Efficiently managing Access Rights

Have you ever had to change all of your access policies because your company policy changed? Ever needed to search through your policies because someone changed departments and needed new rules?

That's where CYAN Secure Web's profile hierarchy shows its dynamic approach and ease of use. But let's start from the beginning: what is a profile? Look at all the policies concerning one user, be it which categories of web content he or she is allowed to see, the status of virus scanning or even which online banking sites will be viewed as private. Then sum these policies up and assign them a name by which you reference the whole set. That's a profile.

Let's assume you have a policy which is consistent throughout your company. If this policy changes, you don't want to deal with the effort of changing the same setting in every profile. That brings inheritance into play. Every profile is located somewhere in a hierarchical structure, the profile tree. That means each profile can have one parent (superordinate) profile and a number of child (subordinate) profiles. By default, all policy settings are set to “inherit”, which can be translated to “use the setting from your parent profile”. Thus, you can set your company policy in the root profile and all other profiles will inherit the setting by default. A change can be made at a single point and all profiles will use the updated setting. This way, you don't have to go to each profile and change it.

If you need to set a different policy setting for a specific user, you can change the value of each setting from “inherit” to the desired value in the user's profile. Since all policy settings work hierarchically, the child profiles of this changed profile will inherit the same value by default. You can easily mirror your company's structure in this way: use “department profiles” for the different policy needs of your departments and then fine-tune them for individual users with child profiles of the department's profile. Still, every setting that is set to “inherit” throughout the profile tree can be changed at a single point.

Now we've discussed profiles, inheritance and the hierarchical structure.
But how do you assign a profile to a user? The profile itself is an independent entity. By default it is not linked to any user. You can connect the profile with a single user, a group of users or an IP address. Furthermore, you're not limited to connecting it to just one user or group. The profile can be used for many users if you want them to share a common policy.

So let's assume a user in the example above (using department profiles) changes his department and needs to be governed by a new general policy. All you need to do is change the user's profile link to the appropriate department profile. But what if you have defined a number of exceptions to the company policy specifically for the user by having a separate profile for this user? Just change the parent profile of the user's profile to the new department. This way, all settings that are inherited from the parent profile are updated with the new values from the new department profile, and all exceptions for the user are still set by his personal profile.
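
The inheritance and re-parenting behaviour described above can be modelled in a few lines. This is an added example, not CYAN Secure Web code or configuration; the profile names, setting names and values are hypothetical. It also reports which profile supplied each effective value, which is what you need when auditing why a user is allowed something.

```python
# Added illustration: a minimal profile tree with "inherit" settings.
# Setting names and values are hypothetical, not the product's own keys.
INHERIT = "inherit"

class Profile:
    def __init__(self, name, parent=None, **settings):
        self.name = name
        self.parent = None
        self.settings = settings      # any setting not listed counts as "inherit"
        self.set_parent(parent)

    def set_parent(self, new_parent):
        # Refuse a move that would place a profile below itself (a cycle).
        node = new_parent
        while node is not None:
            if node is self:
                raise ValueError(f"{self.name} cannot be its own ancestor")
            node = node.parent
        self.parent = new_parent

    def effective(self, key):
        """Return (value, name of the profile that defined it) for one setting."""
        node = self
        while node is not None:
            value = node.settings.get(key, INHERIT)
            if value != INHERIT:
                return value, node.name
            node = node.parent
        raise KeyError(f"{key} is not set anywhere up to the root")

def build_example():
    # Constructed sample tree: company root, two departments, one personal profile.
    root = Profile("company", virus_scan="on", social_media="block",
                   file_sharing="block", streaming="block")
    sales = Profile("sales", root, social_media="allow")
    engineering = Profile("engineering", root, file_sharing="allow")
    alice = Profile("alice", sales, streaming="allow")   # personal exception
    return root, sales, engineering, alice

if __name__ == "__main__":
    root, sales, engineering, alice = build_example()
    keys = ("virus_scan", "social_media", "file_sharing", "streaming")
    print("in sales:      ", {k: alice.effective(k) for k in keys})
    alice.set_parent(engineering)     # the user changes department
    print("in engineering:", {k: alice.effective(k) for k in keys})
```

After the move, the department-level values come from the new parent while the personal exception is still defined in the user's own profile.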

Author: Gerhard Byrne, Chief Developer of the CYAN Secure Web proxy server