BMS Authorization Rules

Policy Set Structure

Policy Set: BMS-Segmentation
├── Authentication Policy
│   └── MAB for BMS devices
├── Authorization Policy
│   ├── BMS-HVAC: HVAC DACL
│   ├── BMS-Lighting: Lighting DACL
│   ├── BMS-Access-Control: Access DACL
│   └── Default: DenyAccess

ISE evaluates the authorization rules top down and stops at the first match, so the DenyAccess rule has to stay last and has to stay deny: a device that is not yet profiled, or an attacker spoofing a controller's MAC address (which MAB cannot detect), must fall through to a reject rather than onto the BMS VLAN. With MAB as the only authentication method, the DACL attached to each profile is the control that limits what a spoofed address can reach.

Authorization Conditions

By Endpoint Group

IdentityGroup:Name EQUALS Endpoint Identity Groups:BMS-Devices:BMS-HVAC

The endpoint is placed in BMS-HVAC either by a static assignment to its MAC address or by a profiler policy with "create matching identity group" enabled. A static assignment persists even if the endpoint later profiles as something else, so it is the weaker of the two conditions.

By Profile

EndPoints:EndPointPolicy EQUALS BMS-HVAC-Controller

BMS-HVAC-Controller is not a built-in profiler policy, so it must be created (with its own profiling rules and minimum certainty factor) before this condition can match; until the endpoint has been profiled it falls through to the default rule.

Authorization Profiles

BMS_HVAC_Access

Name: BMS_HVAC_Access
Access Type: ACCESS_ACCEPT
VLAN: 100 (BMS VLAN)
DACL: BMS-HVAC-DACL

BMS_Supervisor_Access

Name: BMS_Supervisor_Access
Access Type: ACCESS_ACCEPT
VLAN: 100
DACL: BMS-Supervisor-DACL

Both profiles land the session on VLAN 100, so the VLAN does not separate controllers from operator stations; the DACL does. Each DACL therefore needs explicit permits for the protocols the role requires followed by a deny, never a permit ip any any, and the access switch needs IP device tracking enabled so it can substitute the client address for the DACL's "any" source.

Sample Rules

Rule Name: HVAC-Controllers
Conditions:
  EndPoints:EndPointPolicy EQUALS BMS-HVAC-Controller
Then:
  BMS_HVAC_Access

Rule Name: BMS-Management-Station
Conditions:
  <AD join point>:ExternalGroups EQUALS <domain path>/BMS-Operators
Then:
  BMS_Supervisor_Access

The management-station rule matches an Active Directory group, which ISE only populates for a session that authenticated against the AD join point (802.1X with a user or machine credential). The policy set above lists MAB as its only authentication method, so as written this rule never matches and the operator workstation receives DenyAccess; add an 802.1X authentication rule that uses the AD join point (or put the workstations in their own policy set) before relying on it.
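As an added example, not ISE's own code or an ISE export: the following Python models the policy set above offline, so the first-match and default-deny behaviour of the rules can be checked before anything is changed in ISE, and lints the DACLs the authorization profiles reference. The rule names and profiles are taken from this page; the DACL bodies, the 10.100.0.0/24 BMS VLAN addressing, the supervisor host 10.100.0.10, BACnet/IP on UDP 47808 as the HVAC protocol, and the Session fields are assumptions for illustration.

```python
"""Offline model of the BMS-Segmentation policy set.

Added example, not ISE's own code or an ISE export. Rules and authorization
profiles are transcribed from the page; DACL contents, addressing and the
Session fields are assumptions for illustration.
"""
import re
from dataclasses import dataclass

# Authorization profiles from the page (VLAN 100 for both; the DACL does the segmentation).
AUTHZ_PROFILES = {
    "BMS_HVAC_Access": {"access": "ACCESS_ACCEPT", "vlan": 100, "dacl": "BMS-HVAC-DACL"},
    "BMS_Supervisor_Access": {"access": "ACCESS_ACCEPT", "vlan": 100, "dacl": "BMS-Supervisor-DACL"},
}

# Constructed DACL bodies in Cisco IOS extended-ACL syntax (assumed; the page only names them).
# In a dACL the source is written as "any"; the switch substitutes the authenticated host.
DACLS = {
    "BMS-HVAC-DACL": """
permit udp any host 10.100.0.10 eq 47808
permit udp any eq 47808 host 10.100.0.10
permit udp any host 10.100.0.10 eq 123
deny ip any any
""",
    "BMS-Supervisor-DACL": """
permit udp any 10.100.0.0 0.0.0.255 eq 47808
permit tcp any 10.100.0.0 0.0.0.255 eq 443
permit tcp any 10.100.0.0 0.0.0.255 eq 22
deny ip any any
""",
}


@dataclass
class Session:
    """The session attributes the rules look at (assumed subset of what ISE carries)."""
    auth_method: str            # "mab" or "dot1x"
    endpoint_policy: str = ""   # EndPoints:EndPointPolicy from the profiler
    ad_groups: tuple = ()       # ExternalGroups; only populated by an AD-backed dot1x auth


# Ordered authorization rules from the page: (name, condition, authorization profile).
RULES = [
    ("HVAC-Controllers",
     lambda s: s.endpoint_policy == "BMS-HVAC-Controller",
     "BMS_HVAC_Access"),
    ("BMS-Management-Station",
     lambda s: "BMS-Operators" in s.ad_groups,
     "BMS_Supervisor_Access"),
]
DEFAULT_PROFILE = "DenyAccess"


def authorize(session: Session):
    """First match wins, top to bottom; anything unmatched hits the default deny."""
    for name, condition, profile in RULES:
        if condition(session):
            return name, profile
    return "Default", DEFAULT_PROFILE


def lint_dacl(text: str):
    """Findings for one DACL body: any-to-any permits and a missing final explicit deny."""
    aces = [line.strip() for line in text.strip().splitlines()
            if line.strip() and not line.strip().startswith("!")]
    findings = []
    for ace in aces:
        if re.fullmatch(r"permit\s+(ip|tcp|udp)\s+any\s+any", ace):
            findings.append(f"over-permissive entry: {ace}")
    if not aces or aces[-1] != "deny ip any any":
        findings.append("missing explicit 'deny ip any any' as the final entry")
    return findings


def lint_policy():
    """Check that every rule references a defined profile and every profile a defined, tight DACL."""
    findings = []
    for rule_name, _, profile in RULES:
        if profile not in AUTHZ_PROFILES:
            findings.append(f"{rule_name}: unknown authorization profile {profile}")
    for profile_name, profile in AUTHZ_PROFILES.items():
        dacl = profile["dacl"]
        if dacl not in DACLS:
            findings.append(f"{profile_name}: DACL {dacl} is not defined")
            continue
        findings += [f"{dacl}: {f}" for f in lint_dacl(DACLS[dacl])]
    return findings


if __name__ == "__main__":
    # A profiled HVAC controller on MAB, an operator workstation on dot1x, and the
    # same workstation mistakenly authenticated via MAB (so it carries no AD groups).
    for s in (Session("mab", endpoint_policy="BMS-HVAC-Controller"),
              Session("dot1x", ad_groups=("BMS-Operators",)),
              Session("mab")):
        print(s.auth_method, "->", authorize(s))
    print("policy findings:", lint_policy())
    print("loose DACL findings:", lint_dacl("permit ip any any"))
```

Run directly, the three sessions resolve to BMS_HVAC_Access, BMS_Supervisor_Access and DenyAccess, the last one showing why the operator rule needs an 802.1X authentication path. The lint reports a missing final deny even though the switch applies an implicit deny at the end of a dACL; the explicit entry is there so the intent is reviewable, not because it changes the forwarding result.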