Managing Access Control in Access Server
Access control with Access Server provides security by verifying users and ensuring appropriate permissions are granted to them.
Access control is an important security tool. You use it to grant access to users or groups for the services and tools they need to do their jobs. You also use it to keep other services and tools available to other users without granting full access to everyone in your network.
Access Server grants access to your network in an encrypted manner over the insecure Internet. It has the functionality to define that access so that this user can access this resource but not that resource.
Access Server's access control operates on three levels:
Global
Group
User
This topic shows how access control works at the three levels.
Access control example
Suppose we want to grant access for the scenario diagrammed above:
All VPN users need access to the print server (198.51.100.1).
Only the web team must access the dev web server (198.51.100.2).
Only one ops team member can access the prod web server (198.51.100.3).
You can create access in this way:
Grant global access to all VPN users to the print server, 198.51.100.1.
Grant the "dev group" access to the dev web server, 198.51.100.2.
Grant "User+" access to the prod web server, 198.51.100.3.
Access Control inheritance rules
Access Server provides access control at the user, group, and global levels. The following rules apply:
A user can belong to one or no group.
A user inherits access from the group and the global level.
A user can have additional access when defined for the user account.
A group inherits access from the global level.
A group can have additional access when defined for the group account.
Global access propagates to all groups and users.
You can create access control policies for Access Server by granting access to servers, subnets, and IP addresses at the user, group, and global levels.
This tutorial shows how to grant access to all VPN users for a specific resource based on the subnet.
Grant access to a specific resource, group, or user for a specific group of VPN users.
This tutorial shows how to grant access for a VPN user to a specific resource based on the subnet.
Follow these steps to remove access control for global rules. If you configure all your access at the group and user levels, you also want to clear all global access control rules.
Watch this overview of Access Server's access control: