5.3.10.6 Using groups
In some situations, assigning policies to groups of clients can complement previous scenarios. Groups can be created manually or by using the Active Directory Synchronization option.
Clients can be added to groups either manually (Static Groups) or automatically - by the group properties (Parametric Groups). See chapter Group Manager for more details.
To assign a policy to a group of clients, you can use the one-time assignment option in Policy Manager (Add Clients > Add Special), or deliver policies automatically via Policy Rules.
One of the possible scenarios is as follows:
The administrator wants to assign different policies for clients belonging to different AD groups and change the
client's policy automatically when the client is moved to another AD group.
1) The first step is to set Active Directory Synchronization in Group Manager according to your needs. The important thing here is to properly schedule the AD synchronization (possible options: hourly, daily, weekly, monthly).
2) After the first successful synchronization, the AD groups appear in the Static Groups section.
3) Create a new policy rule and mark ERA Groups IN and/or ERA Groups NOT IN as a rule condition.
4) Specify the AD groups that you want to add to the condition.
5) In the next step define the policy that will be applied to clients matching the rule condition(s) and press OK to save the rule.
NOTE: Steps 3 - 5 can be replaced by using the Policy Rules Wizard, which allows you to create a policy structure based on the existing group structure and map created policies to groups by creating corresponding policy rules.
This way it is possible to define a particular policy rule for each AD group. Assigning a certain policy to a certain client
now depends on the client's membership in a certain AD group. Since the AD synchronization is scheduled to occur
regularly, all changes in the client's AD group membership are refreshed and taken into account when a policy rule is
applied. In other words, policies are applied to clients automatically depending on their AD group. Once the rules and
policies are defined thoroughly, no more intervention regarding policy application is needed from the administrator.
The main advantage of this approach is direct, automatic linking between AD group membership and policy
assignment.
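The scenario above can be checked offline before the rules are relied on. The following is an added example, not ERA code: it models rules with the ERA Groups IN / ERA Groups NOT IN conditions over two synchronized group snapshots and reports clients that match no rule, clients that match rules for more than one policy, and clients whose policy changes after the next synchronization. The matching semantics (IN = member of at least one listed group, NOT IN = member of none) and all group, policy and client names are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class PolicyRule:
    policy: str
    groups_in: frozenset = frozenset()      # models the "ERA Groups IN" condition
    groups_not_in: frozenset = frozenset()  # models the "ERA Groups NOT IN" condition

    def matches(self, memberships):
        # Assumed semantics: IN = member of at least one listed group,
        # NOT IN = member of none of the listed groups.
        if self.groups_in and not (self.groups_in & memberships):
            return False
        return not (self.groups_not_in & memberships)

def audit(rules, snapshot):
    """snapshot: client name -> set of synchronized AD group names.
    Returns (assigned, unmatched, ambiguous)."""
    assigned, unmatched, ambiguous = {}, [], {}
    for client, groups in sorted(snapshot.items()):
        policies = sorted({r.policy for r in rules if r.matches(frozenset(groups))})
        if not policies:
            unmatched.append(client)          # no rule delivers a policy
        elif len(policies) > 1:
            ambiguous[client] = policies      # several policies match; review the rules
        else:
            assigned[client] = policies[0]
    return assigned, unmatched, ambiguous

def policy_changes(before, after):
    """Clients whose assigned policy differs between two synchronizations."""
    return {c: (before.get(c), after.get(c))
            for c in sorted(set(before) | set(after)) if before.get(c) != after.get(c)}

# Constructed sample data: group, policy and client names are hypothetical.
RULES = [
    PolicyRule("Policy-Workstations", frozenset({"AD-Workstations"})),
    PolicyRule("Policy-Servers", frozenset({"AD-Servers"})),
    PolicyRule("Policy-Laptops", frozenset({"AD-Laptops"}), frozenset({"AD-Servers"})),
]
SYNC_1 = {"pc-01": {"AD-Workstations"}, "srv-01": {"AD-Servers"}, "lt-01": {"AD-Laptops"},
          "pc-02": {"AD-Workstations", "AD-Servers"}, "kiosk-01": set()}
SYNC_2 = {**SYNC_1, "pc-01": {"AD-Laptops"}}  # pc-01 moved to another AD group

if __name__ == "__main__":
    a1, unmatched, ambiguous = audit(RULES, SYNC_1)
    a2, _, _ = audit(RULES, SYNC_2)
    print("unmatched:", unmatched, "ambiguous:", ambiguous)
    print("changed after next sync:", policy_changes(a1, a2))
```

Until the next scheduled synchronization runs, a client moved in AD is still evaluated against its previous group membership, so the chosen schedule bounds how long the old policy stays in effect.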
5.4 Notifications
The ability to notify system and network administrators about important events is an essential aspect of network
security and integrity. An early warning about an error or malicious code can prevent enormous losses of time and
money needed to eliminate the problem later on. The next three sections outline the notification options offered by
ERA.