User Guide

ManualsBrandsCisco Manualsantivirus security softwareCisco Web Security Appliance S170

131

132

133

134

135

136

137

138

139

140

POLICY GROUP MEMBERSHIP

CHAPTER 6: WORKING WITH POLICIES 113

POLICY GROUP MEMBERSHIP

All policy groups define which transactions apply to them. When a client sends a request to a

server, the Web Proxy receives the request, evaluates it, and determines to which policy group

it belongs. The Web Proxy applies the configured policy control settings to a client request

based on the client request’s policy group membership.

Transactions belong to a policy group for each type of policy that is enabled. If a policy type

has no user defined policy groups, then each transaction belongs to the global policy group

for that policy type.

Policy group membership for a Routing, Decryption, Access, Data Security, and External DLP

Policies is based on an Identity and optional additional criteria. That means that the Web

Proxy evaluates Identity groups before the other policy types. The Web Security appliance

allows you to define some membership criteria at either the Identity level or the non-Identity

policy level. For more information, see “Policy Group Membership Rules and Guidelines” on

page 115.

Suppose you define an Identity by subnet 10.1.1.0/24 and then create an Access Policy using

that Identity. The Access Policy membership applies to all IP addresses specified in the

Identity by default. You can then choose to configure the Access Policy membership so that it

applies to a subset of the addresses defined in the Identity, such as addresses 10.1.1.0-15.

For more information defining membership for each policy type, see the following sections:

• “Evaluating Identity Group Membership” on page 127

• “Evaluating Access Policy Group Membership” on page 152

• “Evaluating Decryption Policy Group Membership” on page 201

• “Evaluating Routing Policy Group Membership” on page 173

• “Evaluating Data Security and External DLP Policy Group Membership” on page 219

Authenticating Users versus Authorizing Users

The Web Security appliance separates where it authenticates users from where it authorizes

users.

Authentication is the mechanism by which the Web Proxy securely identifies a user. It

answers the following questions:

• Who is the user?

• Is the user really whom he/she claims to be?

Authorization is the mechanism by which the Web Proxy determines the level of access the

user has to the World Wide Web. It answers the following questions:

• Is this user allowed to view this website?

• Is this user allowed to connect to this HTTPS server without the connection being

decrypted?