This article explains the changes regarding unifying User Awareness users and SDP users into a single user identity.
Managing users and enforcing policies are key components of an administrator's role in controlling user access. Over the next few weeks, Cato is enhancing how you manage users and enforce policies by unifying users into a single user identity. Currently there are User Awareness users and SDP users; these will be unified into a single user. This simplifies operations for administrators and increases visibility when applying policies.
This diagram summarizes the changes:
In an Internet Firewall policy, a User Awareness user is included in a rule that blocks access to gambling apps.
Currently, access to gambling apps is only blocked behind a site. To also block gambling apps remotely, you need to add the SDP user to the rule.
With a single user identity, gambling apps are blocked whether the user is behind a site or remote.
The single user identity includes several improvements for your account.
Currently there are two types of users in the Cato Management Application:
User Awareness users (Users) who can access the network behind a site
SDP users (SDP Users) who can access the network remotely
The single user identity in the Cato Management Application will be called User. This creates a more intuitive way to apply policies that keep your network secure.
Currently, User Awareness users only have policies enforced when they connect behind a site, and SDP users only have policies enforced when they connect remotely. For the same policy to apply both behind a site and remotely, admins need to include both a User Awareness user and an SDP user in the rule.
With the single user identity, after you add a User to a policy, it is enforced whether the user is located behind a site or remote. This provides a consistent experience for managing users across the system, and you no longer have to manage two user types in all your policies and configurations.
Changes to User Groups
All existing user groups are updated to only include a single user identity.
For example, a user group previously contained two items for Anna Bay: an SDP user and a User Awareness user. After the enhancement, the user group contains a single user identity for Anna Bay. The policies are enforced for Anna Bay whether she is located at the office or working from home.
For the system group All SDP Users, policies are only enforced when users are working remotely. The policies are NOT enforced when the users are located at the office.
These are the new system user groups:
All Users - policies are enforced whether users in this group are located at the office or working remotely.
All Manual Users - users created manually in the Cato Management Application (only for assigning licenses, cannot be used in policies)
All SCIM Users - users provisioned from an IdP using SCIM (only for assigning licenses, cannot be used in policies)
All LDAP Users - users provisioned from an IdP using LDAP (only for assigning licenses, cannot be used in policies)
Updates to SCIM and LDAP User Provisioning
These are the updates to how users are provisioned with both SCIM and LDAP.
A license is required for a user to connect to the network remotely. Licenses will no longer be assigned as part of user provisioning (SCIM or LDAP); instead, they are assigned and managed for Users and User groups from the new Access > License Assignment page. This increases visibility for administrators, as they can manage licenses from a single page.
Users must be provisioned with an email address to be assigned a license; First Name and Last Name are not required fields.
Users are sent invitation emails after the license is assigned.
All users are created without mandatory fields (for example, an email address is not required at provisioning time).
In Azure, users can authenticate with email or UPN depending on your Azure configuration.
There are two updates to how users are provisioned with LDAP.
Groups that you select are synced automatically, without needing to specify whether the group contains User Awareness users or SDP users.