User groups locally defined in Netskope

  • 21 November 2022

Badge +11



Hello good evening everyone, thanks for the collaboration and your time.


Reviewing the documentation, so far it indicates Active Directory or LDAP groups and/or Organizational Units (OU), but I have not seen, for environments where you do not have AD, a way to manage local groups, i.e. with locally defined users, to generate local groups and associate accounts in a personalized way and at the same time generate policies based on these custom local groups.
Is this technically feasible in Netskope?


Thank you, best regards


6 replies

Userlevel 4
Badge +12

I've asked for this numerous times over the past 2 years. This feature would save massive amounts of headaches in targeting certain users without going through all the headaches of AD/Okta groups (those also take time to sync). It would also allow us to add in non-Okta users (contractors) with their own groups. This would be such a huge win for customers.

Badge +4

Overview

Netskope has a standard SCIM API which can be used to create and manage custom groups and users within Netskope. This is how Azure AD, Okta, OneLogin, etc. manage users and groups. Keep in mind that any changes made within Netskope using the SCIM API would not be synced back to an identity source (e.g. Azure AD, Okta, etc.), which is why Netskope generally recommends using a standard SCIM-based identity solution.

Public Documentation for Creating a SCIM Token

https://docs.netskope.com/en/scim-based-user-provisioning.html

Public Documentation and Examples for Managing SCIM via API

https://documenter.getpostman.com/view/7998136/SVfNwVFT?version=latest#3c4f2b33-fa5f-4ab8-b7bb-363043750757
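
Added example, not part of the original thread or of Netskope's documentation: the SCIM calls described in the answer above, applied to the users and groups from the question. It assumes SCIM 2.0 core schemas and media type (RFC 7643/7644); the base URL and token passed to `http_send` are placeholders for the values from the tenant's SCIM settings, and `FakeScim` is a constructed in-memory stand-in so the example runs offline.

```python
import json
import urllib.request
import uuid

# Assumption: SCIM 2.0 core schema URNs (RFC 7643).
USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
GROUP_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:Group"

# Constructed sample data, following the group layout in the question.
GROUPS = {
    "Sales": ["usersales01@contoso.com", "usersales02@contoso.com"],
    "IT": ["userit01@contoso.com", "userit02@contoso.com"],
}

def http_send(base_url, token):
    """Return send(method, path, body) for a real endpoint (placeholder URL/token)."""
    def send(method, path, body):
        req = urllib.request.Request(
            base_url.rstrip("/") + path, data=json.dumps(body).encode(),
            method=method,
            headers={"Authorization": "Bearer " + token,
                     "Content-Type": "application/scim+json"})  # RFC 7644 type
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return send

def provision(groups, send):
    """Create each user once, then each group using the server-assigned user ids."""
    ids = {}
    for email in sorted({e for members in groups.values() for e in members}):
        user = {"schemas": [USER_SCHEMA], "userName": email, "active": True,
                "emails": [{"value": email, "primary": True}]}
        ids[email] = send("POST", "/Users", user)["id"]
    created = {}
    for name, members in groups.items():
        group = {"schemas": [GROUP_SCHEMA], "displayName": name,
                 "members": [{"value": ids[e]} for e in members]}
        created[name] = send("POST", "/Groups", group)["id"]
    return ids, created

class FakeScim:
    """In-memory stand-in for the SCIM service; records calls, assigns ids."""
    def __init__(self):
        self.log = []
    def __call__(self, method, path, body):
        self.log.append((method, path, body))
        return dict(body, id=uuid.uuid4().hex)

if __name__ == "__main__":
    fake = FakeScim()
    provision(GROUPS, fake)
    for method, path, body in fake.log:
        print(method, path, json.dumps(body))
```

Users and groups created this way exist only in Netskope, so the script's input file becomes the record of membership and should be kept under change control along with the SCIM token.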

Badge +11

@dtavernier

Hello, good evening:

Thank you for your reply and for your time

Mostly for clarification, there is no standard way to create, for example, X Netskope users based on mails, e.g.

usersales01@contoso.com, usersales02@contoso.com
userit01@contoso.com, userit02@contoso.com
usermerketing01@contoso.com, usermerketing02@contoso.com

Local Group defined in Netskope (not imported from an external directory, federated and/or IDP, fully local in Netskope):

Group - Sales: usersales01@contoso.com - usersales02@contoso.com
Group - IT: userit01@contoso.com - userit02@contoso.com
Group - Marketing: usermerketing@contoso.com - usermerketing02@contoso.com

And based on these groups, can real-time policies be created?

All this without Active Directory or User AD, or any other directory or server, just local groups defined in Netskope? Is this possible? Please confirm.

On the other hand, if Netskope's SCIM is used, what would be the requirements? Would it need some local on-premise internal server that somehow defines local groups and passes them to Netskope so they can then be used in Netskope? I am not entirely clear on that point.

Thanks for your help

Best regards

Userlevel 3
Badge +12

@MetgatzNK Yes, it is possible to create users and groups and add users to groups using Netskope SCIM.  Then these groups and users can be leveraged in policies.  I am currently working on a guide to demonstrate how to do this and can post it back to the community when it's completed.

Badge +11

Hello @myee, thank you for your collaboration.

 

I'm waiting for that guide.

 

Cheers

Userlevel 3
Badge +12

@MetgatzNK Here you go.  Can you give me some feedback after you've tried it out?  Also, I'm thinking about adding some scripting so what is in the guide can be done more in an automated fashion.
