Best practice suggestions for Defender policies.
Defender policies can be applied in various places: to the DSS object; to the Access Node; to a user or group. Where you apply the policies can have an impact on the behaviour a user sees when authenticating with a token.
An ideal practice is to apply your policy to an Access Node so that the users and groups on the "Members" tab of the Access Node inherit that policy. Users will inherit policies from anywhere it is assigned that applies to them. For example, if a policy is assigned to an Access Node and the user is a member, the user will inherit that policy. If a policy is applied to a group of which the user is a member, then the user will inherit the policy settings.
Determining which policies are applied to a user or group can be done from the "Policy" tab for the object:
- Open the properties for the object and select the "Policy" tab
- A "Policy Summary" is available from this tab. Clicking the "Effective" button will bring up a dialog showing the effective policy and where it's coming from
Be sure to test authentication with token-assigned users to determine that the applied policy or policies is having the desired effect.