
STAS - nested groups

Hi

In our Active Directory environment, we are using role-based administration, meaning we use heavily nested groups for all our users.

(e.g. we add users to a single group, and all required permissions etc. are populated from the nested groups that are members of this one upper-level group.)

When we implemented STAS and Active Directory integration in Sophos XG, we imported the relevant, dedicated groups that are the nested groups (not the upper-level groups),

but it seems like Sophos is not getting or receiving any logon events from STAS.

Are nested groups even supported in Sophos XG?

  • Technically, the answer is yes.

    https://community.sophos.com/kb/en-us/123161

    XG only uses one primary group. This can be a nested group as well, but you have to import this particular group.

    With an authentication request (like STAS, User Portal etc.) XG will decide which group it will take; first match matters.

    And this rule applies for nearly all modules in XG, like Firewall Policy matching.

    Except the Web proxy: the Web Proxy will perform another lookup and check the AD again for "other groups". But you will not see those groups.

    To be honest, this is more likely a good approach to this setup. If you supported nested groups / multiple groups per user, this firewall "Layer 8" concept would get messy.
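Added illustration (not Sophos code and not a description of the firewall's internals) of the two ideas in the reply above: a user's effective groups follow the nesting chain, and a "first match" over the imported groups yields exactly one primary group. The directory data and group names are constructed, and the assumption that match order is the import order is mine.

```python
from collections import deque

# Constructed sample directory (invented names): each group maps to the groups it
# is a direct member of, i.e. the AD memberOf attribute. "Staff" is the upper-level
# role group; "Web" and "VPN" are nested permission groups underneath it.
MEMBER_OF = {
    "Staff": ["Web", "VPN"],
    "Web": ["Internet-Full"],
}

# Constructed users with their DIRECT group memberships only.
USERS = {
    "alice": ["Staff"],          # gets Web, VPN and Internet-Full only through nesting
    "bob": ["Internet-Full"],    # direct member of a leaf group, not of Staff
}


def effective_groups(user):
    """All groups the user belongs to, directly or through nesting (BFS over memberOf)."""
    seen = set()
    queue = deque(USERS.get(user, []))
    while queue:
        group = queue.popleft()
        if group in seen:          # guards against circular nesting
            continue
        seen.add(group)
        queue.extend(MEMBER_OF.get(group, []))
    return seen


def primary_group(user, imported_groups):
    """First imported group (assumed: in import order) that the user effectively
    belongs to, or None if none of the imported groups apply to the user."""
    groups = effective_groups(user)
    for group in imported_groups:
        if group in groups:
            return group
    return None
```

Changing the import order changes which single group a nested user is assigned, which is why the order of the imported groups matters when a user sits in several of them.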
