
Illumio Security Policy Guide 25.4

Adaptive User Segmentation

Illumio's Adaptive User Segmentation (AUS) allows you to leverage Microsoft Active Directory User Groups to control access to computing resources in your organization. With this feature, you can create user groups in the PCE that map directly to your Active Directory Groups.

Overview of Adaptive User Segmentation

You can then write rules that use these groups to control outbound access from specific workloads, such as a VDI desktop, based on the Active Directory group membership of the user logged in to that workload.

For example, you may want to restrict access to the ERP application to only employees in the Sales user group and not to users in the HR department. You may also wish to allow HR users to access only HR applications, but not all internal resources.

If you have a Windows workload that users log in to before reaching other resources in your network, such as a VDI desktop with the VEN installed, you can add both the VDI desktop workload and the Active Directory User Groups to the rule. A rule of this type grants the logged-in user access only to the resources the rules explicitly allow for their group; traffic to any other destination remains blocked.

Add Active Directory User Groups

  1. From the PCE web console menu, choose Policy Objects > User Groups.

  2. On the User Groups page, click Add.

  3. On the User Group page, enter the name, security identifier (SID), and description of the Active Directory Group. The PCE matches the group by its SID, so the name and description are for your reference only.

  4. Click Save.

    The new Active Directory Group appears in the User Groups list. You can now use the user group in a policy to control access to specific workloads.

Note

A maximum of 100 User Groups can be displayed.
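Step 3 above needs the group's SID string, and a mistyped or wrong-type SID silently produces a user group that never matches anyone. The following PowerShell is an added example, not code from the Illumio guide, showing one way to resolve Active Directory group names to their SIDs and to sanity-check each result before entering it in the PCE. The function name, the Sales and HR group names, and the domain taken from the current session are all assumptions for illustration.

```powershell
# Added example (not part of the Illumio guide): resolve AD group names to the SID
# string entered on the PCE User Group page, and flag anything that is not a
# domain group SID. Group names and domain below are hypothetical.

function Get-AusGroupSid {
    param(
        [Parameter(Mandatory)] [string[]] $GroupName,
        # Default to the domain of the current session; override for other domains.
        [string] $Domain = $env:USERDOMAIN
    )
    foreach ($name in $GroupName) {
        try {
            # NTAccount -> SecurityIdentifier translation asks the domain controller
            # directly, so no RSAT ActiveDirectory module is required.
            $account = New-Object System.Security.Principal.NTAccount($Domain, $name)
            $sid     = $account.Translate([System.Security.Principal.SecurityIdentifier])
            [pscustomobject]@{
                Group       = "$Domain\$name"
                SID         = $sid.Value
                # Domain groups (including Domain Users, RID 513) carry the domain's
                # S-1-5-21-<three sub-authorities>-<RID> prefix. Built-in or well-known
                # principals such as BUILTIN\Administrators (S-1-5-32-544) do not
                # identify a single AD group and should not be used for AUS.
                IsDomainSid = $sid.Value -match '^S-1-5-21-\d+-\d+-\d+-\d+$'
            }
        } catch {
            # Typos or groups in another domain surface here instead of as a bad SID.
            Write-Warning "Could not resolve '$Domain\$name': $($_.Exception.Message)"
        }
    }
}

# Usage: resolve the two groups from the example in the text.
Get-AusGroupSid -GroupName 'Sales', 'HR' | Format-Table -AutoSize
```

If the RSAT ActiveDirectory module is installed, `(Get-ADGroup -Identity 'Sales').SID.Value` returns the same string and additionally lets you confirm the group scope. Either way, copy the SID into the PCE from the command output rather than from a screenshot, and treat any row where IsDomainSid is False as not suitable for a user group.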

User Group-Based Rules for AUS

  1. From the PCE web console menu, select Policies.

  2. In the Policies list, click Add.

  3. Choose to create a policy from scratch, and enter a name and description for the policy.

  4. Select an Application, Environment, and Location label to define the policy scope.

  5. Click Add Rule and select the rule type:

    Figure 1. Add Rule


  6. From the Source drop-down list, select the user group, together with the workload or labels for the VDI desktop the users log in to, that should be granted access. User groups are always used on the Source side of a rule, because the rule controls outbound traffic from the workload where the user is logged in.

  7. From the Destinations drop-down list, select the workloads or labels that the user group should be allowed to reach.

  8. In the Services drop-down list, select the service that the user group may access on the destination workloads.

  9. Click the Save icon at the end of the row.

  10. Provision the changes. The rule is not enforced on the VENs until it has been provisioned.