The PGP Encryption Server (Symantec Encryption Management Server) allows you to control how users and devices are sorted into groups.
This article will go over grouping in general terms and offer guidance on this topic.
Users and devices are classified as Consumers on the PGP Encryption Server.
You can sort consumers into groups by user type, domain membership, dictionary entries or through LDAP values.
Consumers must match your requirements to become members of the group.
This article details how to sort users and devices into PGP Encryption Server Groups.
Method 1 of 2: Automatic Grouping via Matching Criteria
Step 1. Log in to the PGP Encryption Server's web console.
Step 2. On the Groups page, select the group you want to edit. The Group Details page appears.
Step 3. Click Group Settings then select the Membership tab.
Step 4. Determine the method by which the Consumers of the group will be matched. The options are:
Step 5. Place a checkmark next to Enable Match Consumers by Domain, Dictionary, or Type to enable this option.
This option allows you to sort consumers into the group by matching the specified criteria. You can use this in conjunction with LDAP directory matching.
Step 6. From the drop-down menu, select the criteria you want to match. Add as many criteria as necessary.
To use the Directory Synchronization option, place a checkmark next to Enable Match Consumers Via Directory Synchronization. This allows you to sort consumers into the group by matching LDAP directory values.
Note: In order to enroll users with their Active Directory Credentials, or group users based on AD Attributes, Directory Synchronization must be enabled. You can use this in conjunction with domain, dictionary, and type matching.
Step 7. For All LDAP Directories, use attribute and value pairs that are common to all the LDAP directories to which the PGP Server refers. Leave this empty if you do not want to use attributes associated with global LDAP directories. Choose whether you want all or any of the attribute and value pairs to be true and apply to the consumer to make the consumer a member of the group.
Step 8. For any LDAP Directory, use attribute and value pairs that are specific to the LDAP directory you choose. Add as many directories as needed. Choose whether you want all or any of the attribute and value pairs to be true and apply to the consumer to make the consumer a member of the group.
Note: You may also choose to Enable Match disabled Active Directory users to add users disabled in Active Directory to the group. Matching Active Directory disabled users receive the same policy and permissions as all other group members.
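Before entering attribute and value pairs in Steps 7 and 8, it helps to preview in the directory which accounts they would select. The following is an added example, not Symantec's code or the server's own matching logic: it builds an LDAP search filter from the pairs with "all" or "any" semantics and, by default, excludes disabled Active Directory accounts. The function names and sample pairs are hypothetical, and the server's matching may differ in details such as case handling.

```python
# Added example: build an LDAP filter to preview which directory entries
# a set of group-membership attribute/value pairs would select.
# Function names and sample values are hypothetical (constructed for illustration).

# Characters that must be escaped inside an LDAP filter value (RFC 4515).
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

# Active Directory bitwise-AND matching rule; value 2 in userAccountControl
# is the ACCOUNTDISABLE flag.
_AD_DISABLED = "(userAccountControl:1.2.840.113556.1.4.803:=2)"


def escape_value(value):
    """Escape a literal value so it cannot change the filter's structure."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_preview_filter(pairs, match="all", include_disabled=False):
    """Return an LDAP filter string for (attribute, value) pairs.

    match="all": every pair must be true; match="any": at least one pair.
    include_disabled=False adds a clause that drops disabled AD accounts.
    """
    if not pairs:
        raise ValueError("at least one attribute/value pair is required")
    if match not in ("all", "any"):
        raise ValueError("match must be 'all' or 'any'")
    terms = []
    for attr, value in pairs:
        # Attribute names are restricted to ASCII letters, digits and hyphens.
        if not attr or not all(c.isascii() and (c.isalnum() or c == "-") for c in attr):
            raise ValueError(f"invalid attribute name: {attr!r}")
        terms.append(f"({attr}={escape_value(value)})")
    if len(terms) == 1:
        criteria = terms[0]
    else:
        op = "&" if match == "all" else "|"
        criteria = f"({op}{''.join(terms)})"
    if include_disabled:
        return criteria
    return f"(&{criteria}(!{_AD_DISABLED}))"


# Constructed sample pairs; replace with the pairs planned for the group.
SAMPLE_PAIRS = [("department", "Finance"), ("company", "Example (EU)")]

if __name__ == "__main__":
    print(build_preview_filter(SAMPLE_PAIRS, match="all"))
    print(build_preview_filter(SAMPLE_PAIRS, match="any", include_disabled=True))
```

Run the printed filter with a directory search tool such as ldapsearch and compare the result with the membership you expect. Comparing the output with and without include_disabled shows which disabled accounts would join the group if Enable Match disabled Active Directory users were selected.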
Method 2 of 2: Grouping users into Custom Groups Manually (Assigning users to Groups individually)
Step 1. Log in to the PGP Encryption Server's web console.
Step 2. On the Groups page, select the custom group you want to edit. The Group Details page appears.
Step 3. Click Users, "View" option.
Step 4. Now click on "Add Users..." and start typing the name of the user until it auto-populates.
Step 5. Click the user that popped up and they will now show up in the "Name" field. Then click "Save" to add them.
Step 6. The user may not show up immediately. Wait a few minutes for them to appear.
Note: It all depends on how many users you have in total on the PGP Encryption Server, but they should show up in a reasonable amount of time.
In this way, only the users you add to groups will be mapped.
Note: Users can be part of multiple groups, but they will receive the policy associated with the first group they are part of.
If you are using File Share Encryption, you will get the Group key for all the groups the user is part of.
For more information on Group Keys and File Share Encryption, see the following articles:
180791 - Symantec File Share Encryption Group Key FAQ's
161242 - Encrypting network file shares to Group Keys with Symantec File Share Encryption
Troubleshooting:
Usually grouping works fairly quickly, but if you have waited an appropriate amount of time and are still not seeing the grouping work, reach out to Symantec Encryption Support.
EPG-24718, EPG-29401, EPG-29673