How Entitlements are used in the Appgate SDP system
Use the Entitlements UI to create Entitlements.
Entitlements contain Actions which define the resources that users/devices will be allowed to access on a given Site (firewall rules) and may also include App Shortcuts which are presented in the Client.
Entitlements are assigned to users by Policies. Each Entitlement Token issued defines the Entitlements available to the specific user/device for a specific Site.
The main elements of an Entitlement are:
the Client app shortcuts
the Actions - defining the (protected) hosts and the rule to be used (typically <ALLOW>, but it can also be <BLOCK>, <ALERT> or <EXCLUDE>).
any access controls imposed by Gateways relating to the Actions. <Always Allow Action> is the default. <Risk Based Access> provides an easy way to apply access controls without using Conditions. <Condition Based Access> allows more complex configurations based on access criteria expressions or access criteria scripts.
An Entitlement might be created for Site net1 to <ALLOW> TCP up to 10.0.0.1 on port 80, but only between 09.00 and 17.00.
Pros and cons of using multiple Entitlements
When users need access to some (protected) hosts on a particular Site, at least one Entitlement needs to be created for that Site and added to the Policy. If you have come from a firewall configuration background then you may be tempted to create multiple hosts in one Action or multiple Actions in one Entitlement. Appgate SDP is designed with a different use case in mind - one where users get individual access rights - so consider creating multiple Entitlements (an Entitlement may still include a few grouped Actions).
Different Policies (which can include multiple Entitlements) can be used to organize access rights for different user groups - this avoids creating lots of complex, overlapping Entitlements.
Entitlements include a notes field to describe the usage - there are no notes at the Action level
Access controls are set per Entitlement - so user interactions will apply to all Actions within a given Entitlement
Entitlements will generate their own Audit logs - this can help with audit trails
Entitlements include quite a lot of metadata - many Entitlements each with large amounts of metadata can end up using a bit more Gateway memory.
Key elements in Entitlements
Before creating an Entitlement, there are two areas that require more detailed examination in order to take full advantage of the Appgate SDP system:
Entitlements include Actions; these define the host(s) that determine WHICH firewall rules apply. These differ from traditional firewall rules in that the source (or the destination, in the case of down rules) is assumed to be the user/device. Having only one parameter to specify allows host definitions that extend the capabilities of the system, going well beyond the traditional limitations associated with IP addresses and hostnames.
Entitlements can also apply access controls, which can simply be 'always allow' or alternatively be linked either to the risk model or to Conditions. The latter two provide alternative ways of deciding WHEN the Actions defined in the Entitlement will be allowed, based, for instance, on a user's current risk score.
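To make the structure above concrete (the Site/Entitlement/Action hierarchy, the rule carried by each Action, and an access control that is set per Entitlement and therefore gates all of its Actions), here is an added illustrative model in Python; it is not Appgate's own code nor its Condition-script syntax. The page's net1 example is encoded as `NET1_WEB`; the `make_ctx` helper, the second Entitlement, the risk threshold of 50 and the first-match handling of overlapping Actions are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import time
from enum import Enum
from typing import Callable, Dict, List, Optional

Rule = Enum("Rule", "ALLOW BLOCK ALERT EXCLUDE")  # the rules an Action can carry

@dataclass(frozen=True)
class Action:
    protocol: str  # e.g. "tcp"
    host: str      # the protected host; the source is always the user/device
    port: int
    rule: Rule
@dataclass
class Entitlement:
    name: str
    site: str
    actions: List[Action]
    # Access control is set per Entitlement, so it gates every Action in it;
    # None models <Always Allow Action>.
    access_control: Optional[Callable[[Dict], bool]] = None

def make_ctx(hour: int, minute: int = 0, risk_score: int = 0) -> Dict:
    """Constructed evaluation context: wall-clock time and a 0-100 risk score."""
    return {"now": time(hour, minute), "risk_score": risk_score}
def office_hours(ctx: Dict) -> bool:  # Condition-based access, 09:00-17:00
    return time(9, 0) <= ctx["now"] < time(17, 0)
def low_risk(ctx: Dict) -> bool:  # Risk-based access; the threshold 50 is assumed
    return ctx["risk_score"] < 50
def evaluate(entitlements: List[Entitlement], site: str, protocol: str,
             host: str, port: int, ctx: Dict) -> Optional[Rule]:
    """Rule for one flow from the user/device to host:port on `site`; None means
    no Entitlement grants a matching Action. Overlaps resolve first-match here."""
    for ent in entitlements:
        if ent.site != site:
            continue
        if ent.access_control and not ent.access_control(ctx):
            continue  # Entitlement withheld: all of its Actions are skipped
        for act in ent.actions:
            if (act.protocol, act.host, act.port) == (protocol, host, port):
                return act.rule
    return None
# The page's example: Site net1, <ALLOW> TCP to 10.0.0.1:80, 09:00-17:00 only.
NET1_WEB = Entitlement("net1-web", "net1",
                       [Action("tcp", "10.0.0.1", 80, Rule.ALLOW)], office_hours)
# A second, constructed Entitlement gated by the risk model instead of a Condition.
NET1_ADMIN = Entitlement("net1-admin", "net1",
                         [Action("tcp", "10.0.0.2", 22, Rule.ALLOW),
                          Action("tcp", "10.0.0.2", 23, Rule.BLOCK)], low_risk)
ENTITLEMENTS = [NET1_WEB, NET1_ADMIN]
```

Calling `evaluate(ENTITLEMENTS, "net1", "tcp", "10.0.0.1", 80, make_ctx(18))` returns `None` because the office-hours control withholds the whole Entitlement, not just one Action.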