Checking access rights


To understand the access rights being granted by the AppGate ZTNA system, you need to understand:

  • who is being granted this policy (assignment criteria in policies)

  • what entitlements are contained within a given policy (by name or tag)

  • when any entitlements will be allowed (risk model and/or access criteria in conditions).

Remember that AppGate ZTNA uses claims to make access decisions. Claims are used in criteria expressions to decide who is going to be assigned a given policy and when an entitlement is allowed.

Claims are key-value pairs that relate to the identity and context of the user or device and are specific to each session.

There are several types of claims:

  • Context. Based on helpers that evaluate things like whether an address is in a given IP range.

  • User. Static, non-changing claims such as username from the IdP, user claims script, or Connector.

  • Device. Dynamic, changeable claims such as the IP address of the connecting device.

  • System. Dynamic, changeable claims such as the country code from the Gateway.

And two classes of availability within the system:

  • Built-in (formerly Fixed). Set by the system; will always be gathered.

  • Scripted (formerly On-demand). Configured by the admin; gathered when required.

Who

Test users - Active Session Mode

When you are creating or editing a policy or criteria script you can use the <Actions> button to perform a test. This test feature has two modes: Simulation and Active Session. The Active Session mode is most useful in this case on a live system with active users.

In active session mode you can pick and test an active user/IdP combination from the Active Sessions page. The criteria will be evaluated against this user's current claims and a true/false result shown.

Test Criteria session selection interface with date and time input.

What

Entitlements are the 'crown jewels' regarding access - they are effectively the 'allow' firewall rule, so it is important to know where they are used:

Using the Entitlements list

Go to the Entitlements page and click on the actions button of the entitlement of interest.

List linked Policies

Use this to establish which policies contain a given entitlement: from the entitlement view you can analyze the system configuration to determine all the policies (by name or tag) that are linked to this entitlement.

List of policies linked to 'Test - Exclude' with status and last modified date.

Using active sessions

Go to Active Sessions and click on the user to reveal the Active session details for that user.

Analyze policy assignments

Runs a simulation of the policy assignment process using the user's currently reported claims.

Use the <Actions> button to Analyze Policy Assignments.

The Policy Assignments Analysis window for ghr-egress, showing assigned policies and access details.

This will allow you to see which policies are being assigned to the user.

Importantly it also will show you the specific policy which is being used to apply the various device settings:

List of policies used to apply device settings.

List Entitlements

The Entitlements tab lists all the entitlements the user has been granted. For each one it shows the matched policies that included this entitlement.

When

The most powerful way to set up access controls is to use condition based access. Conditions contain claims-based access criteria expressions that must equate to true for the action(s) specified in the entitlement to be allowed. For example: access may only be allowed if the user is working from an office-based IP address. When the criteria equate to false then the Entitlement will not be allowed (block rule applies). If a user interaction has been configured in a condition, this will be triggered when the access criteria equate to false. User interactions provide an alternative way for the user to unblock access - by updating claims or providing new claims that will now meet the access criteria. For example: providing multifactor authentication could be an alternative method for gaining access if not working from an office-based IP address.

Using Conditions

List linked Entitlements

Go to the Conditions page and click on the actions button of the condition of interest.

From here you can analyze the system configuration to determine all the entitlements linked to this condition.

List of linked entitlements with their enabled status displayed.

Test criteria - Simulation Mode

When you are creating or editing a condition you can use the <Actions> button to perform a test. This test feature has two modes: Simulation and Active Session. The Simulation mode is most useful in this case while setting up new conditions.

If you have an (access) criteria of "The Client Device has an IP in network 192.168.1.0/24" then the test function will automatically create a dialogue that allows you to enter values for this claim. In the example below 192.160.0.12 is not in the range so the test results in false.

The Test Expression configuration window with specific client IP and date, resulting in access denial.

If you add a second claim value (client devices can have multiple interfaces) of 192.168.1.12, this is in the range so the test results in true.

The Test Expression configuration window with specific client IP and date for access validation.
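The following is an added example, not code from AppGate or this page, that reproduces the Simulation Mode test above and the condition logic described under "When": an access criteria that holds if any of a device's reported IP addresses is in 192.168.1.0/24, a block when it is false, and a user interaction (here an assumed MFA prompt that adds a constructed `mfaVerified` user claim) as the alternative route to access. The claim names and the `{"user": ..., "device": ...}` dictionary shape are assumptions for illustration, not AppGate's actual claim schema.

```python
import copy
import ipaddress

# Network from the page's example criteria.
OFFICE_NETWORK = ipaddress.ip_network("192.168.1.0/24")


def device_ip_in_network(device_claims, network=OFFICE_NETWORK):
    """Criteria: 'The Client Device has an IP in network 192.168.1.0/24'.
    A device can have multiple interfaces, so the claim may carry several
    values; the criteria is true if any one of them is in the network."""
    addresses = device_claims.get("ipAddress", [])
    if isinstance(addresses, str):
        addresses = [addresses]
    return any(ipaddress.ip_address(a) in network for a in addresses)


def access_criteria(claims):
    """Condition expression: office IP, or (assumed claim) MFA already done.
    The MFA claim is what the user interaction below supplies."""
    return device_ip_in_network(claims["device"]) or (
        claims["user"].get("mfaVerified") is True
    )


def mfa_prompt_success(claims):
    """Assumed user interaction: a successful MFA prompt returns a new claim
    set with mfaVerified added; the session's original claims are untouched."""
    updated = copy.deepcopy(claims)
    updated["user"]["mfaVerified"] = True
    return updated


def evaluate_entitlement(claims, user_interaction=None):
    """Allow the entitlement only while the criteria equates to true. When it
    is false the block rule applies, unless a user interaction is configured
    and the claims it provides make the criteria true on re-evaluation."""
    if access_criteria(claims):
        return "allow"
    if user_interaction is None:
        return "block"
    return "allow" if access_criteria(user_interaction(claims)) else "block"


if __name__ == "__main__":
    # Constructed session claims mirroring the page's Simulation Mode inputs.
    off_site = {"user": {"username": "alice"}, "device": {"ipAddress": ["192.160.0.12"]}}
    two_ifaces = {"user": {"username": "alice"},
                  "device": {"ipAddress": ["192.160.0.12", "192.168.1.12"]}}
    print(evaluate_entitlement(off_site))                       # block
    print(evaluate_entitlement(off_site, mfa_prompt_success))   # allow
    print(evaluate_entitlement(two_ifaces))                     # allow
```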

Using Active Sessions

Go to Active Sessions and click on the username that is of interest to reveal the session details for that user.

List user's Claims

There are tabs for User Claims, Device Claims, and System Claims which list all the claims being used by the Collective to make assignment/access decisions.