
Creating Security Groups

This section describes how to create security groups and set their attributes on a FW.

Context

Users and security groups on a FW reflect the horizontal organizational structure. You can configure policies to reference the security groups to implement network behavior control and permission management.

The following rules apply when you create security groups:

  • A security group can have no parent security group or up to a maximum of 40 parent security groups.
  • A user can belong to no parent security group or to a maximum of 40 parent security groups.
  • Dynamic security groups cannot be the parent group of any security group, but they can be members of static security groups.
  • Security groups can be referenced by policies. A policy that references a security group applies to all users in that security group, but not to users in its subgroups.

Procedure

  1. Choose Object > User.
  2. Select the authentication domain in which the group is to be created. By default, only the default authentication domain is available.
  3. In User/User Group/Security Group Management List or Manage Users by Organizational Structure, click Add and select Add Security Group.
  4. Set parameters for the security group.

    Parameter and description

    Name
      Name of the security group.

    Description
      Description of the security group. The description should clearly state the function of the security group so that it is easy to find and maintain.

    Security Group
      Parent group of the security group. Click Select. In Available, select the parent group of this security group, add it to Selected, and click OK.

    Security Group Type
      Set the security group type to static or dynamic.

    Members
      In Available, select existing users or security groups and add them to Selected.
      This parameter is available only when Security Group Type is set to Static.

    Filtering Conditions
      Set the user filtering conditions for a dynamic security group. Users on the Sun ONE LDAP or MS Active Directory server that meet the filtering conditions are selected as members of the dynamic security group. You can configure a maximum of five filtering conditions for each dynamic security group.
      1. In Filtering Conditions, click Add.
      2. Set Server Type to Sun ONE LDAP or MS Active Directory.
      3. In Attribute List, click Add. Enter Attribute, select Operator, enter a value in Value, and click OK.
         NOTE: In the attributes and values of a filtering condition, double quotation marks (") cannot be used together with spaces or question marks (?).
      4. Click Verify, select an authentication server, and click Start. This checks the configured filtering conditions against the specified server in real time.
      This parameter is available only when Security Group Type is set to Dynamic.

    Enable account sharing for this group
      Enables multi-IP login for all users in the security group at once: every user account in the security group can be shared and used to log in from multiple computers (IP addresses) concurrently. If this parameter is not selected, each user account in the security group can be logged in from only one computer (IP address) at a time. When the FW detects that an account is already online, it takes one of the following actions:
      • Forces the online user to log out. Authentication from the current IP address succeeds.
      • Notifies the online user that the account is being used from another IP address and keeps the online user logged in. Authentication from the current IP address fails.
      To view or change the action, choose Object > User > Authentication Option > Local Portal and see Authentication Conflict Setting.
      NOTE: Temporary users are not subject to the multi-IP login attribute of the user group or security group through which they go online. The device always allows temporary users to log in from multiple IP addresses.

    Enable Configuration Inheritance
      If this parameter is selected, the Enable account sharing for this group setting takes effect for users of the security group and of its sub-security groups. If it is not selected, the setting takes effect only for users newly added to the security group; users already in the security group and its subgroups are not affected.
      Inheritance is applied only once and is not saved in the configuration file. That is, the setting is not applied to subgroups or users that are added later.

  5. Click OK.
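The Filtering Conditions parameter above selects dynamic-group members by matching LDAP/AD attributes. The following Python model, added here and not part of the Huawei documentation or the FW's own code, shows how such attribute conditions decide membership and checks the documented rule that a filter attribute or value must not mix double quotation marks with spaces or question marks. The operator names (equal, not_equal, contains), the AND-combination of conditions, and the directory entries are assumptions made for this illustration.

```python
"""Added example, not from the Huawei documentation: a model of how a dynamic
security group selects members from LDAP/AD entries using attribute filtering
conditions, plus a check for the documented restriction that a filter attribute
or value must not mix double quotation marks with spaces or question marks.
The operator names, the AND-combination of conditions and the directory
entries below are assumptions made for this illustration."""
from dataclasses import dataclass

MAX_CONDITIONS = 5  # documented limit of filtering conditions per dynamic group
OPERATORS = ("equal", "not_equal", "contains")  # assumed operator names


class FilterError(ValueError):
    """A filtering condition violates one of the documented rules."""


def is_valid_token(text: str) -> bool:
    """Documented rule: a double quotation mark may not appear in the same
    attribute or value as a space or a question mark."""
    return not ('"' in text and (" " in text or "?" in text))


@dataclass(frozen=True)
class Condition:
    attribute: str
    operator: str
    value: str

    def __post_init__(self) -> None:
        for token in (self.attribute, self.value):
            if not is_valid_token(token):
                raise FilterError(f"{token!r} mixes double quotes with spaces or '?'")
        if self.operator not in OPERATORS:
            raise FilterError(f"unsupported operator {self.operator!r}")

    def matches(self, entry: dict) -> bool:
        """Evaluate the condition against one directory entry.
        LDAP attributes may be multi-valued, so values are normalised to a list;
        comparison is case-insensitive, as AD attribute matching usually is."""
        values = entry.get(self.attribute, [])
        if isinstance(values, str):
            values = [values]
        values = [v.lower() for v in values]
        wanted = self.value.lower()
        if self.operator == "equal":
            return wanted in values
        if self.operator == "not_equal":
            return wanted not in values
        return any(wanted in v for v in values)  # "contains"


def dynamic_members(conditions: list, entries: list) -> list:
    """Return, sorted, the cn of every entry that satisfies all conditions."""
    if len(conditions) > MAX_CONDITIONS:
        raise FilterError(f"at most {MAX_CONDITIONS} filtering conditions are allowed")
    return sorted(e["cn"] for e in entries if all(c.matches(e) for c in conditions))


# Constructed sample directory entries (not real data).
DIRECTORY = [
    {"cn": "alice", "department": "Finance",
     "memberOf": ["CN=VPN Users,OU=Groups,DC=example,DC=com"]},
    {"cn": "bob", "department": "Finance", "memberOf": []},
    {"cn": "carol", "department": "Engineering",
     "memberOf": ["CN=VPN Users,OU=Groups,DC=example,DC=com"]},
]

# Constructed filter: Finance staff who are also in the VPN Users group.
FINANCE_VPN = [
    Condition("department", "equal", "Finance"),
    Condition("memberOf", "contains", "CN=VPN Users"),
]


def finance_vpn_members() -> list:
    return dynamic_members(FINANCE_VPN, DIRECTORY)


if __name__ == "__main__":
    print("Finance VPN members:", finance_vpn_members())
    for token in ('"Sales Dept"', "Sales Dept", '"Sales"'):
        print(f"{token!r} valid: {is_valid_token(token)}")
```

The `Verify` step in the procedure plays the role of `dynamic_members` here: it evaluates the conditions against the live server so you can confirm the filter selects exactly the intended accounts before a policy references the group.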
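The Enable account sharing for this group parameter and the Authentication Conflict Setting it interacts with are easiest to reason about as a small state machine over online sessions. The following Python model is added here and is not part of the Huawei documentation or the FW's own code; the class names, the force_logout/reject_new labels and the sample users and addresses are constructed for this illustration, while the three behaviours it encodes (sharing allows concurrent IPs, a conflict either forces the online user out or rejects the new login, temporary users are always allowed multiple IPs) are those described above.

```python
"""Added example, not from the Huawei documentation: a model of the documented
behaviour of "Enable account sharing for this group" and of the two
Authentication Conflict Setting actions taken when an account that is already
online tries to log in from a second IP address. Class names, action labels
and sample users are constructed for this illustration."""
from __future__ import annotations
from dataclasses import dataclass, field

# The two documented conflict actions, under labels chosen here.
FORCE_LOGOUT = "force_logout"  # online user is logged out; new login succeeds
REJECT_NEW = "reject_new"      # online user is kept; new login fails


@dataclass
class SecurityGroup:
    name: str
    account_sharing: bool = False  # "Enable account sharing for this group"


@dataclass
class User:
    name: str
    group: SecurityGroup
    temporary: bool = False  # documented: temporary users always get multi-IP login


@dataclass
class Portal:
    conflict_action: str = REJECT_NEW
    online: dict[str, set[str]] = field(default_factory=dict)  # account -> online IPs

    def login(self, user: User, ip: str) -> tuple[bool, str]:
        """Authenticate user from ip and apply the multi-IP login rules."""
        ips = self.online.setdefault(user.name, set())
        if ip in ips:
            return True, "already online from this IP address"
        if not ips or user.temporary or user.group.account_sharing:
            ips.add(ip)
            return True, "login accepted"
        # Account is online elsewhere and sharing is disabled: a conflict.
        if self.conflict_action == FORCE_LOGOUT:
            ips.clear()
            ips.add(ip)
            return True, "online user at another IP address was forced to log out"
        return False, "account is already in use at another IP address"

    def online_ips(self, user: User) -> set[str]:
        return set(self.online.get(user.name, set()))


def scenario(conflict_action: str) -> dict[str, object]:
    """Run three constructed users through a portal with the given conflict
    action and return the outcomes (constructed sample data)."""
    finance = SecurityGroup("finance")  # sharing disabled
    kiosk_group = SecurityGroup("kiosk", account_sharing=True)
    alice = User("alice", finance)
    kiosk = User("kiosk", kiosk_group)
    guest = User("guest-0001", finance, temporary=True)

    portal = Portal(conflict_action)
    results: dict[str, object] = {}
    results["alice_first"] = portal.login(alice, "10.0.0.1")[0]
    results["alice_second"] = portal.login(alice, "10.0.0.2")[0]
    results["alice_ips"] = portal.online_ips(alice)
    results["kiosk_both"] = (portal.login(kiosk, "10.0.1.1")[0]
                             and portal.login(kiosk, "10.0.1.2")[0])
    results["kiosk_ips"] = portal.online_ips(kiosk)
    results["guest_both"] = (portal.login(guest, "10.0.2.1")[0]
                             and portal.login(guest, "10.0.2.2")[0])
    return results


if __name__ == "__main__":
    for action in (REJECT_NEW, FORCE_LOGOUT):
        print(action, scenario(action))
```

Reading the model: with sharing disabled, the conflict action decides whether a second login displaces the first session or is refused, so an account used from an unexpected address either becomes visible as a forced logout or as a failed authentication. Either outcome is worth alerting on, since both indicate the same credential in use from two places.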
Copyright © Huawei Technologies Co., Ltd.