About VIP User Groups and VIP Administrator Groups
You can create user groups and administrator groups to make management easier in VIP Enterprise Gateway.
You can configure multiple user groups to make security policy management easier. You may also create groups of administrators to provide selective rights to them rather than assigning the same privileges to all administrators. The User Groups and the Administrator Groups can be configured in VIP Manager.
Once you have created the groups, use the VIP Enterprise Gateway Configuration Console to map the users in your LDAP/AD user stores to one or more VIP User Groups or VIP Administrator Groups in VIP Authentication Services. Mappings are based on the following settings:
- Distinguished Name of the LDAP/AD user object
- Membership of the LDAP/AD user object in LDAP/AD groups
- Value of one of the attributes of LDAP/AD user object
The LDAP Synchronization service that runs on VIP Enterprise Gateway queries the LDAP/AD user store for additions, deletions, and updates to the user and the administrator records for group membership. Then, the LDAP Synchronization service synchronizes the information with the VIP Authentication Services.
To enable VIP Enterprise Gateway to synchronize administrators from the LDAP user store to VIP Authentication Service, you must map the administrators to at least one VIP Administrator Group.
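The following is an added example, not code from VIP Enterprise Gateway or from Broadcom: a small offline model of the three mapping criteria that previews which groups a directory entry would land in and lists intended administrators who match no administrator group and so would not be synchronized. The rule format, group names, directory entries, the intended_admin flag, and the treatment of a DN rule as a subtree match are all assumptions made for illustration.

```python
# Added illustration: models the three mapping criteria described above.
# Not VIP Enterprise Gateway code; rule format, group names and entries are constructed.

def norm_dn(dn):
    # Simplified normalisation (assumes no escaped commas inside RDN values).
    return ",".join(part.strip().lower() for part in dn.split(","))

def dn_under(dn, base):
    # Assumption: a DN rule matches the base object and everything beneath it.
    dn, base = norm_dn(dn), norm_dn(base)
    return dn == base or dn.endswith("," + base)

def matches(entry, rule):
    if rule["by"] == "dn":            # Distinguished Name of the user object
        return dn_under(entry["dn"], rule["value"])
    if rule["by"] == "member_of":     # membership in an LDAP/AD group
        want = norm_dn(rule["value"])
        return any(norm_dn(g) == want for g in entry.get("memberOf", []))
    if rule["by"] == "attribute":     # value of one attribute of the user object
        return str(entry.get(rule["attr"], "")).lower() == rule["value"].lower()
    raise ValueError("unknown mapping type: %r" % rule["by"])

def map_entry(entry, rules):
    out = {"user": [], "admin": []}
    for rule in rules:
        if matches(entry, rule):
            out[rule["kind"]].append(rule["group"])
    return {kind: sorted(groups) for kind, groups in out.items()}

def unsynced_admins(entries, rules):
    # Intended administrators that match no administrator-group rule.
    return [e["dn"] for e in entries
            if e["intended_admin"] and not map_entry(e, rules)["admin"]]

GROUPS_OU = "ou=Groups,dc=example,dc=com"
RULES = [  # constructed mapping rules
    {"group": "VPN-Users", "kind": "user", "by": "dn", "value": "ou=Staff,dc=example,dc=com"},
    {"group": "Push-Only", "kind": "user", "by": "member_of", "value": "cn=mfa-push," + GROUPS_OU},
    {"group": "Helpdesk-Admins", "kind": "admin", "by": "attribute", "attr": "title", "value": "Helpdesk"},
]
ENTRIES = [  # constructed LDAP/AD entries
    {"dn": "cn=alice,ou=Staff,dc=example,dc=com", "memberOf": ["CN=mfa-push," + GROUPS_OU],
     "title": "Engineer", "intended_admin": False},
    {"dn": "cn=bob,ou=IT,dc=example,dc=com", "memberOf": [], "title": "Helpdesk", "intended_admin": True},
    {"dn": "cn=carol,ou=IT,dc=example,dc=com", "memberOf": [], "title": "DBA", "intended_admin": True},
]

if __name__ == "__main__":
    for e in ENTRIES:
        print(e["dn"], map_entry(e, RULES))
    print("admins that would not be synchronized:", unsynced_admins(ENTRIES, RULES))
```

Running a preview like this against an export of the directory before changing mappings shows which accounts would gain or lose group-scoped policies.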
For more information about the use cases for VIP User Groups and VIP Administrator Groups, and where these features are most beneficial, see the Symantec VIP Enterprise Authentication Deployment Guide online at the Broadcom TechDocs portal.
Enabling user group policies
You can enable special user group policies in VIP Manager that can be applied to user groups defined in VIP Enterprise Gateway. If you set the following user group policies in VIP Manager, VIP Enterprise Gateway can apply the policies to user groups that you create and manage in the Configuration Console:
- Access Policy: Use this policy to allow all users in a group to access a resource without VIP authentication or to block all users in a group from accessing the resource.
- Mobile Push Authentication Policy: Use this policy to allow all users in a group to authenticate using VIP Push notifications. You can also use this policy to restrict users from entering security codes as second-factor authentication.
- Credential Policy: Use this policy to set the number and types of credentials that a user in a group can register.
- Remembered Device Policy: Use this policy to set how Trusted Devices behave for users in a group.
For more details on these policies and instructions on configuring them in VIP Manager, see the VIP Manager online Help.