Access management


Access management is configured using a combination of Policies, Entitlements, the Risk Model, Conditions and Scripts. These are the main elements you need for provisioning fine-grained access to administrators, users and devices.

Application Discovery can be a vital tool when you are migrating from a traditional network model to the ZTNA model. With a traditional VPN solution you may not really know which apps users are connecting to, so you can't easily define the Policies/Entitlements that Appgate SDP requires. Application Discovery allows organizations to quickly identify which apps users are connecting to and then to create the appropriate Policies/Entitlements.

Policies are the front door to the Appgate SDP system and assign rights to users/devices after a successful sign-in. There are five different classes of Policy that can be assigned:

  • Access via Gateways based on Entitlements along with any related Conditions that apply

  • Admin rights to perform one or more administrative roles (admin UI & APIs)

  • Device controls which are pushed to the Client (Ringfence rules, Client profile settings, etc.)

  • DNS settings comprising match-domain DNS settings along with the required Entitlements for the DNS servers specified

  • Stop assigning Policies and do not authenticate the user/device

Policies are enabled on a per-user basis using Claims-based assignment expressions. The Controller manages this process and the resulting settings/Entitlements are then passed to the Client.

Entitlements are assigned to users by Policies. Each Entitlement Token issued defines the Entitlements available to the specific user/device for a specific Site.

The main elements of an Entitlement are:

  • the Client app shortcuts

  • the Actions - defining the (protected) hosts and the rule to be used (typically <ALLOW>, but it can also be <BLOCK>, <ALERT> or <EXCLUDE>).

  • any access controls imposed by Gateways relating to the Actions. <Always Allow Action> is the default. <Risk Based Access> provides an easy way to apply access controls without using Conditions. <Condition Based Access> allows more complex configurations based on access criteria expressions or access criteria scripts.

An Entitlement might be created for Site net1 to: <ALLOW> TCP up to 10.0.0.1 on port 80, but only between 09.00 and 17.00.

The most powerful way to set up access controls is to use Condition Based Access. Conditions contain claims-based access criteria expressions that must evaluate to true for the Action(s) specified in the Entitlement to be allowed. For example: access may only be allowed if the user is working from an office-based IP address. When the criteria evaluate to false, the Entitlement is not allowed (the block rule applies). If a user interaction has been configured in a Condition, it is triggered when the access criteria evaluate to false. User interactions give the user an alternative way to unblock access, by updating claims or providing new claims that will now meet the access criteria. For example: completing multi-factor authentication could be an alternative method for gaining access when not working from an office-based IP address.
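To make the chain of Policy assignment, Entitlement Actions and Condition evaluation concrete, here is an added, self-contained model of the decision flow. It is illustrative code written for this page, not Appgate SDP's own engine or expression syntax. The claim layout (`claims.user`, `claims.device`, `claims.system`), the office CIDR `203.0.113.0/24`, the Policy, Entitlement and Condition names, and the `mfaVerified` claim are all constructed for the example; it reproduces the net1 Entitlement from the text (TCP to 10.0.0.1 port 80, 09:00 to 17:00) and gates it on an office IP with MFA as the user-interaction fallback.

```javascript
// Added illustration of Policy -> Entitlement -> Condition evaluation.
// Not Appgate SDP code; names, claim layout and values are constructed.

// --- small IPv4 helpers (assumed, not part of the product) ---
function ipToInt(ip) {
  return ip.split('.').reduce((acc, o) => (acc << 8) + Number(o), 0) >>> 0;
}
function inCidr(ip, cidr) {
  const [net, bits] = cidr.split('/');
  const mask = bits === '0' ? 0 : (~0 << (32 - Number(bits))) >>> 0;
  return (ipToInt(ip) & mask) === (ipToInt(net) & mask);
}

const OFFICE_CIDR = '203.0.113.0/24'; // constructed: documentation range

// Policies are selected per user/device by a claims-based assignment
// expression and hand out Entitlements (constructed example Policy).
const policies = [
  {
    name: 'Employees',
    assignment: (claims) => claims.user.groups.includes('employees'),
    entitlements: ['Intranet web'],
  },
];

// An Entitlement lists Actions for one Site. Each Action carries a rule
// (allow / block / alert / exclude) and may be gated by a Condition.
const entitlements = {
  'Intranet web': {
    site: 'net1',
    actions: [
      { rule: 'allow', protocol: 'tcp', host: '10.0.0.1', ports: [80],
        condition: 'Office hours from office IP' },
    ],
  },
};

// A Condition's access criteria must evaluate to true. When they do not,
// the Action is blocked and the configured user interaction (MFA here)
// offers an alternative claim that can satisfy access instead.
const conditions = {
  'Office hours from office IP': {
    criteria: (claims) =>
      inCidr(claims.system.clientIp, OFFICE_CIDR) &&
      claims.system.hourOfDay >= 9 && claims.system.hourOfDay < 17,
    userInteraction: {
      criteria: (claims) => claims.user.mfaVerified === true,
      prompt: 'Multi-factor authentication required outside the office',
    },
  },
};

// Evaluate one access request: which Policies apply, which Entitlements
// they grant for the requested Site, and whether the matching Action's
// Condition (or its user-interaction fallback) is satisfied.
function decide(claims, request) {
  const assigned = policies.filter((p) => p.assignment(claims));
  if (assigned.length === 0) return { decision: 'deny', reason: 'no policy assigned' };

  const granted = assigned.flatMap((p) => p.entitlements)
    .map((name) => entitlements[name])
    .filter((e) => e && e.site === request.site);

  for (const e of granted) {
    for (const a of e.actions) {
      const matches = a.protocol === request.protocol &&
        a.host === request.host && a.ports.includes(request.port);
      if (!matches) continue;
      if (a.rule !== 'allow') return { decision: a.rule, reason: `${a.rule} rule` };
      if (!a.condition) return { decision: 'allow', reason: 'Always Allow Action' };
      const c = conditions[a.condition];
      if (c.criteria(claims)) return { decision: 'allow', reason: 'condition met' };
      if (c.userInteraction && c.userInteraction.criteria(claims)) {
        return { decision: 'allow', reason: 'user interaction satisfied' };
      }
      return { decision: 'block', reason: 'condition not met',
        userInteraction: c.userInteraction ? c.userInteraction.prompt : undefined };
    }
  }
  return { decision: 'block', reason: 'no matching Entitlement' };
}

// Constructed claim sets for trying the model out.
function sampleClaims(overrides = {}) {
  return {
    user: { name: 'alice', groups: ['employees'], mfaVerified: false, ...overrides.user },
    device: { os: 'linux', ...overrides.device },
    system: { clientIp: '203.0.113.5', hourOfDay: 10, ...overrides.system },
  };
}
const WEB_REQUEST = { site: 'net1', protocol: 'tcp', host: '10.0.0.1', port: 80 };
```

Running `decide(sampleClaims(), WEB_REQUEST)` allows the request; the same request from `198.51.100.7` without MFA is blocked and carries the MFA prompt, while adding `mfaVerified: true` to the user claims turns it into an allow via the user interaction. A user outside the `employees` group gets no Policy at all and is denied before any Entitlement is considered, which is the "stop assigning Policies" path described above.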

The rest of this section focuses on how the controls actually work and the wider requirements that need to be considered in order to provision rights successfully.

Flowchart illustrating user entitlement and policy creation processes with defined conditions and actions.