Tutorial: Use Zero Trust Access
- Updated Aug 3, 2023
- Vancouver
- Platform Security
Procedure for using the zero trust access feature, shown as an end-to-end use case.
Before you begin
Role required: security_admin
Enable the Enable Session Access property.
- Session Access configuration requires the security_admin role. Elevate your role to security_admin before you begin.
- Session Access is a web-only feature and doesn't apply to mobile app logins.
- Session Access doesn't apply to integrations.
- Session Access has no effect if the role being removed or limited isn't assigned to the user. The logged-in session is unchanged and the user continues to access the instance with their assigned privileges.
- A policy configured while a user is already logged in has no effect on that session. The user must log out and log in again for the policy to take effect.
- Session Access is enforced at login time only. A change in risk parameters during the session doesn't reduce access. For example, a user who switches from the corporate network to an untrusted network after establishing the session keeps the roles granted at login until they log out and log in again.
Session Access is a feature that enables administrators to dynamically reduce or restrict the set of roles granted to a user when the user logs in to the instance from a different environment, such as an untrusted network or a different device.
Session Access is controlled by the policy you create and the roles action you select during configuration. Some of the scenarios are as follows:
- If the policy evaluates to true and the roles action is set to Remove Roles, the selected roles and their child roles are removed from the user for the session being established at login.
- If the policy evaluates to true and the roles action is set to Limit To Roles, only the selected roles and their child roles are granted to the user for the session being established at login.
The following procedure explains an end-to-end Session Access configuration in which the roles of the user logging in to the instance are limited. You can remove roles instead by selecting the Remove Roles option during the configuration.
Procedure