
Groups with authorization policies


Hello NetScaler Team,


Is there Citrix documentation that validates that authorization policies can be applied to different groups, and that a user can belong to one or more groups so that they can access the resources indicated in the authorization policy? (The session policy is at the virtual server level and establishes an SSL VPN with the plugin.)


I have clients with this type of configuration and it works normally, but now Citrix Support indicates that this type of configuration is not supported.



Probably nothing more than what is in the admin guide, but in general:


You can set gateway authorization decisions via authorization policies (at group/user level), and session policies can also set the authorization decision (at vpn global, vpn vserver, aaa group, or aaa user level).


If a user receives multiple authorization policies (either on a single group or via multi-group membership), and if those policies are all ALLOW decisions, then effectively yes: the user will get the cumulative "allow" decisions from all policies applied. Anything that doesn't match an allow should receive the default "deny" rule if set (usually the global vpn parameter).


If you start asserting a mixture of allow and deny policies, then priority and the order in which groups are extracted are going to determine the final result, and it can get messy. I'd have to review some testing to say whether the deny always wins or the first matching policy (aka priority) asserts behavior for overlapping criteria, as I haven't untangled it in a while.


What type of config is support saying isn't supported? The exact scenario if you can, and on which firmware/policy engine? Because that sounds odd to me. But I or someone can clarify if I'm wrong about this.

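The allow-only-per-group plus global-deny layout described in the reply above, as an added NetScaler CLI example (not configuration from this thread or from Citrix documentation); the group names, policy names, subnets and priorities are assumptions, and the expressions assume the advanced policy engine:

```text
# Assumed: when no authorization policy matches, the global default is DENY
set vpn parameter -defaultAuthorizationAction DENY

# Allow-only authorization policies, one per resource set (subnets are assumed)
add authorization policy authz_finance_allow "CLIENT.IP.DST.IN_SUBNET(10.10.20.0/24)" ALLOW
add authorization policy authz_hr_allow      "CLIENT.IP.DST.IN_SUBNET(10.10.30.0/24)" ALLOW

# Bind each policy to its AAA group (assumed names; they must match the group
# values returned by the authentication server during extraction)
add aaa group Finance
add aaa group HR
bind aaa group Finance -policy authz_finance_allow -priority 100
bind aaa group HR      -policy authz_hr_allow      -priority 100

# A user extracted into both Finance and HR matches either ALLOW rule and so
# reaches both subnets; a user in neither group falls through to the global DENY.
# Verify what is actually bound before opening a support case:
show vpn parameter
show aaa group Finance
show aaa group HR
```

Keeping every group-bound policy an ALLOW is what makes the result predictable: the moment a DENY policy is bound to one of the groups, priority and extraction order decide the outcome, as the reply notes.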

Thanks Rhonda,


It is true, the user receives cumulative authorization policies that allow access according to the group to which they belong; there are no deny authorization policies, the deny is global.

This configuration is the one that Citrix Support says is not supported; it seems strange to me, because we are not the only ones who use this type of configuration.
