Author Topic: HTTP Proxy - Multiple Groups Per User Help  (Read 1727 times)

mat1_8

  • Zen Monk
  • **
  • Posts: 99
  • Karma: +0/-1
HTTP Proxy - Multiple Groups Per User Help
« on: April 30, 2014, 08:53:05 am »
Hi,

I want to configure the HTTP proxy to be able to work with multiple groups per user. I am facing a difficulty since each group has different policies.

For example, let's take the scenario below:

Group Basic - can access any website except Social Networking, Webmail and Online Shopping
Group Social Networking - can access all of the Group Basic + Social Networking
Group Webmail - can access all of the Group Basic + Webmail
Group Online Shopping - can access all of the Group Basic + Online Shopping

User 1 - can access Group Basic Only
User 2 - can access Group Basic + Social Networking
User 3 - can access Group Basic + Social Networking + Webmail
User 4 - can access Group Basic + Online Shopping + Webmail

As you can see from the examples above, each user is a member of different groups that each have different policies. The problem is that if I put Group Basic as the FIRST policy, other users that are members of the other three groups and which are all members of the Group Basic cannot access Facebook, Gmail etc... Reason being since these are being blocked by the Group Basic policy. In such case, do I need to create all the different combinations of groups and users? Don't know if Zentyal would be able to compare two different groups and decide if the website will be blocked or allowed? Thanks

mat1_8

Re: HTTP Proxy - Multiple Groups Per User Help
« Reply #1 on: May 02, 2014, 06:47:55 am »
Bump

robb

  • Guest
Re: HTTP Proxy - Multiple Groups Per User Help
« Reply #2 on: May 02, 2014, 09:05:55 am »
I am not a real expert on firewalls, but I understood it like this:
I think you should take care of the order you set your policies.
As soon as there is a match for a rule, all other rules are not taken into account anymore.

example facebook:
You create a rule for 'all': deny facebook
You create a rule for 'group facebook': since facebook is already denied by 'all', this rule is not being executed.

So you should first create a rule to allow the facebookgroup to use facebook, then deny all to use facebook.

mat1_8

Re: HTTP Proxy - Multiple Groups Per User Help
« Reply #3 on: May 02, 2014, 09:38:38 am »
Hi Robb,

You have answered my question to the full. That's exactly what's happening in fact. When Zentyal matches the first rule, it does not check the other rules too. My thinking was if Zentyal would be able to match two rules together on separate groups. I will wait for others, maybe there is a solution, but it doesn't look like it.

jbahillo

  • Zentyal Staff
  • Zen Hero
  • *****
  • Posts: 1444
  • Karma: +77/-2
Re: HTTP Proxy - Multiple Groups Per User Help
« Reply #4 on: May 02, 2014, 11:58:17 am »
Hello: I'm afraid that's not something Zentyal itself can do, as the upstream proxy software (squid) works as robb said.

Thus you should not expect Zentyal to do so.

The only solution is, if you need a particular group of users to have two policies applied, to create a new group/object for these users, and a new policy (this being the sum of the two policies applied).

Based on your example:

Group Basic
Group Social Networking
Group Webmail
Group Online Shopping
Group Shopsocial
Group Shopwebmail
Group Socialwebmail
Group All

Policy Basic can access any website except Social Networking, Webmail and Online Shopping
Policy Social configured as of Basic without Social Networking restrictions
Policy Webmail configured as of Social without Webmail restrictions
Policy Shopping configured as of Social without shopping restrictions
Policy Shopsocial as of Basic without Social Networking, nor shopping restrictions
Policy Shopwebmail as of Basic without webmail, nor shopping restrictions
Policy Socialwebmail as of Basic without webmail, nor social restrictions
Policy All configured as of Basic without Social Networking, nor webmail, nor shopping restrictions

I know this is not as handy as using cumulative group permissions, but at least you will be able to set up the permissions you need.
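
The first-match behaviour and the combined-group workaround from the replies above, as an added illustration that is not part of any post and is not Zentyal or squid code. It is a small Python model: the group and policy names are constructed, and "no matching rule means deny" is an assumption of the model.

```python
from itertools import combinations

# Categories that Policy Basic blocks, taken from the thread's scenario.
RESTRICTED = ("social", "webmail", "shopping")

# Constructed sample data: the four users from the question and the
# extra categories each one should reach on top of Basic.
USERS = {
    "user1": set(),
    "user2": {"social"},
    "user3": {"social", "webmail"},
    "user4": {"shopping", "webmail"},
}

def first_match(rules, memberships, category):
    """Return the verdict of the first rule whose group the user is in."""
    for group, blocked in rules:
        if group in memberships:
            return "deny" if category in blocked else "allow"
    return "deny"  # assumption of this model: no matching rule means deny

def naive_verdict(user, category, basic_first=True):
    """Overlapping groups: every user is in Basic plus their extra groups."""
    basic = [("basic", set(RESTRICTED))]
    specific = [(c, set(RESTRICTED) - {c}) for c in RESTRICTED]
    rules = basic + specific if basic_first else specific + basic
    return first_match(rules, {"basic"} | USERS[user], category)

def combined_policies():
    """One policy per subset of unlocked categories: 2**3 = 8 in total."""
    policies = {}
    for n in range(len(RESTRICTED) + 1):
        for unlocked in combinations(RESTRICTED, n):
            name = "+".join(unlocked) or "basic"
            policies[name] = set(RESTRICTED) - set(unlocked)
    return policies

def combined_group_for(extras):
    """Name of the single combined group a user must be placed in."""
    return "+".join(c for c in RESTRICTED if c in extras) or "basic"

def combined_verdict(user, category):
    """Each user sits in exactly one combined group, so order is irrelevant."""
    rules = list(combined_policies().items())
    return first_match(rules, {combined_group_for(USERS[user])}, category)
```

Reordering the rules fixes the single-extra-group user but not the users with two extra groups, which is why the combined groups are needed.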

mat1_8

Re: HTTP Proxy - Multiple Groups Per User Help
« Reply #5 on: May 02, 2014, 12:28:00 pm »
Thanks a lot jbahillo so in that case we can still work something out :).