Dynamic least privilege model


Understanding User Sign-In and Access Control

When a user signs in to AppGate ZTNA, the system collects claims (attributes of the user, the device and the session). The Controller uses these claims to decide which policies apply to the user or device, and the policies in turn determine the entitlements. The entitlements are issued as entitlement tokens, and these tokens establish the firewall rules that apply to the user for the session. With thousands of users signed in, an AppGate ZTNA system can easily carry millions of such dynamic firewall rules.

Alongside the entitlement tokens, the claims are also sent to the Gateways inside a claims token. Together with any extra claims the Gateways gather themselves, these determine which hosts are permitted while the session is in use. Throughout the session, access is re-evaluated dynamically and conditionally, so control over access is continuous and reflects the current state rather than only the state at sign-in.

Combining precise access rights with dynamic controls allows access decisions to be both timely and accurate. This approach, known as live entitlements, is a significant security improvement over access that is fixed at sign-in.

Administrators define access by creating entitlements that contain actions. Within an action, the permitted hosts can be specified in several ways: IP addresses, subnets, hostnames, URLs, resource names (resolved by cloud resolvers), and host entitlement scripts.

Several components within AppGate ZTNA support live entitlements. Resource names and entitlement scripts in particular drive the dynamic least-privilege access model that is fundamental to AppGate ZTNA: they let the system adjust in near real time as the infrastructure changes.

Each entitlement carries access controls: it is either set to "always allow", or it requires one or more access criteria to be satisfied before that entitlement is granted.

Entitlements may contain static actions or more dynamic elements such as resource names or scripts. The dynamic elements let AppGate ZTNA work out which hosts to connect to from real-time information, for example the number of auto-scaled hosts currently running, rather than from a list fixed when the entitlement was written.
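To make the flow above concrete, here is an added example that models live entitlements end to end: claims select policies, policies carry entitlements with access criteria, and each action's hosts come from a static list, a resource name looked up through a resolver, or a host script that sees the claims. This is illustration code written for this page, not Appgate's own code or API; the claim layout, the policy and entitlement structure, the resolver callback and all inventory data are assumptions.

```javascript
// Added example: a toy model of live entitlements as the page describes them.
// This is not Appgate's code or API; the claim layout, the policy/entitlement
// structure and the resolver callback are assumptions made for illustration.

// Constructed claims, standing in for what the Controller collects at sign-in.
const sampleClaims = {
  user: { username: "alice", groups: ["developers"] },
  device: { os: "macOS", diskEncrypted: true },
};

// Constructed policies. A policy is assigned when its assignment test matches
// the claims; its entitlements carry access criteria (empty = "always allow")
// and actions whose hosts are static, resolved by resource name, or produced by
// a host script that receives the claims.
const samplePolicies = [
  {
    name: "Developers",
    assign: (c) => c.user.groups.includes("developers"),
    entitlements: [
      {
        name: "Git over SSH",
        criteria: [],                       // always allow
        actions: [{ proto: "tcp", ports: [22],
                    hosts: { type: "static", values: ["10.10.0.5"] } }],
      },
      {
        name: "Web tier (auto-scaled)",
        criteria: [(c) => c.device.diskEncrypted === true],
        actions: [{ proto: "tcp", ports: [443],
                    hosts: { type: "resource", name: "tag:web" } }],
      },
      {
        name: "Ops bastion",
        criteria: [],
        actions: [{ proto: "tcp", ports: [22],
                    hosts: { type: "script",
                             fn: (c) => (c.user.groups.includes("ops") ? ["10.30.0.1"] : []) } }],
      },
    ],
  },
];

// A resolver maps a resource name to the hosts that currently carry it. Here it
// reads a constructed inventory; a real cloud resolver would query the provider.
function makeResolver(inventory) {
  return (name) => inventory[name] || [];
}

function assignedPolicies(claims, policies) {
  return policies.filter((p) => p.assign(claims));
}

function entitlementGranted(claims, ent) {
  return ent.criteria.every((crit) => crit(claims));
}

function resolveHosts(action, claims, resolve) {
  switch (action.hosts.type) {
    case "static":   return action.hosts.values;
    case "resource": return resolve(action.hosts.name);
    case "script":   return action.hosts.fn(claims);
    default: throw new Error(`unknown host source ${action.hosts.type}`);
  }
}

// One evaluation pass: claims -> policies -> granted entitlements -> rules.
// Re-running it with changed claims or a changed inventory is the re-evaluation
// the page calls live entitlements. Anything not in the result stays denied.
function buildRules(claims, policies, resolve) {
  const rules = new Set();
  for (const policy of assignedPolicies(claims, policies)) {
    for (const ent of policy.entitlements) {
      if (!entitlementGranted(claims, ent)) continue;
      for (const action of ent.actions) {
        for (const host of resolveHosts(action, claims, resolve)) {
          for (const port of action.ports) rules.add(`${action.proto}:${host}:${port}`);
        }
      }
    }
  }
  return [...rules].sort();
}

// Default deny: a flow is allowed only if an evaluated rule names it exactly.
function isAllowed(rules, proto, host, port) {
  return rules.includes(`${proto}:${host}:${port}`);
}

if (typeof require !== "undefined" && require.main === module) {
  const inventory = { "tag:web": ["10.20.0.11", "10.20.0.12"] };
  console.log(buildRules(sampleClaims, samplePolicies, makeResolver(inventory)));
  inventory["tag:web"].push("10.20.0.13");          // a scale-out event
  console.log(buildRules(sampleClaims, samplePolicies, makeResolver(inventory)));
}
```

Running it shows the two properties the page relies on: when a third web instance appears in the inventory, a re-evaluation grants it without any entitlement being edited, and when a claim changes (here, the device reporting its disk as unencrypted) the dependent rules disappear on the next pass while unrelated ones remain. The same model also shows why the host sources deserve care: a resolver or host script is a trust boundary, since whatever hosts it returns become reachable, so its inputs (tags, claims) should be controlled as tightly as the entitlement itself.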