Defining group membership criteria

After you add a new group, you need to define its membership criteria. Membership criteria are used to determine which discovered machines or users match specific attributes you specify for a group.

To define a group's membership criteria

  1. From the TLS Protect menu bar, click Clients > Client Group Settings, and then click a group name.

  2. Click the Membership Criteria tab, and then use the following table as a reference for choosing membership criteria for your group.

    Attributes Associated
    Group Type     		Description

    Client Type

     

    Depending on the group type of the group for which you're configuring membership criteria, this setting lets you select either an agentless or agent-based solution.

    TIP  You can only modify the client type when using the User and Device Certificate Issuance (Client Protect) group type. You cannot change the client type on any other group type.

    (Agent-based)

     

    Agent-based Certificate and Key Management

    Used with the Server Certificate and SSH products and utilizes the Venafi Server Agent.

    Use to limit group membership to Server Agent-enabled devices (where agents have already registered with Trust Protection Platform).

    (Agentless)

    Agentless SSH Key Management

    Used with the SSH product and uses remote SSH connections. No agent installations are required (agentless).

    DNS Name

     

    The fully qualified domain name (FQDN) of an agent. For example, server1.venafi.com.

    Environment[var]

     

    Includes the list of all environment variables defined under Record Environment Variables.

    For information about using environment variables with the Server Agent, see Configuring Environment Variables.

    When an agent checks in, Trust Protection Platform passes a list of requested environment variables configured under Record Environment Variables to the agent. The agent determines if any of those environment variables are defined on the system where it is installed. If so, the agent then returns the value for each environment variable.

    For example, if “Record Environment Variables” includes DEPT, Environment[DEPT] would appear in the Client Attribute list. In order to include all agents installed on systems with DEPT set to ENG, you would set Environment[DEPT] equal to ENG in the group membership criteria.

    Host Domain

     

    Refers to the domain portion of the DNS Name. For example, venafi.com is the host domain for a server with the DNS Name of server1.venafi.com. This attribute can be used to group all servers within a particular DNS domain.

    Hostname

     

    This is the hostname of the client. For example, server1 is the hostname of a client with a DNSName of server1.venafi.com.

    Member Of

     

    For user certificate work, use this attribute to select the Identity Groups containing users to whom you plan to assign work configured within the current Client Group Settings.

    IP

     

    This is the IP address of the client. In order to set a group rule that includes all clients on a Class C subnet, it is possible to use the Like operator with IP addresses specified in Classless Inter-Domain Routing (CIDR) notation. For example, IP Like 192.168.12.0/23 will include all of the clients on 192.168.12.x and 192.168.13.x in the group. Note that it is possible to specify either IPv4 or IPv6 addresses.

    MAC

     

    The media access control (MAC) address of an agent. For example, 00-50-56-B2-24-0C.

    OS Build

     

    The build number of the operating system where an agent has been installed.

    Not all operating systems provide build numbers.

    OS Name

     

    This is the high-level name of the operating system. The Condition Value field lists available operating systems.

    All listed operating system versions might not be supported for all ClientTypes. Refer to the agent documentation for a list of the supported operating systems.

    OS Service Pack

     

    Indicates the latest operating system service pack that is currently installed.

    OS Version

     

    Indicates the latest version of the operating system installed on the client computer. For example, you might specify 2.6.32.431 for a Linux system. It may be necessary to experiment in the lab with the specific versions of operating systems you have installed in your production environments to ensure that you specify the correct version. Once an agent has checked in in the lab, you can view the details of that agent to see the value of the operating system version that was returned by the agent.

    Serial Number

     

    The serial number of the client computer. Typically, serial numbers are available on systems that use proprietary hardware only.

    System Architecture

     

    Indicates the processor architecture (e.g., x64 or x86 for Intel-based systems).

    System Chassis

     

    The chassis type of the client. Typically, system chassis information is available only on systems that use proprietary hardware.

    System Manufacturer

     

    The hardware manufacturer of the underlying platform.

    For clients running as virtual machines, SystemManufacturer indicates the hypervisor manufacturer.

    System Model

     

    Indicates the model of the hardware or virtual machine.

    Trust Level

     

    Refers to the level of trust that the client received during initial registration.

    The following trust levels are available:

    0 = Untrusted

    50 = Specific Credential (This trust level is applied to agents that initially registered with a Credential)

    Username

     

    The name of the user account being used to run the agent, such as user1, administrator, root, etc.

    Virtual Machine ID

    		  

    The ID that is part of instance metadata for AWS EC2, Azure, and Google Cloud Platform.

    For VMware, it is a value that is assigned to the machine in SMBIOS.

    NOTE  There are some cases where the VMware virtual ID may not be universally unique based on setup.

  3. Select an operator, and then type the related item to filter for.

    These operators are based on common SQL operators and can be used in the same way. Some of the more frequently used operators include the following:

    • Equals: This is a comparison operator. The selected attribute is equal to the value you place in the Value box.
    • Not Equal: This is a comparison operator. The selected attribute is NOT equal to the value you place in the Value box.
    • In: Use to specify related identity groups containing users or machines to which you plan to assign work.

    • Like: Use to perform case-insensitive substring search. The value has to be contained in the attribute in order to match.

      A machine with a hostname myserver will be matched by:

      • hostname LIKE my
      • hostname LIKE server
      • hostname LIKE serv
      • hostname LIKE ver

  4. Do one or both of the following:

    • Click AND to add an additional rule.
    • Click OR to add an exclusive statement.
  5. When you are finished, click Save.

IMPORTANT  You must click Save before leaving this tab or you will lose your changes.

Related Topics Link IconRelated Topics