Zero Trust: Assign Access to Employees
Modified on: Tue, 25 Oct 2022 4:56 PM
This guide will show you how to assign ZTN (Zero Trust Network/Cloud Gen Access) permissions to specific employees for the resources that they require.
It is important that only employees who require access to resources are given access to Cloud Gen Access, and only to the specific resources required to perform their job. Providing too little access can be a detriment to an employee; providing too much access is a detriment to security. Regular access audits will be performed to verify ZTN access.
ZTN, or Zero Trust Network, is a method of securing access to company resources. Access is controlled by Azure AD group memberships that are assigned to specific resources. A table of resources and groups is provided for easy administration and identification.
Resource List
| Resource | Group | Description | Public FQDN |
| --- | --- | --- | --- |
| HPG \| NetSuite | ZTN \| HPG NetSuite | Provides protected access to NetSuite. All NetSuite users should be included in this policy. | netsuite.com |
| HPG \| Paylocity | ZTN \| HPG Paylocity | Provides protected access to Paylocity. All remote Paylocity users should be included in this policy. | paylocity.com |
| HSO \| DCCore | ZTN \| HSO DFS | Required for providing users access to the HandStands I:\ Drive | dchspcore.handstands.local |
| HSO \| DCHSPa | ZTN \| HSO DFS | Required for providing users access to the HandStands I:\ Drive | dchspa.handstands.local |
| HSO \| DFS Root | ZTN \| HSO DFS | Required for providing users access to the HandStands I:\ Drive | handstands.local |
| HSO \| RDSH | ZTN \| HSO RSH | Provides Remote Desktop Access to HandStands Remote Desktop Session Host | rsh.hso.one |
| HSO \| SFSHSPa SMB | ZTN \| HSO DFS | Required for providing users access to the HandStands I:\ Drive | sfshspa.handstands.local |
| HSO \| SYN DSM | *Admin Group Only* | Provides access to the Synology DSM. This is primarily an Admin Only tool, though it occasionally is utilized as a backup to remote desktop session hosts when necessary | hsosyn.hpg.one |
| HSO \| SYN SMB | ZTN \| HSO DFS | Required for providing users access to the HandStands I:\ Drive | syn-hsp-01.handstands.local |
| HSO \| SonicWall | *Admin Group Only* | Provides access to the HandStands SonicWall admin interface | hso-sonicwall.hpg.one |
| HSO \| vCenter HTTPS | *Admin Group Only* | Provides access to the HandStands vCenter environment | sapvcenter.handstands.local |
Note: Links may need to be created that point to the FQDN for specific services. For example, for HSO | RDSH, which is for the HandStands Remote Desktop Session Hosts, you will have to create a remote desktop file that uses rsh.hso.one as the target machine.
Group List
| Group | Description |
| --- | --- |
| ZTN \| HPG NetSuite | Provides protected access to NetSuite. All NetSuite users should be included in this policy. |
| ZTN \| HPG Paylocity | Provides protected access to Paylocity. All remote Paylocity users should be included in this policy. |
| ZTN \| HSO DFS | Required for providing users access to the HandStands I:\ Drive |
| ZTN \| HSO RSH | Provides Remote Desktop Access to HandStands Remote Desktop Session Host |
| ZTN \| Admins | Provides access to IT admin resources |
To add an employee to a group, follow the steps below:
- Log on to aad.portal.azure.com
- Go to Groups
- Search for "ZTN"
- Edit the group you are adding to by clicking on the group name
- Click Members
- Click Add Members
- Search for and select the target Employee
- Click the Select button
- Refresh the screen after 15-60 seconds to verify the employee was added to the group
Within 15-60 minutes the target employee should be able to access the resources through Cloud Gen Access.
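
For the regular access audits mentioned at the top of this guide, the following added example (not part of the original guide) compares current ZTN group membership against an approved list and reports members to remove or add. It assumes the Microsoft Graph PowerShell module for live collection; the function names `Compare-ZtnAccess` and `Get-ZtnActual`, the `example.com` users and the approved list are hypothetical or constructed sample data.

```powershell
# Added example: compare current ZTN group membership with an approved list.
# Group names are from this guide; users and lists are constructed samples.

function Compare-ZtnAccess {
    param(
        [Parameter(Mandatory)] [hashtable] $Approved,  # group -> approved UPNs
        [Parameter(Mandatory)] [hashtable] $Actual     # group -> current UPNs
    )
    $groups = @($Approved.Keys) + @($Actual.Keys) | Sort-Object -Unique
    foreach ($group in $groups) {
        # A group missing from either side is treated as an empty list
        $want = @($Approved[$group] | Where-Object { $_ })
        $have = @($Actual[$group]   | Where-Object { $_ })
        foreach ($upn in $have) {
            if ($upn -notin $want) {   # -notin compares case-insensitively
                [pscustomobject]@{ Group = $group; User = $upn; Finding = 'Not approved: remove' }
            }
        }
        foreach ($upn in $want) {
            if ($upn -notin $have) {
                [pscustomobject]@{ Group = $group; User = $upn; Finding = 'Approved but missing: add' }
            }
        }
    }
}

# Live collection (assumes Microsoft.Graph is installed and you have run
# Connect-MgGraph -Scopes 'Group.Read.All','User.Read.All').
function Get-ZtnActual {
    $actual = @{}
    foreach ($g in (Get-MgGroup -Filter "startswith(displayName,'ZTN')" -All)) {
        # Members without a userPrincipalName (nested groups, devices) are skipped
        $actual[$g.DisplayName] = @(Get-MgGroupMember -GroupId $g.Id -All |
            ForEach-Object { $_.AdditionalProperties['userPrincipalName'] } |
            Where-Object { $_ })
    }
    $actual
}

# Constructed sample data so the comparison runs offline
$approved = @{
    'ZTN | HPG NetSuite' = @('alice@example.com', 'bob@example.com')
    'ZTN | HSO DFS'      = @('alice@example.com')
}
$actual = @{
    'ZTN | HPG NetSuite' = @('alice@example.com')
    'ZTN | HSO DFS'      = @('alice@example.com', 'carol@example.com')
    'ZTN | Admins'       = @('carol@example.com')
}
Compare-ZtnAccess -Approved $approved -Actual $actual | Format-Table -AutoSize
```

To audit the live tenant, pass `-Actual (Get-ZtnActual)` instead of the sample hashtable.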