Access Control List
The access control policies manage users’ or user groups’ access to resources such as applications, devices, internet, login time, configurations, and services. A list of all such policies is called an Access Control List (ACL).
Access controls can be created for Native, LDAP, AD, RADIUS, and SAML Identity Provider (IdP) users/user groups. The Native user groups include the default user groups and all the other High and Low Security user groups created by the administrator.
The Access Control Lists for Low Security user groups, LDAP, AD, RADIUS, and SAML IdP user groups, and DEFAULT_RADIUS_USER_GROUP can include only Low Security Application Groups. The Access Control Lists for High Security user groups can include both High and Low Security application groups.
Types of Access Control Policies
Every ACL policy is assigned to individual users/user groups or to a set of users/user groups, so the Common Configuration described below applies to all types of access control policies.
The following types of access control policies can be configured:
- Application Access: Create this access control policy to provide application access to specific users or user groups.
- Device ID: Create this access control policy to control the number and types of devices per user and to restrict logins to trusted devices based on parameters such as MAC address, motherboard ID, antivirus solution, etc.
- Endpoint Protection: Create this access control policy to control external connections on the user’s machine, including the Internet. This policy is enforced after the user has successfully logged in.
- Notifications: Create this access control policy to generate actionable e-mail alerts for user events such as first login, new device registration, subsequent user login, etc., in the HySecure gateway.
- Account Lockout: Create this access control policy to lock the user account a certain number of days after the user’s first login or last login in the gateway.
- Endpoint Security: Create this access control policy to enforce specific host scan policies/device profiles for specific users/groups at login time. This policy helps provide granular and contextual security based on parameters such as IP and MAC address, CPU and motherboard IDs, etc.
- Client Configuration: Create this access control policy to enforce certain client configurations for specific users/user groups.
- App Whitelisting: This access control policy enables only approved applications on the client machine to run. Applications that are not approved will not function while the HySecure client is logged in.
- Authentication: This CARTA-driven access control policy periodically re-authenticates the user with the 2FA tokens configured in the HyID policy. This policy is crucial for Liveness Detection, which securely distinguishes between live human biometric samples and fake representations.
- SMS Gateway: Create this access control policy to send SMS to specific users or user groups through a designated SMS gateway, including the HySecure gateway.
View Access Control List
- Log on to the Management console.
- Go to Policies > ACL.
- The ACL list will be displayed in a tabular form with the following information:
Field | Description |
---|---|
Type | Displays the appropriate Access Control Policy type. |
Name | Displays the Access Control Name. |
HySecure Domain | Displays the HySecure domain name on which the access control is applied. |
Authorization Server | Displays the authorization server linked to the policy. The policy will apply to the Users / User Groups fetched from this authorization server. |
Assignment Type | Displays whether the policy is assigned to the users or user groups. |
Assigned To | Displays the name of the users/user groups to whom the policy is applied. |
Entitlement | Displays the configuration/application/policy a user is entitled to. E.g., if the user is authorized to access App_Group_1, then the entitlement name will display the name of that application group. Entitlement will only appear for Application Access, Endpoint Security (EPS), App Whitelisting, Client configuration, and SMS gateway types of ACL. |
ACL Enabled | Displays the state of the access control policy, whether it’s enabled or disabled. |
ACL Expiry Date | Displays the date until which the access control policy remains valid. |
ACL Priority | Displays the priority level of ACL from 1 to 10, where 1 is the highest. |
Create a new ACL
The configuration fields differ depending on the type of ACL chosen from the drop-down list. The fields common to all types are explained here; the type-specific fields are described under each type below.
Common Configuration
- Log on to the Management Console.
- Go to Policies > ACL, click Add to create a new access control policy, and provide the following details.
Identifier | Description |
---|---|
Access Control Type | Choose an appropriate Access Control Policy type from the list here. |
Access Control Name | Enter the name for the ACL. This name helps to distinguish the ACL in listings, searches, and logs. |
Access Control Description | Describe the ACL in brief to provide the correct context. |
Select HySecure Domain | Select the HySecure Domain on which the access control will be applied. This domain will be used to fetch the Authorization Server list. |
Select Authorization Server | Select the Authorization server to fetch the User/User Group list. Select Native to use the HySecure local database users. |
Select Assignment Type | Select whether to assign the ACL to Users or User Groups. The Select User/Group Type option that appears depends on this selection. |
Select Native User Type (Only for Authorization Server as Native) | Select High Security User or Low Security User, as appropriate, to which the ACL will be applied. |
Select User Type (If Users is selected in Select Assignment Type; only for Authorization Server as AD/LDAP/SAML Identification server.) | Select All Users to apply the access control policy to all users; select Get All Users from Directory Server to fetch the first 500 users defined in AD, LDAP, RADIUS, or SAML IdP and then select the relevant users; or select Search manually by username to search the directory server and select individual users. |
Select Group Type (If User Groups is selected in Select Assignment Type.) | Select All Groups to view the list of all user groups in the Select Application Group list, or select Selected Groups to search for and apply the policy to a set of groups. |
Select Application Group | Select a User Group name and click Add. The following default groups can be used for authorization when using the local database: DEFAULT_USER_GROUP (all users and groups); SYSTEM (all Security Officers and administrators); DEFAULT_BA_USER_GROUP (all users authenticating with basic username/password/token). When using an AD/LDAP/SAML server, the default group All Groups covers all groups existing on the AD/LDAP server; in this case the application group is available to any user authorized by the AD/LDAP server. When using the RADIUS server, the default group DEFAULT_RADIUS_USER_GROUP covers all users authenticated and authorized by the RADIUS server. When using the SAML Identity Provider, the default group DEFAULT_SAML_USER_GROUP covers all users authenticated and authorized by the SAML IdP. |
Select priority of the Policy (Not applicable for Application Access, Account Lockout, Notifications, and App Whitelisting access control types) | Select the desired priority of the policy from the range 1 to 10, 1 being the highest. |
Access Control Valid Till (Not applicable for the Notifications type of Access Control) | Set the date on which the access control policy expires. |
Access Control State | By default, an access control policy is Enabled, i.e. it applies as soon as you click Submit on creation. Select Disabled to enable the policy explicitly at a later point in time. |
Note
Azure SAML IdP user groups can be fetched while creating this access control policy in the HySecure gateway.
Application Access-Type Access Control Policy
For a user to log on and access the applications, application access must be provided. This can be done by creating an access control policy for applications.
Note
For multiple Application Access-based Access Controls, access is granted from all enabled Application Access-based ACLs.
Add an Application Access-based policy
To add this type of policy, click the Add button and select Application Access from the Access Control Type drop-down menu.
Type | Description |
---|---|
Access Control Type | As a part of common configuration, select the Access Control Type as Application Access from the drop-down list. |
Select Application Group | Select the appropriate type of Application Groups: 1) Application Groups with High Security Level, if Select Authorization Server is set to Native and Select Native User Type/Select Native Group Type is set to High Security User/High Security Group, respectively. 2) Application Groups with Basic Security Level (i.e., Application Groups with Security Level High unchecked), if a) the User/Group Type is High Security (High Security users may be given Basic Security application groups as well), OR b) Select Authorization Server has an AD/LDAP/RADIUS/SAML Identity Provider server selected. Use Select Application Group to assign application groups to users/user groups: hold Ctrl to select several Application Groups and click Add to move them to the right-hand list box of the Access Control. To remove an Application Group, select the group name and click Delete. |
Access Filter | The Access Filter defines when the Access Control policy is in effect. By default it is set to ANY_TIME, i.e. 24/7. |
Device ID-Type Access Control Policy
The Device ID-based fingerprinting feature captures details from the client machine running the HySecure Client software. Administrators can create an access control policy for users/user groups based on Device ID fingerprinting so that only authorized devices can log in to the HySecure gateway, based on parameters such as MAC address, CPU ID, motherboard ID, WAN IP address, etc.
Warning
- To apply Device ID fingerprinting-based Access Control Policy, select Enable collection of device fingerprint details from the user device from Settings > Global > Client > HySecure Client Settings. (Refer to the figure below)
- In case of multiple Device ID-based Access Controls, only the policy with the highest priority (the lowest priority number, 1 being the highest) is applied.
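The two combination rules above (Application Access ACLs are additive across all enabled ACLs; Device ID ACLs are exclusive, with only the highest-priority one applied) are easy to get wrong when several ACLs target the same user through different groups. The following Python model is an added example written for this page; it is not Accops code and it does not reproduce the gateway's real data model. The `Acl` fields mirror the Common Configuration columns (state, valid-till date, priority), the sample ACLs and the user "alice" are constructed, and the tie-break between Device ID ACLs of equal priority (first in list order) is an assumption, since the page does not define one.

```python
from dataclasses import dataclass
from datetime import date
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class Acl:
    name: str
    acl_type: str                                # "Application Access", "Device ID", ...
    assigned_to: FrozenSet[str]                  # users or user groups the ACL is assigned to
    entitlements: FrozenSet[str] = frozenset()   # application groups (Application Access only)
    enabled: bool = True                         # Access Control State
    valid_till: Optional[date] = None            # Access Control Valid Till (None = no expiry)
    priority: int = 10                           # ACL Priority: 1 highest .. 10 lowest


def is_active(acl: Acl, today: date) -> bool:
    """An ACL contributes only while it is enabled and not past its expiry date."""
    if not acl.enabled:
        return False
    if acl.valid_till is not None and today > acl.valid_till:
        return False
    return True


def matching(acls: List[Acl], principals: FrozenSet[str], acl_type: str, today: date) -> List[Acl]:
    """Active ACLs of the given type assigned to the user or to any of the user's groups."""
    return [a for a in acls
            if a.acl_type == acl_type and is_active(a, today) and a.assigned_to & principals]


def resolve_application_access(acls: List[Acl], principals: FrozenSet[str], today: date) -> set:
    """Application Access ACLs are additive: the user gets every application group
    granted by any enabled, unexpired ACL that targets them (directly or via a group)."""
    granted = set()
    for acl in matching(acls, principals, "Application Access", today):
        granted |= acl.entitlements
    return granted


def resolve_device_id_policy(acls: List[Acl], principals: FrozenSet[str], today: date) -> Optional[Acl]:
    """Device ID ACLs are exclusive: only the highest-priority (lowest number) active
    matching ACL applies. Equal priorities keep list order (assumption, not from the page)."""
    candidates = matching(acls, principals, "Device ID", today)
    if not candidates:
        return None
    return min(candidates, key=lambda a: a.priority)


# Constructed sample data: alice is a Finance user; today is a fixed date for reproducibility.
ALICE = frozenset({"alice", "Finance", "DEFAULT_USER_GROUP"})
TODAY = date(2025, 1, 15)
SAMPLE_ACLS = [
    Acl("AppAccess-Finance", "Application Access", frozenset({"Finance"}), frozenset({"App_Group_1"})),
    Acl("AppAccess-Everyone", "Application Access", frozenset({"DEFAULT_USER_GROUP"}), frozenset({"App_Group_2"})),
    Acl("AppAccess-Expired", "Application Access", frozenset({"Finance"}), frozenset({"App_Group_3"}),
        valid_till=date(2024, 12, 31)),                      # expired: must not grant anything
    Acl("AppAccess-Disabled", "Application Access", frozenset({"alice"}), frozenset({"App_Group_4"}),
        enabled=False),                                       # disabled: must not grant anything
    Acl("AppAccess-HR", "Application Access", frozenset({"HR"}), frozenset({"App_Group_5"})),
    Acl("DevID-Everyone", "Device ID", frozenset({"DEFAULT_USER_GROUP"}), priority=5),
    Acl("DevID-Finance", "Device ID", frozenset({"Finance"}), priority=3),
    Acl("DevID-Finance-Old", "Device ID", frozenset({"Finance"}), priority=1,
        valid_till=date(2024, 6, 30)),                       # best priority, but expired
]

if __name__ == "__main__":
    print(sorted(resolve_application_access(SAMPLE_ACLS, ALICE, TODAY)))
    print(resolve_device_id_policy(SAMPLE_ACLS, ALICE, TODAY).name)
```

The expired priority-1 Device ID ACL is the case to watch: an administrator who reads the ACL list by priority alone would expect it to win, but the Valid Till date takes it out of contention and the priority-3 policy is what is actually enforced.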
Add a Device ID-based policy
To add this type of policy, click the Add button and select Device ID from the Access Control Type drop-down menu.
Type | Description |
---|---|
Access Control Type | As a part of the common configuration, select the Access Control Type as Device ID from the drop-down list. |
Per User Device Id Signatures | The number of devices from which a user may log in to the HySecure gateway. If the limit is set to one device, any attempt to log in from another device displays an error. |
Automatically approve devices | If enabled, the device used to log in will be automatically registered as a valid device. If disabled, the administrator must approve the device via Devices > Access Devices after receiving an email notification upon user login. |
Select Device ID Parameters | Select at least one of the following parameters for device identification. The selected information will be used for approval as a valid device. |
Select priority of the Policy | Select the priority level of the policy - 1 to 10, 1 being the highest. |
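How the three settings above interact (which parameters make up the device signature, how many signatures a user may register, and whether a new signature is approved automatically or held for the administrator) is shown in the following Python model. It is an added example for this page, not Accops code: the parameter names, the signature construction (a SHA-256 over the selected parameters only), the "pending" bucket for devices awaiting approval under Devices > Access Devices, and the rule that pending devices do not consume a slot until approved are all assumptions, and the device details and users are constructed.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Dict, Mapping, Sequence, Set

# Device ID parameters an administrator can select (names are assumed; the page
# names MAC address, CPU ID, motherboard ID and WAN IP as examples).
ALL_PARAMS = ("mac_address", "cpu_id", "motherboard_id", "wan_ip")


def device_signature(details: Mapping[str, str], selected: Sequence[str]) -> str:
    """Build a stable signature from only the selected parameters. Unselected
    parameters are deliberately excluded, so a policy that does not select wan_ip
    still recognises the same laptop when it connects from a different network."""
    missing = [p for p in selected if p not in details]
    if missing:
        raise ValueError(f"client did not report required parameters: {missing}")
    canonical = "|".join(f"{p}={details[p].strip().lower()}" for p in sorted(selected))
    return hashlib.sha256(canonical.encode()).hexdigest()


@dataclass(frozen=True)
class DeviceIdPolicy:
    per_user_signatures: int        # Per User Device Id Signatures
    auto_approve: bool              # Automatically approve devices
    selected_params: Sequence[str]  # Select Device ID Parameters


@dataclass
class DeviceRegistry:
    approved: Dict[str, Set[str]] = field(default_factory=dict)  # user -> approved signatures
    pending: Dict[str, Set[str]] = field(default_factory=dict)   # user -> awaiting admin approval

    def login(self, user: str, details: Mapping[str, str], policy: DeviceIdPolicy) -> str:
        """Decide a login attempt. Only approved devices count against the limit
        (assumption: a pending device does not consume a slot until approved)."""
        sig = device_signature(details, policy.selected_params)
        approved = self.approved.setdefault(user, set())
        if sig in approved:
            return "ALLOW"
        if len(approved) >= policy.per_user_signatures:
            return "DENY_DEVICE_LIMIT"
        if policy.auto_approve:
            approved.add(sig)
            return "ALLOW_NEW_DEVICE_REGISTERED"
        self.pending.setdefault(user, set()).add(sig)
        return "DENY_PENDING_ADMIN_APPROVAL"

    def admin_approve(self, user: str, sig: str, policy: DeviceIdPolicy) -> bool:
        """Administrator approves a pending device; the per-user limit still applies."""
        pending = self.pending.get(user, set())
        approved = self.approved.setdefault(user, set())
        if sig not in pending or len(approved) >= policy.per_user_signatures:
            return False
        pending.discard(sig)
        approved.add(sig)
        return True


# Constructed sample devices (RFC 5737 documentation addresses, made-up hardware IDs).
LAPTOP = {"mac_address": "00:11:22:33:44:55", "cpu_id": "CPU-0001",
          "motherboard_id": "MB-0001", "wan_ip": "203.0.113.10"}
LAPTOP_ON_OTHER_NETWORK = dict(LAPTOP, wan_ip="198.51.100.7")
DESKTOP = {"mac_address": "66:77:88:99:aa:bb", "cpu_id": "CPU-0001",
           "motherboard_id": "MB-0002", "wan_ip": "203.0.113.10"}

# One-device policy that ignores the WAN IP, and a two-device policy that requires admin approval.
STRICT = DeviceIdPolicy(per_user_signatures=1, auto_approve=True,
                        selected_params=("mac_address", "motherboard_id"))
MANUAL = DeviceIdPolicy(per_user_signatures=2, auto_approve=False,
                        selected_params=("mac_address", "motherboard_id", "wan_ip"))


def demo_strict_policy() -> list:
    """Three logins by alice under STRICT: register laptop, same laptop elsewhere, then a desktop."""
    registry = DeviceRegistry()
    return [registry.login("alice", LAPTOP, STRICT),
            registry.login("alice", LAPTOP_ON_OTHER_NETWORK, STRICT),
            registry.login("alice", DESKTOP, STRICT)]


if __name__ == "__main__":
    print(demo_strict_policy())
```

Including WAN IP in the signature is a trade-off: it ties the device to a network, which is stronger for fixed desktops but turns every roaming laptop into a "new device" that needs approval or consumes a slot. The `MANUAL` policy in the sample shows that effect.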
Endpoint Protection-Type Access Control Policy
This type of access control policy helps control external connections on the user’s machine, including the Internet. This policy is enforced after the user has successfully logged in.
Add an Endpoint Protection-based policy
To add an Endpoint Protection policy, click the Add button and select Endpoint Protection from the Access Control Type drop-down menu.
Type | Description |
---|---|
Block Internet | Select this option to block the Internet on the user's machine once the user logs in. |
Close existing connections | Select this option to close existing connections on the user's machine when logging in to the server, such as an RDP connection to another machine. |
Continue to block all other external connections | Select this option to continuously block any external connections after the user logs in. |
Do not allow login through Internet proxies | This option prevents HySecure gateway login via Internet proxies. |
Select Priority of the Policy | Select the level of priority of policy - 1 to 10, 1 being the highest. |
Notifications-Type Access Control Policy
Create this access control policy to generate actionable e-mail-based alerts for user events like first login, new device registration, subsequent user login, etc., in the HySecure gateway.
Note
The Access Control policy determines the triggering event for notifications.
Add a Notifications-based Access Control Policy
To add a policy, click the Add button and select Notifications from the Access Control Type drop-down menu.
Field | Description |
---|---|
Events | Select one or more of the below events on which email notification must be sent to the configured Recipient Email ids. |
User First Login | Select this to enable notifications for the user's first login. |
User Login | Select this to enable notifications whenever a specified user logs into the HySecure gateway. |
User Logout | Currently not implemented. |
Access Control Policy Expiry | Select this to enable notifications on Application Access Control expiry for any User/User Group. |
Account Lockout | Select this to enable notifications for user Account lockout. This can be configured by Admin from Users > Registered Users or Account Lockout Access Control. |
Application Access | Currently not implemented. |
New Device Registration | Select this to enable notifications when a new device is registered for the user specified in the access control. The number of allowed devices from where a user can log in is configured as part of the Device ID Access Control. |
Recipient Email(s) | Enter the semicolon-separated list of email IDs of the users who should receive notifications about the above-mentioned events. For example, xyz@accops.com;abc@accops.com. |
Account Lockout-based Access Control
Create this policy to lock the user account after a certain number of days after the user’s first login/last login in the HySecure gateway.
Important
The Account Lockout Access Control applies to the entire domain, not specific users or user groups.
Add a Lockout-based Access Policy
To add a policy, click the Add button and select Account Lockout from the Access Control Type drop-down menu.
Field | Description |
---|---|
User should not be able to login after entered days of first login | The user account is locked after a certain number of days following the user's first login. |
User should not be able to login after entered days of last login | The user account is locked if the user does not log in within a certain number of days after their last login. |
Endpoint Security-based Access Control
This access control policy (EPS) enforces specific host scan policies/device profiles for specific users/groups at login time. This policy helps provide granular and contextual security based on parameters such as antivirus, domain, MAC address, installed Windows updates, etc.
Add Endpoint Security-based policy
To add a policy, click the Add button and select EndPoint Security from the Access Control Type drop-down menu.
Field | Description |
---|---|
Select Device Profile Type | Select Any Device Profile to allow the user to log in from any device profile that the endpoint fulfils. Select Selected Device Profiles to allow the user to log in only when the endpoint fulfils one of the specified device profiles. |
Select Device Profiles | Select profile from the list and click Add. Use the CTRL key to select multiple profiles. |
Allow Access from HyLite Portal (Browser) | Check this option if the user login is to be allowed from the HyLite portal (Browser). |
Allow access from Native Client | Check this option if the user login is to be allowed from Native Client. |
Select priority of policy | Select the policy priority – 1 to 10, 1 being the highest. |
Client Configuration-based Access Control
Earlier, Client Configuration was applied at the gateway level. This access control allows administrators to assign distinct client configurations to individual users or user groups.
Add Client Configuration-based policy
To add a policy, click the Add button and select Client Configuration from the Access Control Type drop-down menu.
Field | Description |
---|---|
Select Client Profiles | Select the relevant client profile for the chosen user/user group. |
Select priority of policy | Select the priority of policy - 1 to 10, 1 being the highest. |
App Whitelisting-based Access Control
This access control enables only approved applications on the client machine to run. Applications that are not approved will not function when the HySecure client is logged in.
Add Whitelisting-based policy
To add a policy, click the Add button and select App whitelisting from the Access Control Type drop-down menu.
Field | Description |
---|---|
Select Rules | The rules that should be explicitly added to the Blacklisted_Apps list. By default, applications are allowed (whitelisted). |
Authentication-based Access Control
This CARTA-driven access control policy periodically re-authenticates the user with 2FA tokens configured in the HyID policy. This policy is crucial for Liveness Detection, which securely distinguishes between live human and fake representations.
To ensure that only authorized users access the application, the policy requires periodic reauthentication of users during a previously authenticated session. This continuous authentication process takes place at a defined time interval and uses 2FA tokens that are configured through the HyID policy. If users fail to reauthenticate, they will be automatically logged out from the HySecure gateway.
Add Authentication-based policy
To add a policy, click the Add button and select Authentication from the Access Control Type drop-down menu.
Configure the following settings in the Authentication Setting.
Field | Description |
---|---|
Disable/Enable CARTA | Select Enable CARTA to create and configure an access policy to reauthenticate the user. |
Enable Forced reauthentication > Reauthentication Interval | Specify the time interval, in minutes, for the reauthentication cycle to re-initiate. |
Client Settings > Heartbeat Interval | Specify the time interval, in minutes, for the client to initiate the reauthentication cycle. |
Client Settings > Reauthentication window timeout | Specify the time interval, in minutes, after which the reauthentication window will time out, and the session will expire, forcing the user to re-login. |
Gateway Settings > Reauthenticate using | Select the HyID policy for reauthentication. |
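The three timing settings above (Reauthentication Interval, Heartbeat Interval, Reauthentication window timeout) determine when a user is prompted and when an unanswered prompt ends the session. The following Python simulation is an added example for this page, not Accops code, and it does not reproduce the client's real state machine. It assumes a simple model: a reauthentication cycle becomes due once the interval has elapsed since the last authentication, the client only notices at its next heartbeat, the user then has the window timeout to complete the HyID 2FA prompt, and an unanswered prompt expires the session. The settings values and the user's response times are constructed.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class CartaSettings:
    reauth_interval: int     # Reauthentication Interval: minutes since last auth before a cycle is due
    heartbeat_interval: int  # Heartbeat Interval: minutes between client checks that start the cycle
    window_timeout: int      # Reauthentication window timeout: minutes to answer the 2FA prompt


Event = Tuple[int, str]


def simulate_session(settings: CartaSettings, reauth_answers: Iterable[int],
                     horizon: int) -> Tuple[List[Event], Optional[int]]:
    """Walk a logged-in session minute by minute (minute 0 = login).

    reauth_answers: minutes at which the user successfully completes the HyID 2FA prompt.
    Returns (events, expired_at); expired_at is None if the session survives to `horizon`.
    Modelling assumptions: a cycle only starts at a heartbeat; an answer while no prompt
    is open is ignored; a prompt unanswered by its deadline expires the session."""
    answers = set(reauth_answers)
    last_auth = 0
    deadline: Optional[int] = None
    events: List[Event] = []
    for t in range(1, horizon + 1):
        # 1. The user answers an open prompt in time: session re-authenticated.
        if deadline is not None and t in answers and t <= deadline:
            events.append((t, "reauth_ok"))
            last_auth, deadline = t, None
        # 2. The window has closed with no answer: the session expires at the deadline.
        if deadline is not None and t > deadline:
            events.append((deadline, "session_expired"))
            return events, deadline
        # 3. Heartbeat: the client checks whether a new cycle is due and opens the prompt.
        if (t % settings.heartbeat_interval == 0 and deadline is None
                and t - last_auth >= settings.reauth_interval):
            deadline = t + settings.window_timeout
            events.append((t, "prompt_opened"))
    return events, None


# Constructed settings: re-authenticate every 30 minutes, heartbeat every 5, 3 minutes to answer.
SETTINGS = CartaSettings(reauth_interval=30, heartbeat_interval=5, window_timeout=3)

if __name__ == "__main__":
    # The user answers the first prompt at minute 32 but is late (minute 70) for the second.
    for event in simulate_session(SETTINGS, [32, 70], horizon=120)[0]:
        print(event)
```

Two things the simulation makes visible: the prompt does not appear exactly at the reauthentication interval but at the first heartbeat on or after it, so the real gap between authentications is up to `reauth_interval + heartbeat_interval - 1` minutes; and the window timeout is measured from when the prompt opens, so a user who is away from the keyboard for longer than `window_timeout` is logged out even though they would have answered.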
SMS Gateway-based Access Control
Create this access control policy to send SMS to specific users or user groups through a designated SMS gateway. Use an SMS Gateway-based policy to route specific users through one of several configured SMS gateways.
Add SMS Gateway-based policy
To add a policy, click the Add button and select SMS Gateway from the Access Control Type drop-down menu.
Field | Description |
---|---|
SMS Gateway | Select the SMS Gateway details used to send HySecure/HyID notifications and OTPs to the users. |
Modify an Access Control Policy
Select the policies and click Modify to edit HyID Policies. Edit the details and click Submit. For more information, refer to Common Configuration.
Delete an Access Control Policy
Select the policy to be deleted from the HyID Policy page and click the Delete button. Once confirmed, the policy will be permanently removed.
Export an Access Control Policy
Click Export to export all details of the access control policies in a .CSV file.
Search an Access Control Policy
The administrator can search the relevant access control policy in the ACL based on the following parameters:
Field | Description |
---|---|
Name | The name of the Access control policy. |
HySecure Domain | The HySecure Domain for which Access control will be applied. |
Authorization Server | The authorization server linked to the policy. The policy will apply to the Users / User Groups fetched from this authorization server. |
Assignment Type | Indicates whether the policy is assigned to users or user groups. |
Users/User Groups | The name of the user or user groups. |
Type | The type of the access control policy. |