Policies query


Post by daviesb7 » May 10 06 9:59 am

Apologies 4 yet another policies query but...

I have 2 nested groups containing a user
sysapp(group) contains kids(group) contains tony(user)

In the www service I set policies on the groups and the user (differing web sites excluded etc) and they all add together as I expect (e.g. sysapp->microsoft.com kids->google.com then tony can access microsoft.com and google.com)
My question is that I have set a time limit on the policy assigned to kids - does the time limit restriction apply to just kids (not Tony) or to Tony as well?
daviesb7
 
Posts: 10
Joined: Apr 27 05 8:22 pm

Post by adrien » May 11 06 12:40 am

Hi

What do you mean by time limit? If you mean the policy is restricted by time, then it will apply to the policy - i.e. the policy will only grant access during the time span you specify.

Or do you mean "Time online"? In which case, the time online is only recorded per user account. Setting the policy on the group will catch any member of the group that is a user, since the policy is evaluated as

Is the user a member of this group
is the user time on line less than this value.

If both these are true, then the policy would grant access.
adrien
Qbik Staff
 
Posts: 5448
Joined: Sep 03 03 2:54 pm
Location: Auckland

Post by daviesb7 » May 11 06 4:54 am

I mean the policy for the group is restricted by time. The user is a member of this group but both the group and the user have a policy assigned. So the question is does the time restriction policy apply to only the group or both the group and the user?
daviesb7
 
Posts: 10
Joined: Apr 27 05 8:22 pm

Post by Pascal » May 11 06 11:18 am

I believe it will apply if the policy granting access is the one that contains it. However, to be sure, would you send me a copy of your policy setup then I can have a quick look through it?

Email address is in my profile, you can export the policies by saving your current WinGate registry with the Advanced Options screen in GateKeeper (Save Registry, not save config) or the Advanced Options tool in the Start Menu.
Pascal

Qbik New Zealand
pascalv@qbik.com
http://www.qbik.com
Pascal
Qbik Staff
 
Posts: 2623
Joined: Sep 08 03 8:19 pm
Location: Auckland, New Zealand

Post by Pascal » May 16 06 3:24 pm

Sorry for the longer delay in working through this. The short answer is no, it applies only to the group.

You would need to look at which entity granted access. That is the one that will govern the policies applied. E.g. if the group policy would grant access the time restriction will apply to everyone who is a member of that group.

However, if the user policy also grants access to that site without the time restriction and that user access and it's hit first the time restriction will not apply, even if the user is in the group.

The way your policies are currently set up, the two users you are restricting access for will have unrestricted access to the list of sites you've specified in their individual policy entries and will have access to the sites listed in their group's policy entry between 9 and 5.

What are you trying to set up that is causing you problems?
Pascal

Qbik New Zealand
pascalv@qbik.com
http://www.qbik.com
Pascal
Qbik Staff
 
Posts: 2623
Joined: Sep 08 03 8:19 pm
Location: Auckland, New Zealand

Post by daviesb7 » May 17 06 1:27 am

Thanks for that. I think I understand now. The group time restriction applies only to the sites listed in that group policy. The members of the group have their own policy (without a time restriction) and that applies to the sites listed in the member policy.

What I'm trying :) to achieve is for the members to have access to their own site list and the sites of the group of which they are a member. I didn't want to repeat the time restriction for both group & member. I just wanted the group time restriction to apply so all... but thinking about it this would be inconsistent from a design point of view as the site list would have 1 scope whilst the time restriction would have a different scope.
Thanks for your time on this, I'll rework my policies now that I know..
cheers
Brian
PS - Great product by the way
daviesb7
 
Posts: 10
Joined: Apr 27 05 8:22 pm

Post by ChrisH » May 17 06 2:13 am

I would suggest that by applying both the WWW policy for individual site access and a system policy for group related sites might achieve what you are looking for (if I read what you are trying to do correctly).

In WWW service policy create your individual users white lists with any other restrictions you want on an individual basis - time, location etc. for those users. Then in system policy create a group policy listing those servers you want to be whitelisted for the group and time restrictions etc for the group. Then in WWW policy apply Default rights (System policies) may be used instead. Then if the site is allowed in WWW service (and meets other restrictions here - time etc.) OR allowed in System policy (and meets other restrictions here - time, user is a member of the group, etc.) user will see it. If the site is in neither list the user will not see it. So you could have two different time policies - one for individual white list and one for group whitelist.

Just a note of caution - any service that does not ignore the system policies could be affected by this type of policy structure. Also, the Everyone group in System policies could sidetrack you a bit as any new group is a subset of this group by default - or perhaps you could apply the group whitelist to Everyone.
Chris H.
ChrisH
WinGate Master
 
Posts: 388
Joined: Sep 13 03 1:38 am
Location: Canada

On a similar note

Post by daviesb7 » May 24 06 12:26 pm

Related question: If I have a user "Fred" who is in 2 groups "A" and "B" and both A and B have a policy where A states 'can access URL X' and B states cannot access URL X - how are the policies applied, i.e. which one has precedence? Is it the order in which they are displayed in the window?
daviesb7
 
Posts: 10
Joined: Apr 27 05 8:22 pm

Post by Pascal » May 24 06 12:27 pm

Policies are permissive. So if one policy will grant it to the user even if another explicitly denies it the user gets that right.
Pascal

Qbik New Zealand
pascalv@qbik.com
http://www.qbik.com
Pascal
Qbik Staff
 
Posts: 2623
Joined: Sep 08 03 8:19 pm
Location: Auckland, New Zealand
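
A small Python model of the evaluation rules described in this thread, added here as an example; it is not WinGate code and was not posted by any participant. It shows that a time window limits only the entry that carries it and that a deny entry never vetoes a grant. Group and user names follow the thread; the site lists, the 9-to-17 encoding and the names `Entry`, `granting_entry` and `can_access` are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed membership: child -> parents (sysapp contains kids contains tony).
MEMBER_OF = {"tony": {"kids"}, "kids": {"sysapp"}, "fred": {"A", "B"}}

@dataclass(frozen=True)
class Entry:
    principal: str                 # user or group the entry is assigned to
    sites: frozenset
    allow: bool = True
    hours: Optional[tuple] = None  # (start, end) on a 24h clock; None = any time

# Constructed policy list for illustration.
POLICIES = [
    Entry("sysapp", frozenset({"microsoft.com"})),
    Entry("kids", frozenset({"google.com"}), hours=(9, 17)),
    Entry("tony", frozenset({"example.org"})),
    Entry("A", frozenset({"x.example"})),
    Entry("B", frozenset({"x.example"}), allow=False),
]

def principals(user):
    """The user plus every group reached through nested membership."""
    seen, todo = set(), [user]
    while todo:
        p = todo.pop()
        if p not in seen:
            seen.add(p)
            todo.extend(MEMBER_OF.get(p, ()))
    return seen

def granting_entry(user, site, hour, policies=POLICIES):
    """Return the first entry that grants access, or None.

    Permissive model: deny entries never veto a grant, and a time window
    limits only the entry that carries it.
    """
    who = principals(user)
    for e in policies:
        if not e.allow or e.principal not in who or site not in e.sites:
            continue
        if e.hours is None or e.hours[0] <= hour < e.hours[1]:
            return e
    return None

def can_access(user, site, hour):
    return granting_entry(user, site, hour) is not None
```

Under this model a restriction only has effect when no other entry grants the same site, so overlapping site lists between a user entry and a group entry are the thing to look for when reviewing a policy set.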

Thanks

Post by daviesb7 » May 24 06 12:30 pm

Blimey, that was quick!! Thanks - now I'm off for some detailed policy setting...
daviesb7
 
Posts: 10
Joined: Apr 27 05 8:22 pm

Post by Pascal » May 24 06 12:31 pm

:) Benefits of email notifications...
Pascal

Qbik New Zealand
pascalv@qbik.com
http://www.qbik.com
Pascal
Qbik Staff
 
Posts: 2623
Joined: Sep 08 03 8:19 pm
Location: Auckland, New Zealand

