have to resynchronize when there is a change to Active Directory; there is no automatic synchronization between SCM and Active Directory.
To automatically populate users using Windows Active Directory
1. Provide an LDAP bind user with at least the backup operator’s privilege to the active directory. This sets the authorization identity used for the query.
2. Choose between using an appliance as a proxy or a secure LDAP server directly to perform the sync. Remember that when you use LDAP the sync is activated and performed from the SteelConnect Manager, so the necessary network ports must be open on the firewall to allow the connection inbound.
3. Provide the search base for your active directory. This setting is an active directory organizational unit.
5. Click Submit.
Google Apps
If your organization is using a Google domain infrastructure, Riverbed is able to fetch Google domain users to allow easy integration.
Users that are added to your directory on
https://accounts.google.com can be created automatically on SCM.
The Google Apps Sync feature polls the service and updates the users every 15 minutes.
SCM fetches the user account’s email address and the user’s mobile phone number from the backend to enable them to use both methods for Portal registration.
To setup Directory Sync via Google Apps, first create a Service account key via Google’s Developer Console.
To create a service account key through Google Developer Console
2. From the project drop-down list, select Create a new project.
3. Choose API Manager > Social APIs > Google+ API.
4. Click Enable API.
5. In API Manager, choose Credentials from the left sidebar.
6. Select the Credentials tab.
7. Select Create credentials > Service account key.
8. Create a new service account and select a name for the new account.
9. For Key type, select JSON.
10. Click Create.
The JSON key will be downloaded automatically.
To automatically populate users using Google Apps
1. In SCM, choose Users > Directory Sync.
2. Select the Setup tab.
3. Select Google Apps as the directory backend.
4. Specify your Google Apps domain name: for example, acme-inc.com.
5. Specify the email address of the user for which the application is requesting delegated access. This must be an account admin with privileges over the domain.
6. Click Browse next to Private key and select the JSON key file to upload.
7. Click Submit.
8. Select the Sync Status tab and select Sync after Operation mode.
9. Click Sync now.
Creating user groups
Groups allow two or more users to be associated so that you can apply rules collectively. Grouping minimizes the amount of rule definitions and reduces administrative overhead.
A policy tag field is associated with both users and groups. It allows an additional or alternative method of grouping users. You can use tags to create a subset of a group or to tie users across different groups for the application of other policies. For example, defining policy tags is useful when you want to apply dynamic zone mapping when a user connects through a wireless network.
Granular grouping of users and tagging can increase management complexity. Keep it simple; you need to be able to keep track of which rules and policies apply to a specific user.