bSecure Group Mapping for User-ID

A knowledge base article about bSecure Group Mapping for User-ID provided by the UC Berkeley IT Service Hub - Knowledge Portal

The bSecure service supports the use of user groups in addition to individual users for firewall security policy. 

This does not take the place of individual users in firewall policy, they can be intermixed as required by the customers needs.  Please see the User-ID article for more information on using usernames instead of groups.

Group Mapping

When available firewall administrators can request that their VSYS be enabled for group mapping. They will meet with a network engineer who will review their needs and determine if group mapping is appropriate for the use case. If so they will configure the service accordingly.  Please note that group mapping requests can take more than a month to implement and are impacted by change freezes. 

Once implemented users will be able to select their users and groups from a pre-populated list in the User field of the policy configuration. A policy entry supports the user of manual user entry, group entry, and a mixture of both.

Once online, administrators will manage group membership through CalGroups without having to modify or push new configuration to their firewalls.

How it Works

  1. Security policy including a list of users matches other requirements (such as source/destination address and service)
  2. The VSYS queries the User-ID database with the source network address of the connection
  3. If there is a username matching the source address in the database the name is returned to the VSYS
  4. If a username is found it the users group memberships are compared to the allows list specified in policy and if so the firewall will take the appropriate action

The Restricted VPN documentation has a good walkthrough of how to interact with the CalGroups interface that also applies to managing User-ID groups.

Service Limitations