Understanding the Single User Identity

This article explains the changes regarding unifying User Awareness users and SDP users into a single user identity.

Overview

Managing users and enforcing policies are key components of an administrator's role in controlling user access. Over the next few weeks, Cato is enhancing how you manage users and enforce policies by unifying users into a single user identity. Currently there are two separate user types, User Awareness users and SDP users; they will be unified into a single user. This simplifies operations for administrators and increases visibility when applying policies.

This diagram summarizes the changes:

[Diagram: summary of the changes to user identity]

Use Case - Enforcing an Internet Firewall Policy

In an Internet Firewall policy, a User Awareness user is included in a rule that blocks access to gambling apps.

  • Currently, access to gambling apps is only blocked when the user is behind a site. To also block gambling apps for remote users, you need to add the SDP user to the rule.

  • With a single user identity, gambling apps are blocked whether the user is behind a site or remote.

Understanding the Improvements to your Account

The single user identity includes several improvements for your account.

User Awareness Users and SDP Users are Unified into a Single Identity

Currently there are two types of users in the Cato Management Application:

  • User Awareness users (Users) who can access the network behind a site

  • SDP users (SDP Users) who can access the network remotely

The single user identity in the Cato Management Application will be called User. This creates a more intuitive way to apply policies that keep your network secure.

All Users Included on the Users Directory Screen

All users in your account will be shown on the Users Directory screen with a clear indication of users that have a license. This provides a single location for visibility of all your users.

[Screenshot: Users Directory screen]

Policies are Enforced Wherever the User Connects

Currently, User Awareness users only have policies enforced when they connect behind a site, and SDP users only have policies enforced when they connect remotely. For the same policy to apply both behind a site and remotely, admins need to include both a User Awareness user and an SDP user in the rule.

[Screenshot: firewall rule containing both a User Awareness user and an SDP user]

With the single user identity, after you add a User to a policy, it is enforced whether the user is located behind a site or remote. This provides a consistent experience for managing users across the system, and you no longer have to manage two user types in all your policies and configurations.

[Screenshot: firewall rule containing a single User]

Changes to User Groups

  • All existing user groups are updated to only include a single user identity.

    For example, a user group previously contained two items for Anna Bay: an SDP user and a User Awareness user. After the enhancement, the user group contains a single user identity for Anna Bay. The policies are enforced for Anna Bay whether she is located at the office or working from home.

  • For the system group All SDP Users, policies are only enforced when users are working remotely. The policies are NOT enforced when the users are located at the office.

  • These are the new system user groups:

    • All Users - policies are enforced whether users in this group are located at the office or working remotely.

    • All Manual Users - users created manually in the Cato Management Application (only for assigning licenses, can't be used in policies).

    • All SCIM Users - users provisioned from an IdP using SCIM (only for assigning licenses, can't be used in policies).

    • All LDAP Users - users provisioned from an IdP using LDAP (only for assigning licenses, can't be used in policies).

Assigning a License From the New License Assignment Screen

A license is required for a user to connect to the network remotely. Licenses are assigned and managed from the Access > License Assignment screen. This increases visibility for administrators, because they can manage all licenses from a single screen.

Users must be provisioned with an email address to be assigned a license. This is the same as the current behavior for assigning a license.

[Screenshot: License Assignment screen]

Updates to LDAP Provisioning

There are two updates to how users are provisioned with LDAP.

Importing Active Directory Groups

Groups that you select are synced automatically, without needing to specify whether the group contains User Awareness users or SDP users.

[Screenshot: LDAP group selection]

No Mandatory Fields

All users are created without any mandatory fields (for example, an email address is no longer required to create the user).

Identify Manually Created Users

You can identify manually created users who are behind a site by using the Cato Identity Agent. Users are only required to authenticate once.
