User Guide
HENNGE Access Control Test Case
Step 1 – Please login to the Access Control Admin Console with an administrator’s account, at https://ap.ssso.hdems.com/admin/your.domain
Step 2 – Click on the “New Access Policy Group” to create a new access policy,
Step 3 – Enter the related information of a new access policy
Please enter your access policy condition according to the rule template instruction manual.
Please name the new access policy group as “Test Policy Group”.
Please enter your company public IP in the format as “ip4:xxx.xxx.xxx.xxx” in the field “Condition to allow access”. The “111.111.111.111” is only an example IP address, please do not enter. In order to restrict access to users that have Pass Cookies, please add the “has_pass:true” as a required condition for users locating outside the company network.
Please enter “login_name:test” in the fields “Condition to change OTP secret”, “Condition to change OTP notification email” and “Condition to access to secure browser control panel” for the granting the user “test” the permission to configure OTP, OTP Notification Email Settings and Secure Browser Control Panel. “false” is to ensure that only the user “test” has the permission to make the changes.
Step 4 – Delegating an existing user to the “Test Policy Group”.
Click on the “Edit” icon to configure an existing user account:
Select the “Test Policy Group” that was previously created under the field “Access Policy Group” and click on “Save” to finish the setup.
Step 5 – Setup the Pass-Cookie Issue condition
Click on the “Domain Setting”, “Other Settings” and then click on the “Edit” button.
Select the “Enable” and enter the “ip4:111.111.111.111” in the field. Click on “Save”.
After you have created the new "Access Policy Group" and configured the user “test”, you are ready to test the login.
Access Control Testing (Access Policy Group)
A1. Can I login from an external IP network without a Pass-Cookie?
“No”, according to the “Test Policy Group”, users not in the company network and does not possess a Pass-Cookie are not allowed to login.
Step 1 – Connect from an external IP network.
In this example, the corporate network is “111.111.111.111”, so please login from any network except the “111.111.111.111” IP address.
Step 2 – Login to any cloud service such as the Access Control User Console at the URL
https://ap.ssso.hdems.com/portal/your.domain/login
You will be denied access because “Test Policy Group” does not allow users to access from an external network without a Pass-Cookie.
A2. Can I login to the cloud service from an external network with a Pass-cookie?
“Yes”, according to the access policy group, users are allowed to login from an external IP with a Pass-Cookie.
Step 1 – Connect to the internet from the corporate network.
In this example, the corporate network is “111.111.111.111”, thus please connect to the internet within the corporate network with the IP address “111.111.111.111”.
Step 2 – Obtain a Pass-Cookie by logging to a Cloud service.
For example, you can login to the Access Control User Console at https://ap.ssso.hdems.com/sso/your.domain/login
When users are successfully logged in, the system will issue a Pass-Cookie saved in the browser for the user to login to the cloud services from an external network. You can extend the life-span of the Pass-Cookie; however, the Pass-cookie has an expected life-span of 7 days in this example.
Step 3 – Connect to the internet outside the corporate network.
In this example, the corporate network is “111.111.111.111”, thus please connect to the internet outside of the “111.111.111.111” IP address.
Step 4 – Login to any cloud service to test the access.
You will be able to successfully login despite being outside the corporate network, because you possess a valid Pass-Cookie.
A3. Will I be asked to enter an OTP PIN when login from an external network with a Pass-cookie?
“Yes”, according to the “Test Policy Group”, users possessing a Pass-cookie will be able to login from an external network without entering OTP PIN.
Step 1 – Connect to the internet outside the corporate network.
Step 2 – Login to any cloud service
You will be granted access if you fulfill one of the conditions below:
1)Connecting from an internal network or
2)Possessing a Pass-Cookie
Because the test user has previously been granted a Pass-cookie in the company network, the test user will not be asked to enter an OTP PIN in order to access.
If the “Test Policy Group” has the following configuration:
If “has_pass:true” was replaced with “false”, the only OTP-free condition will be connecting from the corporate network.
A4. Can I Access the OTP Settings interface?
“Yes”, according to the “Test Policy Group”, the user “test” has the special permission to access the OTP settings interface (login_name:test).
Login to your Access Control User Console https://ap.ssso.hdems.com/sso/your.domain/login
Because the “Test Policy Group” has the following settings, the user “test” will have the access permission to make changes on the OTP settings interface.
You will be able to find “OTP (One-Time Password) settings” in the user console.
Click on the “OTP (One-Time Password) settings” in order to enter the OTP settings interface.
A5. Can I change the OTP notification Email Address?
“Yes”, according to the “Test Policy Group”, the user “test” has the special permission to edit the OTP notification E-mail (login_name:test).
Login to your Access Control User Console
Because the “Test Policy Group” has the following settings, the user “test” will have the permission to make changes on the OTP notification Email Address.
You will be able to find “OTP (One-Time Password) settings” in the user console after login.
Click on the “OTP (One-Time Password) settings” to enter the OTP settings interface.
Please note that if the “Test Policy Group” is configured as below:
such configurations will mean that no users will be able to access the “OTP (One-Time Password) settings” in the user console.
As a result, the user console will look like the one below:
A6. Can I Access the Secure Browser settings interface?
“Yes”, according to the “Test Policy Group”, the user “test” will have the access permission to make changes on the HENNGE Secure Browser settings interface.
Login to the Access Control User Console
Because the “Test Policy Group” has the following settings, the user “test” will have the permission to make changes on the HENNGE Secure Browser settings interface.
After login, you will find the “HENNGE Secure Browser settings” in the User Console.
Click on the “HENNGE Secure Browser settings” to enter the HENNGE Secure Browser settings interface.
A7. What activities can I find in the Access Log?
You will be able to find detail information such as Login date, time, username, IP Address, Type and Login Status regarding each Login Access.
- Login Authorized: The user has successfully logged in by entering the correct username and password.
- Incorrect Password: The user has entered the incorrect password and is unable to login.
- Locked Out: The user has attempted to login but failed and exceeded the “Allowed failed logins” configured by the administrator.
- Denied by Access Policy: The user has entered the correct username and password but is unable to access because he/she has not met the conditions needed by the Access Policy Group.
A8. How do I register multiple users at once?
If you wish to register multiple users at quickly, please refer to this article: HENNGE Access Control Admin Console Guide : User Settings (Access Policy Groups)