on 07-19-2024 10:07 AM - edited on 01-03-2025 05:18 PM by emgarcia
After synchronizing your directory with Cloud Identity Engine (CIE), you can create user groups in the CIE console. Use attribute-value pairs with operators like "contains," "starts with," and exact matches, and combine them with and/or operators. Additionally, user risk data from Entra ID (formerly Azure AD) can be used in the matching criteria. These groups are only for use in the Palo Alto Networks platform and are not sent back to the directory.
To adhere to Zero Trust principles, policies must be based on usernames and groups instead of IP addresses. User-based policies and least privilege access policies provide greater security by ensuring consistent policy application regardless of login location, and by granting users access only to the resources necessary for their roles.
To implement these policies, enforcement points like Next-Generation Firewalls or Prisma Access need to collect user information and groups from a directory source. The Directory Synchronization feature in the Cloud Identity Engine simplifies this process, providing a unified interface to retrieve the necessary data for zero trust policy enforcement.
However, there remains a challenge, as illustrated by a customer's experience:
“We [a large entertainment company] purchased many smaller businesses over the last ten years. When we integrated their directory services we didn’t enforce consistency across them all. To create a group that contained users with a specific role across all of the purchased businesses, the identity team required the security and networking teams to undergo a process that often took months.”
Waiting weeks or months for user group creation is impractical. We developed attribute-based dynamic user groups to address this challenge by leveraging information already shared with the Cloud Identity Engine. Once your directory is synchronized, the collected user attributes can be used to create new groups within the Cloud Identity Engine for platform-wide use.
“With Attribute Based Dynamic User Groups we’re now able to make our own groups based on multiple attributes in minutes and will often test out groups for some time to make sure they’re capturing the right people before putting them in policy.”
You can create groups using attribute-value pairs synchronized from the connected directory, employing operators like "contains," "starts with," and exact matches. These pairs can be combined using AND/OR operators. User risk data from Entra ID is also available for use in the matching criteria. As attribute values change, users are automatically added or removed from the groups, and these changes are communicated to NGFW and Prisma Access.
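To make the matching model described above concrete, the following Python snippet is an added illustration, not Cloud Identity Engine code and not a description of how CIE implements the feature internally. The attribute names, the `riskLevel` field standing in for Entra ID user risk data, the sample directory records and the group rules are all constructed for the example.

```python
"""Toy evaluator for attribute-based dynamic group rules (illustrative, hypothetical)."""
from dataclasses import dataclass
from typing import Dict, Set, Tuple

# One synchronized directory record: attribute name -> attribute value (constructed shape).
User = Dict[str, str]


@dataclass(frozen=True)
class Condition:
    """A single attribute-value pair with a match operator."""
    attribute: str
    operator: str  # "equals" | "contains" | "starts_with"
    value: str

    def matches(self, user: User) -> bool:
        actual = user.get(self.attribute)
        if actual is None:
            return False  # a missing attribute never matches any operator
        a, v = actual.casefold(), self.value.casefold()  # case-insensitive compare (assumption)
        if self.operator == "equals":
            return a == v
        if self.operator == "contains":
            return v in a
        if self.operator == "starts_with":
            return a.startswith(v)
        raise ValueError(f"unknown operator: {self.operator}")


@dataclass(frozen=True)
class GroupRule:
    """Conditions combined with a single AND or OR combinator."""
    combinator: str  # "and" | "or"
    conditions: Tuple[Condition, ...]

    def matches(self, user: User) -> bool:
        if not self.conditions:
            raise ValueError("a group rule needs at least one condition")
        results = (c.matches(user) for c in self.conditions)
        if self.combinator == "and":
            return all(results)
        if self.combinator == "or":
            return any(results)
        raise ValueError(f"unknown combinator: {self.combinator}")


def evaluate_group(rule: GroupRule, directory: Dict[str, User]) -> Set[str]:
    """Return the usernames that satisfy the rule at this synchronization."""
    return {name for name, attrs in directory.items() if rule.matches(attrs)}


def membership_delta(previous: Set[str], current: Set[str]) -> Tuple[Set[str], Set[str]]:
    """(added, removed) between two consecutive evaluations of the same group."""
    return current - previous, previous - current


# Constructed sample directory; "riskLevel" stands in for Entra ID user risk data.
DIRECTORY: Dict[str, User] = {
    "alice": {"title": "Senior Network Engineer", "department": "IT-Networking", "riskLevel": "low"},
    "bob":   {"title": "Network Engineer",        "department": "Studio-IT",     "riskLevel": "low"},
    "carol": {"title": "Accountant",              "department": "Finance",       "riskLevel": "low"},
    "dave":  {"title": "Network Engineer",        "department": "Acquired IT",   "riskLevel": "high"},
}

# Hypothetical rule: anyone whose title contains "network engineer" AND whose risk is low.
NETWORK_ENGINEERS = GroupRule("and", (
    Condition("title", "contains", "network engineer"),
    Condition("riskLevel", "equals", "low"),
))

# Hypothetical rule: members of either of two inconsistently named IT departments (OR).
IT_DEPARTMENTS = GroupRule("or", (
    Condition("department", "starts_with", "IT"),
    Condition("department", "starts_with", "Studio"),
))


def run_sync_example() -> Tuple[Set[str], Set[str], Set[str], Set[str]]:
    """Two synchronizations: attributes change in between, membership follows."""
    first = evaluate_group(NETWORK_ENGINEERS, DIRECTORY)
    changed = {name: dict(attrs) for name, attrs in DIRECTORY.items()}
    changed["dave"]["riskLevel"] = "low"         # risk cleared in the IdP
    changed["bob"]["title"] = "Product Manager"  # role change
    second = evaluate_group(NETWORK_ENGINEERS, changed)
    added, removed = membership_delta(first, second)
    return first, second, added, removed


if __name__ == "__main__":
    first, second, added, removed = run_sync_example()
    print("first sync:", sorted(first))
    print("second sync:", sorted(second), "added:", sorted(added), "removed:", sorted(removed))
    print("IT departments:", sorted(evaluate_group(IT_DEPARTMENTS, DIRECTORY)))
```

The `membership_delta` step is the part worth noticing: because membership is recomputed from attributes on every synchronization rather than maintained by hand, a user whose title or risk level changes drops out of (or into) the group without anyone editing it, which is the behaviour the paragraph above describes being pushed to the enforcement points.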
For both new and existing customers, the process to create your first Attribute-based group is the same.
Follow our documentation to:
Once the group is created, users are added the next time Cloud Identity Engine synchronizes with the directory service, and the group is then available for use in policy.
Please find more information on the Tech Docs page here.