
Security Policy Guide 25.2.10

Adaptive User Segmentation

Illumio's Adaptive User Segmentation (AUS) allows you to leverage Microsoft Active Directory User Groups to control access to computing resources in your organization. With this feature, you can create user groups in the PCE that map directly to your Active Directory Groups.

Overview of Adaptive User Segmentation

You can then write rules that reference these groups to control outbound access from specific workloads, such as a VDI desktop, based on the group membership of the user logged in to that workload.

For example, you may want to restrict access to the ERP application to only employees in the Sales user group, but not to users in the HR department. You may wish to allow HR users to access only HR applications, but not all internal resources.

If you have a Windows workload that mediates access to other resources in your network, such as a VDI desktop with the VEN installed, you can add both the VDI desktop workload and the Active Directory User Groups to the rule. A rule of this type lets a user logged in to that workload reach only the resources the rules explicitly allow for their group.

Add Active Directory User Groups
  1. From the PCE web console menu, choose Policy Objects > User Groups.

  2. On the User Groups page, click Add.

  3. In the User Group page, enter a name, the group's Windows security identifier (SID), and a description for the Active Directory Group. The PCE matches the group by SID, so enter it exactly as it appears in Active Directory.

  4. Click Save.

    The new Active Directory Group appears in the User Groups list. You can now use the user group in a policy to control access to specific workloads.

Note

A maximum of 100 User Groups can be displayed.
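The form above asks for the group's SID rather than its name. The following PowerShell script is an added example (not part of the Illumio guide) that resolves AD group names to SIDs for pasting into the User Group page, warns about SIDs that are not domain-group SIDs, and, when run on the VDI desktop itself, checks whether the logged-in user's token actually carries a given group SID. It assumes the ActiveDirectory RSAT module is available in a domain-joined session; the group names `Sales` and `HR` are hypothetical.

```powershell
# Added example, not Illumio's own tooling. Requires the ActiveDirectory
# module (RSAT) and a domain-joined session. Group names are hypothetical.
Import-Module ActiveDirectory

$GroupNames = @('Sales', 'HR')   # hypothetical AD group names

function Get-PceUserGroupEntry {
    # Return the Name / SID / Description triple the PCE User Group page asks for.
    param([Parameter(Mandatory)][string]$Name)

    $group = Get-ADGroup -Identity $Name -Properties Description -ErrorAction Stop
    $sid   = $group.SID.Value

    # A domain group SID has the form S-1-5-21-<domain>-<RID>. Anything else
    # (for example S-1-5-32-544, BUILTIN\Administrators) is a well-known or
    # machine-local SID, not an AD group membership to key policy on.
    if ($sid -notmatch '^S-1-5-21-\d+-\d+-\d+-\d+$') {
        Write-Warning "$($group.Name) has non-domain SID $sid; check it before using it in a rule"
    }

    [pscustomobject]@{
        Name        = $group.Name
        SID         = $sid
        Description = $group.Description
        GroupScope  = $group.GroupScope
    }
}

function Test-CurrentUserInGroup {
    # Run on the VDI desktop: is the given SID present in the current logon token?
    # The VEN can only act on groups that are in the token, so a user added to the
    # group after logging in will not match until they log off and on again.
    param([Parameter(Mandatory)][string]$Sid)
    $token = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    return [bool]($token.Groups | Where-Object { $_.Value -eq $Sid })
}

$entries = foreach ($g in $GroupNames) { Get-PceUserGroupEntry -Name $g }
$entries | Format-Table -AutoSize

foreach ($e in $entries) {
    "{0} ({1}) in current user's token: {2}" -f $e.Name, $e.SID, (Test-CurrentUserInGroup -Sid $e.SID)
}
```

Copy the `SID` column into the User Group page exactly as printed. If `Test-CurrentUserInGroup` returns `False` on the VDI desktop for a user who should match, check the user's token with `whoami /groups` before suspecting the PCE rule: stale logon tokens and nested-group resolution are the usual causes.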

User Group-Based Rules for AUS
  1. From the PCE web console menu, select Policies.

  2. In the Policies list, click Add.

  3. Choose to create policy from scratch, and enter a name and description for the policy.

  4. Select an Application, Environment, and Location label to define the policy scope.

  5. Click Add Rule and select the rule type.

  6. From the Source drop-down list, select the user group together with the workloads or labels (for example, the VDI desktop) whose outbound access that user group should be granted.

  7. In the Services drop-down list, select the service that you want the user group to be able to reach on the destination workloads.

  8. Click the Save icon at the end of the row.

  9. Provision the changes. The rule has no effect on the VEN until it is provisioned.