Forum Discussion

davidfarje's avatar
davidfarje
Icon for Nimbostratus rankNimbostratus
Jul 04, 2024

APM Local DB multiple groups

Hi,

I'm using APM with localdb authentication and performing a group lookup and resource assign ACLs based on the localdb group. It works well with one group and one set of ACLs per group. 

But what if I want a user to have ACLs from more than one group? do I assign multiple groups to the user? I've sort of tried this but it did not work.  Only ACL from one group are applied.  Is this sort of functionality supported or is the group field in localdb meant for only one group?

aaa
acls
APM
group mapping
localdb
network access
policy editor
security
SSLVPN

2 Replies

Sort By
  • F5_Design_Engineer's avatar
    F5_Design_Engineer
    Icon for MVP rankMVP
    Jul 04, 2024

     try adding AD query after the logon Page and then assigning the resources on the user level.

     

    try using the expression in the Advance resource Assignment and then assigned the user with individual resources.

     

    expr { [mcget {session.logon.last.username}] == "test_user" }

     

    Branching in an access policy based on local user database groups

    You can store user group membership strings in a local user database instance. You can add one or more strings for a user to the database. The strings can reflect any grouping strategy that you want to apply. You can make user group-based branching decisions in an access policy by reading the group information for the user from the database, and creating rules for branching based on it.

    Before you can perform this task, you need users and user group membership strings configured in a local user database instance. You also need an access profile.

    Task summary

     

    Creating an access policy to branch based on local DB group membership

    You can use an access policy to retrieve user group membership from a local user database instance and configure branch rules to provide different actions for users in different groups.

    1. On the Main tab, click Access Policy > Access Profiles. The Access Profiles List screen opens.
    2. In the Access Policy column, click the Edit link for the access profile you want to configure. The visual policy editor opens the access policy in a separate screen.
    3. On an access policy branch, click the (+) icon to add an item to the access policy. Repeat this action from the visual policy editor whenever you want to add an item to the access policy. A popup screen displays actions on tabs, such as General Purpose and Authentication, and provides a search field.
    4. Type local in the search field. Search is not case-sensitive. A list of matching actions is displayed.
    5. Select Local Database and click Add Item. A properties screen displays.
    6. From the LocalDB Instance list, select a local user database.
    7. In the User Name field, retain the default session variable or type another variable name or a user name.
    8. From the Allow User Creation list, retain the default value (No).
    9. Click Add new entry. A new line is added to the list of entries.
    10. Configure the entry to read the groups from the database and store them in a variable:
      1. From the Action list, select Read.
      2. In the Source column from the DB Property list, select groups.
      3. In the Destination column Session Variable field, retain the default value, session.localdb.groups or type the name of a variable.
      4. In the Source column from the DB Property list, select groups. You have configured an action that reads the user's groups into a variable.
    11. Click the Branch Rules tab to edit a branch rule.
    12. Click the Add Branch Rule button. New Name and Expression settings display.
    13. In the Name field, replace the default name by typing a new name over it. The default name is Branch Rule n where n is a number. The name appears on the branch in the access policy and so should be descriptive.
    14. Click the change link in the Expression area. A popup screen opens.
    15. Click the Advanced tab. Use this tab to enter Tcl expressions. A text input field displays.
    16. Type an expression into the text input field. If you expect groups to include only one entry, you can type an expression similar to this one.expr { [mcget {session.localdb.groups}] eq "eng" }If you expect groups to include multiple entries, you can type an expression similar to this oneexpr { [mcget {session.localdb.groups}] contains "sales" }
    17. Click Finished. The popup screen closes.
    18. Add more branch rules to provide branches for different user groups.
    19. Click Save. The properties screen closes and the visual policy editor displays.
    20. Optional: Add any other branches and actions that you need to complete the access policy.

    When the access policy runs and takes the branch with the Local Database read action, additional branching is done based on group membership.

     

    Sample access policy that uses local user DB groups in a branching strategy

    Local User Database (f5.com)

    Watch this youtube Video for Local DB groups:

    https://www.youtube.com/watch?v=BCxAxH_0o7Y

    ========================

    Separating groups assigned to users in Local User DB into individual variables (f5.com)

    About LocalDB Group Lookup,About LocalDB Group Lookup,About LocalDB Group Lookup (f5.com)

    Local User Database (f5.com)

    AD and LDAP Group Resource Assign feature (f5.com)

    HTH

    ��

     

  • davidfarje's avatar
    davidfarje
    Icon for Nimbostratus rankNimbostratus
    Jul 05, 2024

    Hi F5_design_engineer,

    Resource assignment based on LocalDB group works.  What I want to know is, if I assign a user to multiple LocalDB groups.  Will the resource assigns for each group be cumulative? or mutually exclusive?