Endpoint groups
An Endpoint group is a collection of Xshield-managed endpoint assets (user assets) that share common access requirements. User assets can be grouped by multiple criteria such as user identities, asset attributes, and network segments. Grouping user assets lets you use the Visualizer and Policy Builder features of Xshield for the associated Endpoint groups.
Endpoint groups - grouping criteria
Endpoint groups can be created based on one or more criteria. Multiple criteria are combined with a logical AND, so the group contains only the assets that meet all of them.
| Criterion | Description | Supported operators |
|---|---|---|
| Users (mandatory) | Groups or departments to which the users belong. You can use the groups and departments fetched from the Identity Provider (IdP) integrated with the instance or create custom User groups in Xshield. | are, are not |
| Scope | Scope tags of the Asset Managers who will manage the assets in the group. | |
| Asset attributes | Asset attributes available for grouping assets in Xshield. Attributes include inventory details collected by the agents on the assets (such as System OS and System Model) and the Xshield tags assigned to the asset. | are, are not |
| Subnets | Subnets where the user assets are located | |
Endpoint group page
All Endpoint groups in an instance are listed on the Groups > Endpoint page. For each Endpoint group, the page shows the name and description, the number of local and remote assets, and the Xshield policies associated with the group.
- Click an Endpoint group to see its details in the fly panel.
- Click Add Policy in the Assigned Policies column to create and enforce Xshield policies on the Endpoint group.
- Click the number in the Assigned Policies column to see the policies that are currently assigned to the Endpoint group.
Create Endpoint groups
Decide upon the criteria by which you want to group the user assets managed from the instance.
For example, group assets with User groups=Sales and System OS=Windows to grant these assets access to Sales app workloads managed from Xshield.
- Go to Groups > Endpoint.
- Click Create Endpoint Group.
- In the Name text box, enter a name for the Endpoint group.
- Add a useful description.
- In the Users area, click Add, select User Groups or User Departments, and add the names of the groups or departments.
- In the Scope area, click Add and add the Asset Manager scopes for user assets in the group.
- In the Auto Quarantine area, select one or more Xaccess Quarantine templates.
- In the Attributes area, click Add and add one or more attributes.
- In the Subnets area, click Add and add one or more subnets in the Classless Inter-Domain Routing (CIDR) format.
- Click Save.
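To check which assets a set of criteria would select before saving a group, the AND semantics and the are / are not operators can be modeled offline. The Python sketch below is an added illustration, not Xshield code or its API: it extends the Sales and Windows example with a second Users condition and a subnet, and it omits the Scope criterion. The key names, the inventory, and the rule that several values in one criterion are alternatives are assumptions.

```python
import ipaddress

USER_KEYS = {"user_groups", "user_departments"}  # hypothetical key names

class EndpointGroup:
    def __init__(self, name, conditions, subnets=()):
        # conditions: (key, operator, values) tuples; operator is "are" or "are not"
        if not any(key in USER_KEYS for key, _, _ in conditions):
            raise ValueError("the Users criterion is mandatory")
        for _, op, _ in conditions:
            if op not in ("are", "are not"):
                raise ValueError(f"unsupported operator: {op!r}")
        self.name = name
        self.conditions = [(k, op, set(v)) for k, op, v in conditions]
        # strict=True rejects a CIDR with host bits set, such as 10.20.1.5/24
        self.subnets = [ipaddress.ip_network(s, strict=True) for s in subnets]

    def contains(self, asset):
        # Every criterion must hold (logical AND across criteria).
        for key, op, values in self.conditions:
            # Assumption: several values in one criterion are alternatives.
            hit = bool(values & set(asset.get(key, ())))
            if hit != (op == "are"):
                return False
        if self.subnets:
            ip = ipaddress.ip_address(asset["ip"])
            return any(ip in net for net in self.subnets)
        return True

def preview(group, assets):
    """Return the names of the assets the group's criteria would select."""
    return [a["name"] for a in assets if group.contains(a)]

# Constructed inventory, not real data.
ASSETS = [
    {"name": "lt-001", "user_groups": ["Sales"], "System OS": ["Windows"], "ip": "10.20.1.15"},
    {"name": "lt-002", "user_groups": ["Sales"], "System OS": ["macOS"], "ip": "10.20.1.16"},
    {"name": "lt-003", "user_groups": ["Sales", "Contractors"], "System OS": ["Windows"], "ip": "10.20.1.17"},
    {"name": "lt-004", "user_groups": ["Sales"], "System OS": ["Windows"], "ip": "192.168.7.4"},
    {"name": "lt-005", "user_groups": ["Finance"], "System OS": ["Windows"], "ip": "10.20.1.18"},
]
SALES_WINDOWS = EndpointGroup("Sales-Windows", [
    ("user_groups", "are", ["Sales"]),
    ("user_groups", "are not", ["Contractors"]),
    ("System OS", "are", ["Windows"]),
], subnets=["10.20.1.0/24"])

if __name__ == "__main__":
    print(preview(SALES_WINDOWS, ASSETS))
```

Each added criterion can only shrink the result, so dropping the subnet from this group widens it to include lt-004.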
Edit Endpoint groups
Edit the details of an Endpoint group when you want to add user assets that match other criteria to the group.
- Click an Endpoint group, and then click Edit in the fly panel.
Endpoint groups can also be edited to restrict access to some user assets. For example, adding a Location tag restricts access to only the assets from the location.
Delete Endpoint groups
Delete an Endpoint group from the instance when you no longer need to group the user assets. As a prerequisite, you must delete the Access policies assigned to the Endpoint group from the Policies > Access Policies page or the Visualizer > Policy Builder page.
Deleting an Endpoint group also makes the Visual Explorer, Flow Explorer, and Policy Builder features unavailable for the Endpoint group.
- Click an Endpoint group, and then click Delete in the fly panel.
Next steps
- Use Policy Builder to build Xshield policies to access the apps and services in the Workload groups and network resources in the Domain groups and Network groups.