AD Groups in and EMS policies

Question

Hello all, I am looking for some assistance regarding using AD groups in EMS policies. My scenario is as follows: I have created a security group for people allowed to use dropbox and configured the web filter and application filter appropriately. I have also created a security group to be allowed to use certain AI applications only and configured the filters appropriately. Based on what I have read is where I am hitting an issue:

“Priority-Based Evaluation: EMS typically allows administrators to assign priority levels to different policies. If a user belongs to multiple groups (e.g., both "Standard Staff" and "Remote Workers"), EMS applies the configuration set by the policy with the highest priority.”

If reading this correctly, if I am a member of both security groups, I will use the first policy I match with highest priority. So if I put the “allow dropbox” rule first that also blocks the AI Apps, I will not hit the “allow AI apps profile” that follows. Is there a way to control this a different way?

FortiGator · Accepted Answer

AEK - Thanks for the feedback and sorry it took a bit for me to get back to you. That makes total sense and is so unbelievably easy. I was definitely over thinking this one.

AEK · Answer

Hi GatorHere you must create a new AD group (e.g.: Remote Standard Staff) that includes users who are allowed both dropbox and AI apps, then you put their policy on top.

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded