on 07-16-2024 09:39 AM - edited on 01-03-2025 05:19 PM by emgarcia
After synchronizing your directory with Cloud Identity Engine (CIE) you are now able to create groups of users within the CIE console. Users can be added to a group indefinitely or for specific time periods. These groups are never sent back to the directory and are exclusively for use on the Palo Alto Networks platform.
As organizations grow, the need for specialized work increases. Tasks that used to take a fraction of one person’s time start to take up enough of their time that they need to hire someone to help. Over time, this grows into entire teams required to manage increasingly complex tasks and to serve additional teams within the organization. This, ironically, leads to even greater demand on the internal team and longer response times. If this sensation is familiar to you, you’ll likely relate to some of the customers I’ve spoken to.
“We have physical NGFW in both of our data centers as well as Prisma Access to secure our more than 300 remote networks across North America. Like all manufacturers we are really thoughtful about how we lock down branch access to specific users as well as track their activities - especially 3rd parties like OT equipment vendors who we only want to provide access to for a specific amount of time.
As a networking team we don’t have access to the company’s directory and we cannot make our own groups that are required to apply the granular security policy to achieve Zero Trust.”
Groups within organizations are overwhelmed not only with their day-to-day roles but also with ensuring they provide high-quality service to their colleagues internally. We can see this clearly in the quote above. This specific person is trying to manage and secure a massive network, waiting weeks or months for changes they need right now, and they lack the tools to drive their own goals. That was, until On Demand Group Assignment was released on the Cloud Identity Engine.
The introduction of On Demand Group Assignment in the Cloud Identity Engine has put the power into the networking team’s hands to create and manage groups of users without needing to wait weeks or months for the identity team to create them.
“With On Demand groups in Cloud Identity Engine we can now whip out a new group as soon as we see a change in behavior on the network and we’re a lot further along with Zero Trust to boot.”
When you create an On Demand group you are selecting users from the list of all users in your organization that you have synchronized with the Cloud Identity Engine. When you select a user to put in a group, they will remain there until you remove them, unless you add a “Time Duration” to the user. With the Time Duration you can add users to a group for a period of one day up to 180 days (6 months). Once that time has passed, they will automatically be removed from the group.
These groups and their membership are not synchronized with the identity provider, so you don’t need to worry that the groups you are creating will appear in places outside of the Palo Alto Networks platform, confusing and frustrating identity and directory teams.
For both new and existing customers the process to create your first On Demand group is the same.
Follow our documentation to:
Once the users are added and their time durations are assigned, the On Demand User Group will be populated the next time Cloud Identity Engine performs a delta synchronization with your directory service.
Please find more information on the techdocs page here.