Adaptive User Segmentation

Illumio's Adaptive User Segmentation (AUS) lets you use Microsoft Active Directory user groups to control access to computing resources in your organization. With this feature, you create user groups in the PCE that map one-to-one to your Active Directory groups.

Overview of Adaptive User Segmentation

After you create the user groups, you can write rules with them to control outbound access from specific workloads, such as a VDI desktop, based on the Active Directory group membership of the user logged in to that workload.

For example, you might want to allow only users in the Sales group to reach the ERP application and deny it to users in HR. Likewise, you might want HR users to reach only HR applications rather than all internal resources.

If you have a Windows workload with the VEN installed that acts as a gateway to other resources on your network, such as a VDI desktop, you can add both that workload and one or more Active Directory User Groups to the rule. Such a rule permits connections from the workload only according to the logged-in user's group membership, and those users can reach only the resources the rules explicitly allow.

In the PCE web console, this type of rule shows the VDI desktop workload and the AD User Group together as the consumers of the ruleset, with the entities those users are allowed to reach as the providers.

Add Active Directory User Groups

  1. From the PCE web console menu, choose Policy Objects > User Groups.
  2. In the User Groups page, click Add.
  3. In the Add User Group page, enter a name, the group's security identifier (SID), and a description for the Active Directory group. The PCE identifies the group by its SID, so copy the SID from Active Directory rather than typing it by hand.
  4. Click Save.

    The new Active Directory Group appears in the User Groups list. You can now use the user group in a ruleset to control access to specific workloads.

NOTE:

A maximum of 100 User Groups can be displayed.
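The procedure above asks for each group's SID but not how to obtain it. The following PowerShell script is an added example, not code from the Illumio documentation or product: run it on a domain-joined Windows host to resolve the SID of each Active Directory group you intend to map, reject values that are not domain group SIDs, and produce a Name/SID/Description table ready to enter in Policy Objects > User Groups. The domain name, group names and descriptions are placeholders (assumptions); replace them with your own.

```powershell
# Added example, not part of the Illumio documentation or product.
# Resolves the SID of each Active Directory group you plan to map to a PCE
# User Group, checks that it is really a domain group SID, and emits a table
# (Name, SID, Description) to copy into Policy Objects > User Groups.
# The domain and group names below are placeholders (assumptions).

function Resolve-DomainGroupSid {
    param(
        [Parameter(Mandatory)][string]$Domain,
        [Parameter(Mandatory)][string]$Group
    )
    # Translate DOMAIN\Group to a SID through the local security subsystem.
    # This needs line of sight to a domain controller but not the RSAT module.
    # With RSAT installed, (Get-ADGroup -Identity $Group -Server $Domain).SID.Value
    # returns the same value.
    $account = New-Object System.Security.Principal.NTAccount($Domain, $Group)
    try {
        $sid = $account.Translate([System.Security.Principal.SecurityIdentifier])
    }
    catch [System.Security.Principal.IdentityNotMappedException] {
        throw "Cannot resolve '$Domain\$Group': check the spelling and domain connectivity."
    }

    # Only SIDs of the form S-1-5-21-<domain id>-<RID> identify objects in a
    # domain. BUILTIN (S-1-5-32-*) and other well-known SIDs are per-machine or
    # universal and do not correspond to an Active Directory group.
    if ($sid.Value -notmatch '^S-1-5-21-\d+-\d+-\d+-(\d+)$') {
        throw "'$Domain\$Group' resolved to $($sid.Value), which is not a domain group SID."
    }

    # RID 513 is Domain Users: every domain account is a member, so a rule that
    # consumes it grants access to everyone who can log in, not to a segment.
    if ([int]$Matches[1] -eq 513) {
        Write-Warning "'$Domain\$Group' is Domain Users; a rule on it is not selective."
    }
    return $sid.Value
}

# Assumed group list; replace with your own. Description is free text for the PCE.
$groups = @(
    @{ Domain = 'CORP'; Group = 'Sales'; Description = 'Sales staff allowed to reach ERP' },
    @{ Domain = 'CORP'; Group = 'HR';    Description = 'HR staff limited to HR applications' }
)

$groups | ForEach-Object {
    [pscustomobject]@{
        Name        = "$($_.Domain)\$($_.Group)"
        SID         = Resolve-DomainGroupSid -Domain $_.Domain -Group $_.Group
        Description = $_.Description
    }
} | Tee-Object -Variable resolved | Format-Table -AutoSize

# Keep a copy with your change record: a group that is deleted and re-created
# in Active Directory gets a new SID, and the PCE User Group must be updated.
$resolved | Export-Csv -Path .\pce-user-groups.csv -NoTypeInformation
```

Renaming a group in Active Directory does not change its SID, so the PCE mapping survives a rename; deleting and re-creating the group does change it, which is why the script keeps a CSV record to compare against later.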

User Group-Based Rules for AUS

  1. From the PCE web console menu, choose Rulesets and Rules > Rulesets.
  2. In the Rulesets list, click Add.
  3. Enter a name for the ruleset.
  4. Select an Application, Environment, and Location label to define the ruleset scope.
  5. Click Save.

    In the Rules section, you can start writing identity-based rules.

  6. If necessary, expand the Intra-Scope Rule section.
  7. In the Consumers drop-down list, select the user group whose members should be granted access, together with the workload (such as the VDI desktop) from which those users connect.
  8. From the Providers drop-down list, select the workloads or labels that the user group is allowed to access.
  9. In the Services drop-down list, select the service that you want the user groups to be able to access on the providing workloads.
  10. Click the Save icon at the end of the row.
  11. To add more rules to the ruleset, click the Add (+) icon.

To enact these changes on the workloads this ruleset affects, provision your changes. See Provision Changes for more information.