How to Configure End-System Zones


End-system zones allow you to limit an ExtremeCloud IQ Site Engine user's access to end-system information and configuration based on end-system zone membership. Users are only authorized to view or control a subset of end-systems, delimited by zones.

End-system zones are configured and managed on the Control > Access Control tab, and are enforced for ExtremeCloud IQ Site Engine end-system information and configuration.

When an end-system authenticates to the network, Access Control rules are used to assign an Access Control profile and a zone to the end-system. This allows you to use a variety of rule components (such as End-System Groups, Location Groups, and User Groups) to determine the zone to which an end-system should be assigned.

A user's zone access is determined by the authorized zones that are assigned to the user group of which they are a member. User groups are created and configured in the Group Editor on the Control > Access Control tab, and authorized zones are assigned to each user group in the Edit User Group window.

When end-systems are filtered by zone, only authorized end-systems appear on the Control tab end-system views. ExtremeCloud IQ Site Engine users must have the appropriate capabilities to view end-system information or perform end-system operations, and then zone authorization lets them view and configure only a subset of end-systems based on zone.

ExtremeCloud IQ Site Engine also lets you use rule component groups as a way to limit a user’s access to rule group configuration operations in ExtremeCloud IQ Site Engine. Users are only authorized to view or make changes to a subset of rule component groups. Whenever a user initiates a change to a rule component group, such as adding or removing an end-system to or from a group, a check is performed to verify that the user is authorized to change that rule group.

  NOTE: If you want to deny user access to ExtremeCloud IQ Site Engine end-system information (versus just limiting access), you must utilize authorization group capabilities, independent of the zone configuration.

Preliminary Steps

Before you configure your end-system zones, plan the authorized end-system zones and authorized rule component groups for each of your ExtremeCloud IQ Site Engine user groups.

Plan Your End-System Zones

Create a worksheet that lists your end-system zones, the rules with which they will be associated, and the Access Control profile you will assign.

For example, the following table outlines the zones for an enterprise based on various business departments and their location.

| Rule Name | Rule Summary | NAC Profile | Zone |
|---|---|---|---|
| Salem Sales | End-systems in Salem Sales | Sales Profile | Salem Zone |
| Salem Engineering | End-systems in Salem Engineering | Engineering Profile | Salem Zone |
| Salem Test Lab | End-systems in Salem Test Lab | Lab Profile | Salem Zone |
| New York Sales | End-systems in New York Sales | Sales Profile | New York Zone |
| New York Engineering | End-systems in New York Engineering | Engineering Profile | New York Zone |
| New York Test Lab | End-systems in New York Test Lab | Lab Profile | New York Zone |
| Registered Guests | End-Systems in Registered Guests | Guest Access | Guest Zone |
| Default Catch-all | End-systems in catch-all | Quarantine Access | |

Determine User Group Zone Authorization

Create a worksheet that lists your user groups and their authorized zones and rule component groups. ExtremeCloud IQ Site Engine users are assigned end-system zone and rule group authorization based on their user group membership. Before executing any end-system operation available in ExtremeCloud IQ Site Engine, the user's authorization to manage that end-system must be validated. Whenever a user initiates a change to a rule group, a check must be performed to determine if the user is authorized to change that rule group.

  NOTES: Some operations modify several rule component groups. For example, adding an end-system to one rule group may delete that end-system from another group. In this case, the user must be authorized to change both groups.

If an end-system has no zone, only unrestricted users can view it.

Continuing the example above, the user group authorization worksheet might look like this:

| User Group | Authorized Zones | Authorized Rule Component Groups |
|---|---|---|
| ExtremeCloud IQ Site Engine Administrator | [unrestricted] | [unrestricted] |
| Salem Help Desk | Salem Zone, Guest Zone | Salem Sales, Salem Engineering, Salem Lab |
| New York Help Desk | New York Zone, Guest Zone | New York Sales, New York Engineering, New York Lab |
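
The two worksheets can be checked against each other before anything is configured. The following Python model is an added example, not ExtremeCloud IQ Site Engine code or API: the function names are hypothetical, and it assumes an end-system's zone is the one set by the rule it matched and that the user already holds the required capabilities.

```python
# Added illustration: models the worksheet checks; not ExtremeCloud IQ Site Engine code.
UNRESTRICTED = "[unrestricted]"

# Rule -> zone, copied from the zone worksheet (Default Catch-all assigns no zone).
RULE_ZONE = {
    "Salem Sales": "Salem Zone", "Salem Engineering": "Salem Zone",
    "Salem Test Lab": "Salem Zone", "New York Sales": "New York Zone",
    "New York Engineering": "New York Zone", "New York Test Lab": "New York Zone",
    "Registered Guests": "Guest Zone", "Default Catch-all": None,
}

# User group -> (authorized zones, authorized rule component groups).
USER_GROUPS = {
    "ExtremeCloud IQ Site Engine Administrator": (UNRESTRICTED, UNRESTRICTED),
    "Salem Help Desk": ({"Salem Zone", "Guest Zone"},
                        {"Salem Sales", "Salem Engineering", "Salem Lab"}),
    "New York Help Desk": ({"New York Zone", "Guest Zone"},
                           {"New York Sales", "New York Engineering", "New York Lab"}),
}

def can_view(user_group, rule_name):
    """True if the group may see an end-system that matched rule_name."""
    zones, _ = USER_GROUPS[user_group]
    if zones == UNRESTRICTED:
        return True
    zone = RULE_ZONE[rule_name]
    # An end-system with no zone is visible to unrestricted users only.
    return zone is not None and zone in zones

def can_change(user_group, touched_groups):
    """True only if every rule component group the operation modifies is authorized."""
    _, groups = USER_GROUPS[user_group]
    return groups == UNRESTRICTED or set(touched_groups) <= groups

def unviewable_by_restricted_groups():
    """Rules whose end-systems no restricted user group can view."""
    restricted = [g for g, (z, _) in USER_GROUPS.items() if z != UNRESTRICTED]
    return sorted(r for r in RULE_ZONE
                  if not any(can_view(g, r) for g in restricted))
```

Run against this plan, `unviewable_by_restricted_groups()` reports only the Default Catch-all rule, so quarantined end-systems would be handled by unrestricted administrators alone.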

Configuring Zones in ExtremeCloud IQ Site Engine

Use the following steps to configure your end-system zones:

  1. Configure the end-system zones for your ExtremeCloud IQ Site Engine user groups:
    1. In ExtremeCloud IQ Site Engine, select Control > Access Control.
    2. In the left panel, select Configuration > Global & Engine Settings > Manage End System Zones.
    3. In Manage End-System Zones, select an ExtremeCloud IQ Site Engine user group in the list and select the Edit button.
    4. In Edit User Group, use the drop-down lists to configure the end-system zones that users in the group will be authorized to manage and the rule component groups that they will be allowed to modify.
    5. Close Edit User Group to return to Manage End-System Zones.
    6. Repeat these steps to configure all your user groups. Any changes made to a user group's capabilities do not take effect for the user until the next time they log in.
  2. Associate your zones with the appropriate Access Control rule.
    1. In the left panel, select Configuration > Configurations.
    2. In the left panel under Configurations, expand a configuration and select Rules.
    3. In the right panel, select the down arrow icon next to a column heading and select the Columns > Zone checkbox to add a Zone column to the rule list.
    4. In the rule list, select a rule you want to associate with a zone.
    5. Select the Edit button to open the Edit Rule window.
    6. Scroll to the Actions section and select the button.
    7. In the Zone drop-down list, select a zone to associate with the rules. You may need to first add your zones by selecting New.
    8. Click Save. The zone name appears in the Zone column in the rule list.
    9. Perform these steps until all of your zones are associated with the appropriate rules.
