Use of Tags


There are a number of areas in which it is useful to use Tags in the AppGate ZTNA system. Before we explore these, a few words about tags themselves.

Many forms in the Admin UI allow you to add Tags, usually in the area at the top of the page. Tags are a (case insensitive) free text field and are common across the entire system. They can be used to find objects and to establish relationships between different objects in the system. They are most useful where you need to set up many-to-one relationships. For example, if a number of objects were all tagged with mytag, allowing an admin to manage all of those objects would only require adding mytag to the admin role.

Managing Tags

Tags can be added in most areas by clicking <+ Add New> under Tags. As you start to type, a filtered dropdown list of the existing Tags will appear. If a new Tag is required, click <Create tag>, enter the required details and then click <Create>.

Once Tags have been used somewhere in AppGate ZTNA, they will be listed in System > Tags. This form allows you to manage Tags, such as changing a Tag's color or deleting unused Tags.

There is also an overview for each Tag which shows you all the occurrences of the tag within the system from where it is also possible to Edit the tag. This same overview can also be accessed by clicking on the Tag anywhere in the system.

Using Tags

When using Search

Most forms offer Search which includes filtering by Tags. This will return only objects with that tag name.

[Screenshot: Search interface for Admin Roles, with fields for keywords, name and tags.]

If you always Tag objects when you create them, then it will make it much easier to filter and find these objects later on. This is especially important as the scale of the deployment grows and you have far more objects than can be displayed on one page.

When adding Entitlements to Policies

It is frequently the case that there will be several Entitlements in a single Policy; Tags are a good way to configure this.

As you create the Entitlements, make sure to add a Tag to each, e.g., Sales.

When you define the Policy's Assignment Criteria, instead of selecting all the Entitlements one by one using Entitlements by Name, use Entitlements by Tag and just add the Sales tag there. This will link all the Entitlements you have tagged with Sales to the Policy.

There is no requirement to enter anything in the Tags field at the bottom of the Policies screen in this situation.

When assigning Users to Policies

Another scenario is when you want to link many users to a single Policy, so again Tags are a good way to do this. This, however, only applies to users in the Local Database Identity Provider type.

To add users to the local database, use Local Users and add a Tag to each, such as “admin”. Then when you configure a Policy, use the list under Select Assignment Criteria to select User claims > tags.

[Screenshot: Assignment Criteria settings for users, based on username and tag type.]

Enter the name of the tag - in this case admin. This will make the Policy return true for any User you have tagged with admin.

There is no requirement to enter anything in the Tags field at the top of the Policies screen for this use case.

NOTE

For other identity providers, instead of using tags to assign users you can map an attribute (from the IdP) to a new user claim; then pick that user claim in the Policy.

When applying access control to Entitlements

Access Control can optionally be applied by the Gateway when the user/device tries to use any of the Actions defined in an Entitlement. This is probably not the best-fit use case for Tags; however, Condition-based access offers this capability as part of its comprehensive tool set.

Follow the same procedure as detailed above for Policy assignment when setting up the Condition's Access Criteria.

There is no requirement to enter anything in the Tags field at the top of the Conditions screen in this use case.

When configuring Admin Roles

Tags also play a key part in limiting the scope of administrator privileges. This, in part, is how the concept of delegated administration within AppGate ZTNA was conceived. Refer to Admin Roles for more general information about configuring admin access to the system.

Unlike the previous use cases where tags were only applied to Entitlements or Users, tags can (and should) be used everywhere in the system. Then when an Admin Role is created it will be possible to limit the Scope of Privilege to, for instance, objects tagged with mytag.

[Screenshot: Edit Privileges for Entitlement, with options for limiting the scope and adding tags.]

It is also possible to tag the Admin Roles themselves, in the same way as most other objects, in order to delegate administration of the Admin Roles themselves.

In this case select Admin Role for the Target Item and then Limit the Scope of Privilege using tags that you have assigned to the administrative roles themselves.

[Screenshot: Admin Role privileges settings, with options for limiting the scope by name and by tag.]
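The relationships described above (Entitlements by Tag in a Policy, User claims > tags as an assignment criterion, and an Admin Role whose Scope of Privilege is limited to tagged objects) can be modelled in a few lines to make the matching rules concrete. The following is an added example written for this page, not AppGate code or the AppGate Admin API; the class names, the sample objects and the `mytag`/`Sales`/`admin` values are constructed. It also shows the effect of case-insensitive tags, which the page states but does not illustrate: `Sales`, `sales` and `SALES` all select the same objects, so a delegated Admin Role scoped to a tag covers every object carrying any spelling of it.

```python
"""Hypothetical model of tag-based relationships in a ZTNA-style system.

This is illustrative code, not AppGate's implementation. It models the page's
three uses of tags: search/filter, linking Entitlements and Users to a Policy
by tag, and limiting an Admin Role's scope of privilege by tag.
"""
from __future__ import annotations

from dataclasses import dataclass, field


def normalise(tag: str) -> str:
    # Tags are case-insensitive, so every comparison uses one canonical form.
    return tag.strip().casefold()


@dataclass
class TaggedObject:
    kind: str                              # e.g. "entitlement", "user", "admin_role"
    name: str
    tags: set[str] = field(default_factory=set)

    def has_tag(self, tag: str) -> bool:
        return normalise(tag) in {normalise(t) for t in self.tags}


def find_by_tag(objects: list[TaggedObject], tag: str, kind: str | None = None) -> list[str]:
    """Search-style filter: names of objects carrying the tag (optionally of one kind)."""
    return [o.name for o in objects if o.has_tag(tag) and (kind is None or o.kind == kind)]


@dataclass
class Policy:
    name: str
    entitlements_by_name: set[str] = field(default_factory=set)
    entitlements_by_tag: set[str] = field(default_factory=set)
    user_tags: set[str] = field(default_factory=set)   # "User claims > tags" criterion

    def resolve_entitlements(self, entitlements: list[TaggedObject]) -> list[str]:
        """Entitlements linked explicitly by name or via Entitlements by Tag."""
        return sorted(
            e.name for e in entitlements
            if e.name in self.entitlements_by_name
            or any(e.has_tag(t) for t in self.entitlements_by_tag)
        )

    def applies_to(self, user: TaggedObject) -> bool:
        """Assignment criterion: true for any local user carrying one of the tags."""
        return user.kind == "user" and any(user.has_tag(t) for t in self.user_tags)


@dataclass
class AdminRole:
    name: str
    target_kind: str                                   # Target Item, e.g. "entitlement"
    scope_tags: set[str] = field(default_factory=set)  # empty set = scope not limited

    def can_manage(self, obj: TaggedObject) -> bool:
        """Least privilege: right object type AND (no scope limit OR a scope tag matches)."""
        if obj.kind != self.target_kind:
            return False
        return not self.scope_tags or any(obj.has_tag(t) for t in self.scope_tags)


# Constructed sample data (not from a real deployment).
ENTITLEMENTS = [
    TaggedObject("entitlement", "crm-web", {"Sales"}),
    TaggedObject("entitlement", "crm-db", {"sales", "db"}),
    TaggedObject("entitlement", "git", {"Engineering"}),
]
USERS = [
    TaggedObject("user", "alice", {"admin"}),
    TaggedObject("user", "bob", set()),
]
ADMIN_ROLES = [
    TaggedObject("admin_role", "sales-ops", {"mytag"}),
    TaggedObject("admin_role", "global", set()),
]

# A Policy built with Entitlements by Tag and a User-tag assignment criterion.
SALES_POLICY = Policy("sales", entitlements_by_tag={"SALES"}, user_tags={"admin"})
# A delegated Admin Role limited to Entitlements tagged "sales" (any case).
DELEGATED_ADMIN = AdminRole("sales-entitlement-admin", "entitlement", {"Sales"})
# A role that may manage only Admin Roles themselves tagged "mytag".
ROLE_ADMIN = AdminRole("role-delegation-admin", "admin_role", {"MyTag"})


def demo() -> dict:
    """Runs each scenario and returns the outcomes for inspection."""
    return {
        "search_sales": find_by_tag(ENTITLEMENTS, "SALES"),
        "policy_entitlements": SALES_POLICY.resolve_entitlements(ENTITLEMENTS),
        "policy_users": [u.name for u in USERS if SALES_POLICY.applies_to(u)],
        "delegated_can_manage": [e.name for e in ENTITLEMENTS if DELEGATED_ADMIN.can_manage(e)],
        "delegated_touches_users": any(DELEGATED_ADMIN.can_manage(u) for u in USERS),
        "role_admin_can_manage": [r.name for r in ADMIN_ROLES if ROLE_ADMIN.can_manage(r)],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point worth checking in a real deployment is the one `AdminRole.can_manage` makes explicit: a scope limited by tag grants access to every object of the target type that carries the tag, regardless of case, so consistently tagging objects at creation time (as the Search section recommends) is what keeps a delegated role's reach predictable.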