Using User Identity in TOS
Overview
User Identity lets you use user identity elements, such as LDAP groups, in the Source field of an access request. This adds next-generation firewall (NGFW) capabilities to your Access Request workflow. For example, to define an access request from the Human Resources department to a site with sensitive data, you can use an LDAP group like @hr_dept in the Source field.
In SecureChange, all Access Request workflow tools support User Identity. This includes Auto Suggest Target, Risk Analysis, Designer, and Verifier. In SecureApp you can use user identity elements in the Source field when defining a connection.
Tufin supports User Identity on all devices in TOS.
- On devices that support user identity elements natively in firewall rules (Panorama Advanced, FortiManager, and Check Point), the tools use the identity elements from the access request.
- On other devices, the tools replace the identity elements with IP subnets from the Users Networks zone in SecureTrack. This zone includes all subnets where users connect to your network. (See Managing the Users Networks Zone.)
Tufin REST API also supports user identity elements in access request tickets.
Prerequisites
- Configure SecureTrack to connect to the LDAP directory that you want to use for User Identity. See Configure User Identity.
- For devices that do not natively support using LDAP groups in firewall rules, configure the Users Networks zone with all IP addresses or subnets from which users connect to your network. (See Managing the Users Networks Zone.)
Create an Access Request
The requester can add LDAP groups in the Source field of an Access Request. These groups appear as @<name of the LDAP group>, for example @auto.adminGroup. Hover over the LDAP group to see the Distinguished Name (DN) that uniquely identifies the entry in the directory.
You can either select the LDAP group from the Object Browser or type the group name in the Source field using free text. API users can add LDAP-related fields in POST and PUT requests.
Add LDAP Group Using Object Browser
- In a SecureChange access request ticket, click the Object Browser icon in the Source field. The Advanced Options window appears.
- In the Source list, select LDAP.
- Click Add for each LDAP group that you want to add as a source in the access request.
- Click OK.
Add LDAP Group Using Free Text
- In the Source field of an access request, type @<name of the LDAP group> (for example @hr_dept).
- Click OK.
Add LDAP Group Using API
In POST and PUT requests for API Ticket objects, you use the ldap_entity_name, ldap_entity_id, or ldap_entity_dn fields in the SourceDTO object. SecureChange verifies these values, and if they are valid, the LDAP group appears in the access request.
You can also retrieve these values in a GET request. See the SourceDTO object in the API Ticket documentation.
Handle an Access Request
The handler sees the user identity elements that the requester specified (such as the LDAP group @hr_dept) in every workflow step that contains the Access Request field.
For devices that support user identity elements natively in firewall rules (Panorama Advanced, FortiManager, and Check Point), TOS automation tools resolve the elements to their Distinguished Name (DN) from the LDAP directory.
Example: Designer rule with user identity elements resolved to DN.
For all other devices, TOS substitutes the user identity elements with the IP subnets defined in the Users Networks security zone in SecureTrack. The resulting rule is address-based rather than identity-based: it permits every host in those subnets, whether or not the logged-on user belongs to the requested group, so keep the zone limited to the address ranges from which users actually connect.
Example: In Designer, the Source field shows only IP subnets.
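The following model ties the API fields from "Add LDAP Group Using API" to the two handling paths described above. It is an added example written for this page, not Tufin code: only the SourceDTO field names ldap_entity_name, ldap_entity_id and ldap_entity_dn, the three natively supporting device types and the Users Networks zone concept come from the page. The directory contents, the zone subnets, the example non-native device name and the function names are constructed stand-ins for what SecureTrack would look up.

```python
"""Model of an LDAP-group source in a SecureChange access request.

Added example for this page, not Tufin code. Only the SourceDTO field names
ldap_entity_name, ldap_entity_id and ldap_entity_dn come from the page; the
directory contents, the zone contents and the device-type check are
constructed stand-ins for what SecureTrack would look up.
"""
import ipaddress
import re

# Device types the page lists as supporting identity elements natively in rules.
NATIVE_IDENTITY_DEVICES = {"Panorama Advanced", "FortiManager", "Check Point"}

# Constructed stand-in for the LDAP directory configured in SecureTrack
# (group name -> distinguished name). Real DNs come from your directory.
LDAP_DIRECTORY = {
    "hr_dept": "CN=hr_dept,OU=Groups,DC=example,DC=com",
    "auto.adminGroup": "CN=auto.adminGroup,OU=Groups,DC=example,DC=com",
}

# Constructed stand-in for the Users Networks zone in SecureTrack.
USERS_NETWORKS_ZONE = ["10.10.0.0/16", "192.168.50.0/24"]

GROUP_REF = re.compile(r"^@(?P<name>[A-Za-z0-9._-]+)$")


def ldap_source(text):
    """Build the LDAP part of a SourceDTO from what a requester typed.

    '@hr_dept'              -> {"ldap_entity_name": "hr_dept"}
    'CN=hr_dept,OU=...'     -> {"ldap_entity_dn": "CN=hr_dept,OU=..."}
    Anything else, or a group/DN the directory does not know, raises
    ValueError; SecureChange likewise rejects values it cannot verify.
    (ldap_entity_id is the third accepted field; its values are directory
    specific, so it is left out of this model.)
    """
    text = text.strip()
    m = GROUP_REF.match(text)
    if m:
        name = m.group("name")
        if name not in LDAP_DIRECTORY:
            raise ValueError(f"unknown LDAP group: {name}")
        return {"ldap_entity_name": name}
    if text.upper().startswith("CN="):
        if text not in LDAP_DIRECTORY.values():
            raise ValueError(f"unknown DN: {text}")
        return {"ldap_entity_dn": text}
    raise ValueError(f"not an LDAP source: {text!r}")


def resolve_source(source, device_type):
    """Return what Designer would place in the rule's Source field.

    Native devices keep the identity element, resolved to its DN.
    Other devices get the Users Networks zone subnets instead.
    """
    dn = source.get("ldap_entity_dn") or LDAP_DIRECTORY[source["ldap_entity_name"]]
    if device_type in NATIVE_IDENTITY_DEVICES:
        return {"kind": "ldap_dn", "value": dn}
    subnets = [str(ipaddress.ip_network(n)) for n in USERS_NETWORKS_ZONE]
    return {"kind": "subnets", "value": subnets}


def subnet_rule_matches(resolved, host_ip):
    """Show the widening on non-native devices: any host inside the zone
    matches the rule, regardless of which user is logged on to it."""
    if resolved["kind"] != "subnets":
        raise ValueError("identity rule: matching depends on the firewall's user mapping")
    ip = ipaddress.ip_address(host_ip)
    return any(ip in ipaddress.ip_network(n) for n in resolved["value"])


if __name__ == "__main__":
    src = ldap_source("@hr_dept")
    print(src)
    print(resolve_source(src, "Check Point"))
    # "Cisco ASA" is a constructed example of a device outside the native list.
    print(resolve_source(src, "Cisco ASA"))
```

Run the module directly to see the same request produce a DN-based source for Check Point and a subnet-based source for the non-native device; subnet_rule_matches makes the difference concrete, since a host in 10.10.0.0/16 matches the second rule whoever is logged on to it.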