Assign SIA policy
After you create a policy, you can assign a policy to the following SIA features:
- Locations and sub-locations.
- Zero Trust Client or ETP Client traffic. If your organization uses Zero Trust Client or ETP Client, you can override the policy that’s set for the location and select a policy that’s applied only to client traffic when the client is on the corporate network. You can also select a policy for off-network client traffic.
- User groups that are associated with a directory. If your organization uses Zero Trust Client 6.0 and is licensed for Enterprise Application Access, you can associate SIA policy to a specific user group in a directory. This feature is currently in limited availability.
To learn how these policies are prioritized in case of conflicts, see Priority of SIA policies.
Location and sub-location policy
A location identifies the network or the regions in your network where Internet traffic originates. You can configure locations with static IP addresses or CIDR blocks, a dynamic DNS host for dynamic IP addresses, or the IKE ID and pre-shared key (PSK) of an IPsec tunnel.
A sub-location represents a segment in your network that’s routed to the Internet with the same IP as the parent location. You can assign a different policy to a location and its sub-locations, allowing you to define granular access to segments of your network.
To learn more about locations, see About locations.
To assign a policy to a location or sub-location, see Assign a location policy and Assign a policy to a sub-location.
Zero Trust Client or ETP Client policy
In a location configuration, you can choose to override the location policy for client traffic. This option lets you pick a policy for client traffic when the client is on the corporate network. To assign a policy to on-network client traffic, see Override location policy for the client.
You can assign a separate policy for client traffic that’s off the corporate network. For more information, see Assign a policy to the off-network location.
User group policy
You can apply a policy to a specific directory group or a collection of directory groups if your organization meets these requirements:
- Deploys Zero Trust Client 6.0. This feature only applies to traffic that arrives from Zero Trust Client (ZTC) 6.0. ZTC combines and improves upon the functionality of EAA Client and ETP Client to provide a one-stop solution where you can secure access to enterprise applications and protect your network from threats. To learn more about the client, see the Zero Trust Client documentation.
- Account includes Enterprise Application Access. Your organization's Control Center account must also include the Enterprise Application Access product.
- Uses identity providers. An identity provider and its associated directory are required for this implementation.
This configuration is completed from the Groups tab on the Locations page. After you select the identity provider, you can then choose the directory, any group or groups in that directory, and the policy you want to apply.
Note the following:
- You can select one group or multiple groups for each policy assignment.
- You cannot assign different policies to the same user group. After you select a group or multiple groups and assign them to a policy, the group or groups are no longer available for you to select in another group policy assignment.
- The policy you select cannot be assigned to a location or sub-location.
- If a user group does not have a specific policy assigned as part of this feature, then SIA policy is applied through your location configuration or other areas of your setup where an administrator assigned a policy.
- SIA supports a maximum of 500 group policy assignments. This is the combined limit across all the directories selected for this feature.
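The rules in this list can be checked against a planned set of assignments before you enter them in Enterprise Center. The following is an added example, not Akamai code or an SIA API: the plan format, directory, group, and policy names are hypothetical, and it assumes each group-set-to-policy pairing counts as one assignment toward the limit of 500.

```python
MAX_GROUP_ASSIGNMENTS = 500  # combined limit across all directories (from the notes above)


def validate_group_plan(assignments, location_policies):
    """Check planned group policy assignments against the documented rules.

    assignments: list of dicts with hypothetical keys
        {"directory": str, "groups": [str, ...], "policy": str}
    location_policies: set of policy names already assigned to a
        location or sub-location.
    Returns a list of violations; an empty list means the plan is consistent.
    """
    problems = []
    if len(assignments) > MAX_GROUP_ASSIGNMENTS:
        problems.append(
            f"{len(assignments)} assignments exceed the limit of {MAX_GROUP_ASSIGNMENTS}"
        )
    seen = {}  # (directory, group) -> index of the assignment that claimed it
    for idx, item in enumerate(assignments):
        if not item["groups"]:
            problems.append(f"assignment {idx}: no group selected")
        # A policy used for groups cannot also be a location/sub-location policy.
        if item["policy"] in location_policies:
            problems.append(
                f"assignment {idx}: policy '{item['policy']}' is assigned to a location"
            )
        # A group can appear in only one group policy assignment.
        for group in item["groups"]:
            key = (item["directory"], group)
            if key in seen:
                problems.append(
                    f"assignment {idx}: group '{group}' in '{item['directory']}' "
                    f"is already used by assignment {seen[key]}"
                )
            else:
                seen[key] = idx
    return problems


# Constructed sample plan; all names are placeholders.
SAMPLE_PLAN = [
    {"directory": "corp-ad", "groups": ["Engineering", "Contractors"], "policy": "restricted-web"},
    {"directory": "corp-ad", "groups": ["Finance"], "policy": "branch-office"},
    {"directory": "corp-ad", "groups": ["Contractors"], "policy": "guest-web"},
]
SAMPLE_LOCATION_POLICIES = {"branch-office"}

if __name__ == "__main__":
    for line in validate_group_plan(SAMPLE_PLAN, SAMPLE_LOCATION_POLICIES):
        print(line)
```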
To assign a policy to a directory group, see Assign a policy to a directory group.
The ability to assign a policy to a directory group is currently in limited availability. To use this feature, contact your Akamai representative.
In a policy, you can also configure the specific users and groups that are allowed to access websites and web applications. To learn more, see Application visibility and control.
Assign a policy to a directory group
Complete this procedure to assign SIA policy to specific directory user groups. This feature is currently in limited availability.
Before you begin:
- Make sure you’ve created the policies that you want to use for this configuration. For more information, see Create a policy.
- Make sure you’ve set up identity providers in SIA and associated directories to these identity providers. A directory configuration is required for this feature. For more information, see Manage an identity provider.
- Make sure you’ve set up and deployed Zero Trust Client 6.0. This version of the client is currently in limited availability. For instructions, see the Zero Trust Client documentation.
To assign a policy to a directory group:
- In the Threat Protection menu of Enterprise Center, select Locations.
- Click the Groups tab.
- Click Select identity provider.
- From the identity provider menu, select an identity provider and click Select identity provider.
- In the directory column, select a directory.
- Click the link icon and select a group or multiple groups. Click Associate.
- In the policy menu, select the policy that you want to assign to the selected group or groups.
- If you want to assign a different policy to a different user group, complete these steps:
  - Click Add groups condition.
  - Click the link icon and select a group or multiple groups. Click Associate.
  - In the policy menu, select the policy that you want to assign.
- Click the check mark icon to save the group policy assignment or assignments.
Next Steps:
Deploy group policy assignment or assignments to the SIA network.
- Click Pending Changes and in the Group Policy list of changes, select the changes that you want to deploy.
- Click Deploy.
- Enter a description of the changes and click Deploy.