ProxySG Content Policy Language Guide
group=
Tests if the client is authenticated, and the client belongs to the specified group. If both of these conditions are met, the result is true. In addition, the realm= condition can be used to test whether the user is authenticated in the specified realm. This trigger is unavailable if the current transaction is not authenticated; that is, the authenticate( ) property is set to no.
If you reference more than one realm in your policy, consider disambiguating group tests by combining them with a realm= test. This reduces the number of extraneous queries to authentication services for group information that does not pertain to that realm.
Syntax
group=group_name
where:
• group_name—Name of a group in the default realm. The required form, and the name attribute's case-sensitivity, depends on the type of realm.
❐ NTLM realm: Group names are of the form Domain\groupname, where Domain may be optional, depending on whether or not the CAASNT is installed on the NT domain controller for the domain. Names are case-insensitive.
❐ Local Password realm: Group names are up to 32 characters long, and underscores (_) and alphanumerics are allowed. Names are case-sensitive.
❐ RADIUS realm: RADIUS does not support groups. Instead, groups in RADIUS environments are defined by assigning users a ServiceType attribute.
❐ LDAP realm: Group definitions depend on the type of LDAP directory and LDAP schema. Generally, LDAP distinguished names are used in the following form: cn=proxyusers, ou=groups, o=companyname. Case-sensitivity depends on the realm definition configuration.
❐ Certificate realm: Certificate realms provide authentication, but do not themselves provide authorization; instead they delegate group membership decisions to their configured authorization realm, which is either a Local Password realm or an LDAP realm. Group definitions should conform to the appropriate standards for the delegated authorization realm. Although the group used in policy is then a group from the delegated realm, to achieve performance benefits, the group= test should be preceded with a realm= test for the certificate realm, not the delegated authorization realm.
❐ Sequence realm: A sequence realm is a configured list of subordinate realms to which the user credentials are offered, in the order listed. The user is considered authenticated when the offered credentials are valid in one of the realms in the sequence. Authorization of the user is done with respect to the subordinate realm in which authentication occurred. Group names may be valid names in any of the realms in the sequence, but for the group= test to evaluate to true, the group must be valid in the realm in which the user is actually authenticated. If the group is valid in all realms in the sequence, then the group= test must be preceded by a realm= test of the Sequence realm; otherwise, it should be preceded by a realm= test of the appropriate subordinate realm.
Layer and Transaction Notes
• Use in <Admin> and <Proxy> layers.
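Added example, not taken from the guide, showing group= tests qualified by realm= tests so that only the realm that authenticated the user is queried for group membership. The realm names corp_cert, corp_ldap, corp_local and corp_seq, and the group names, are assumed for illustration; corp_seq is assumed to be a Sequence realm listing corp_cert, corp_ldap and corp_local, with corp_cert delegating authorization to corp_ldap.

```cpl
; Added example, not from the guide. Assumed realms: corp_cert (Certificate
; realm, authorization delegated to corp_ldap), corp_ldap (LDAP), corp_local
; (Local Password) and corp_seq (Sequence realm: corp_cert, corp_ldap,
; corp_local). Group names are constructed for illustration.

<Proxy>
    ; Authenticate against the sequence realm; group= is unavailable until
    ; the transaction is authenticated.
    authenticate(corp_seq)

<Proxy>
    ; The LDAP group is valid in corp_cert (via delegation) and corp_ldap but
    ; not in corp_local, so it is not valid in every realm of the sequence.
    ; Each test is therefore qualified by the subordinate realm that actually
    ; authenticated the user. The certificate case tests corp_cert itself,
    ; not the delegated authorization realm corp_ldap.
    realm=corp_cert  group="cn=proxyusers,ou=groups,o=companyname" allow
    realm=corp_ldap  group="cn=proxyusers,ou=groups,o=companyname" allow

    ; Local Password group (case-sensitive) only exists in corp_local; the
    ; realm= test keeps corp_cert and corp_ldap from being queried for it.
    realm=corp_local group=proxy_admins allow

    ; Any authenticated user matching none of the groups above is denied.
    deny
```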