Adaptive User Segmentation

Illumio's Adaptive User Segmentation (AUS) allows you to leverage Microsoft Active Directory User Groups to control access to computing resources in your organization. With this feature, you can create user groups in the PCE that map directly to your Active Directory Groups.

Overview of Adaptive User Segmentation

You can then write rules with these groups so that you can control outbound access on specific workloads—such as a VDI desktop—based on the group membership of the user logged in to that workload.

For example, you might want to allow only employees in the Sales user group to access the ERP application, and deny it to users in HR. Likewise, you might want HR users to access only HR applications rather than every internal resource.

If you have a Windows workload that controls access to other resources in your network, such as a VDI desktop that has the VEN installed on it, you can add both the VDI desktop workload and the Active Directory User Groups to the rule. Because PCE policy is an allowlist, users logged in to that desktop can then reach only the resources that the rules explicitly allow for their group.

This type of rule is shown in the image below: the VDI desktop and the AD User Group are added as the consumers in a ruleset, and the entities that those users are allowed to access are added as providers:

Add Active Directory User Groups

  1. From the PCE web console menu, choose Policy Objects > User Groups.
  2. In the User Groups page, click Add.
  3. In the Add User Group page, enter a name, the security identifier (SID), and a description for the Active Directory Group. The SID is the group's objectSid value from Active Directory in its string form (S-1-5-21-<domain identifiers>-<RID>); the PCE matches it against the group SIDs reported for the logged-in user, so the name and description are for your reference only.
  4. Click Save.

    The new Active Directory Group appears in the User Groups list. You can now use the user group in a ruleset to control access to specific workloads.

NOTE:

The User Groups list displays a maximum of 100 User Groups.
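Because the PCE matches on the SID rather than the group name, a mistyped or wrong-kind SID silently produces a user group that never matches anyone. The following is an added example (not Illumio code or part of the original page) that decodes the binary objectSid attribute as returned by an LDAP query into the S-1-... string you paste into the Add User Group page, encodes it back for a round-trip check, and confirms that the value is a domain-group SID rather than a well-known local one. The domain identifiers, the group name CONTOSO\Sales and its RID 1107 are constructed for the example.

```python
"""Check a Windows group SID before entering it in the PCE User Groups page.

Added example for this page, not Illumio's code. It assumes the SID comes
either from the group's binary LDAP attribute objectSid or from a string
such as the output of Get-ADGroup, and that you want to confirm it is a
well-formed domain-group SID before saving it.
"""
import re
import struct

# Domain SIDs have the form S-1-5-21-<d1>-<d2>-<d3>-<RID>: NT authority (5),
# the "domain" sub-authority (21), three 32-bit domain identifiers, and the
# relative identifier (RID) of the account or group.
_DOMAIN_SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-(\d+)$")

# Constructed sample: raw objectSid bytes for a hypothetical group
# CONTOSO\Sales (RID 1107) in domain S-1-5-21-3623811015-3361044348-30300820.
SAMPLE_OBJECTSID = bytes.fromhex(
    "01 05 00 00 00 00 00 05 15 00 00 00 c7 f7 fe d7 "
    "7c 77 55 c8 94 5a ce 01 53 04 00 00"
)


def sid_bytes_to_str(raw: bytes) -> str:
    """Decode the binary objectSid layout into the familiar S-1-... string."""
    if len(raw) < 8:
        raise ValueError("SID too short: %d bytes" % len(raw))
    revision, count = raw[0], raw[1]
    if revision != 1:
        raise ValueError("unsupported SID revision %d" % revision)
    if not 1 <= count <= 15 or len(raw) != 8 + 4 * count:
        raise ValueError("sub-authority count %d does not match %d bytes" % (count, len(raw)))
    authority = int.from_bytes(raw[2:8], "big")        # 48-bit, big-endian
    subs = struct.unpack_from("<%dI" % count, raw, 8)  # 32-bit each, little-endian
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))


def sid_str_to_bytes(sid: str) -> bytes:
    """Encode a decimal S-1-... string back into binary; raises on malformed input."""
    fields = sid.split("-")
    if len(fields) < 4 or fields[0] != "S" or not all(f.isdigit() for f in fields[1:]):
        raise ValueError("malformed SID string: %r" % sid)
    revision, authority = int(fields[1]), int(fields[2])
    subs = [int(f) for f in fields[3:]]
    if revision != 1 or authority >= 1 << 48 or not 1 <= len(subs) <= 15:
        raise ValueError("SID field out of range: %r" % sid)
    if any(s >= 1 << 32 for s in subs):
        raise ValueError("sub-authority exceeds 32 bits: %r" % sid)
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def domain_group_rid(sid: str):
    """Return the RID if `sid` is a well-formed domain SID, otherwise None.

    Well-known local SIDs such as S-1-1-0 (Everyone) or S-1-5-32-544
    (BUILTIN Administrators) are not Active Directory groups and yield None.
    Raises ValueError if the string is not a syntactically valid SID at all.
    """
    sid_str_to_bytes(sid)  # range and syntax check; raises on bad input
    m = _DOMAIN_SID_RE.match(sid)
    return int(m.group(1)) if m else None


if __name__ == "__main__":
    sid = sid_bytes_to_str(SAMPLE_OBJECTSID)
    print(sid, "-> domain group RID", domain_group_rid(sid))
    for candidate in ("S-1-1-0", "S-1-5-32-544", "S-1-5-21-1-2-3-4294967296"):
        try:
            print(candidate, "->", domain_group_rid(candidate))
        except ValueError as exc:
            print(candidate, "-> rejected:", exc)
```

On a domain-joined Windows host the same string is available directly with the ActiveDirectory module, for example `(Get-ADGroup -Identity Sales).SID.Value`; the decoder above is for the case where you pull objectSid over LDAP from a non-Windows management host. A `None` result from `domain_group_rid` means the value is a local or well-known SID, not an AD group, and is not what the User Groups page expects.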

User Group-Based Rules for AUS

  1. From the PCE web console menu, choose Rulesets and Rules.
  2. In the Rulesets list, click Add.
  3. Enter a name for the ruleset.
  4. Select an Application, Environment, and Location label to define the ruleset scope.
  5. Click Save.

    In the Rules for Scopes section, you can start writing identity-based rules.

  6. From the Providers drop-down list, select the workloads or labels that the user group should be allowed to access.
  7. In the Providing Services field, select the service that the user group should be able to reach on the providing workloads.
  8. In the Consumers field, select the workload that your users log in to (for example, the VDI desktop) and whose outbound access to other workloads in your organization you want to control.
  9. Also in the Consumers field, select the user group that should be allowed to reach the providers from that workload. The rule matches only when both the consuming workload and the logged-in user's group membership match.
  10. Click Add.
  11. Click Save.

    To enact these changes on the workloads this ruleset affects, provision your changes. See Provision Changes for more information.