Policy Group Management
Introduction

Policy groups are at the core of the Nile Trust Service. They define how users, devices, and applications are logically segmented for access control. By classifying endpoints based on identity, device type, or context, administrators can apply policies that align with the enterprise's security posture without relying on traditional VLANs or static segmentation.

Understanding Policy Groups

A policy group represents a collection of endpoints that share common access requirements. Each endpoint belongs to exactly one policy group, ensuring that its access policies are clear and deterministic. The trust engine automatically evaluates each user or device during onboarding and assigns it to the most appropriate group based on predefined classification rules.

Group types

- User groups – endpoints tied to an authenticated user; commonly used for employees, guests, and contractors.
- Device groups – endpoints such as printers, cameras, or IoT devices that are not associated with user identities.
- Application groups – destination endpoints that represent private or public applications.

Default system groups

Nile automatically creates several predefined groups to simplify configuration:

- Local – all endpoints inside the Nile service block.
- External – all endpoints outside the service block.
- Intranet – the enterprise's private address space as defined by RFC 1918.
- Internet – public destinations outside the intranet.
- Unclassified – endpoints that do not match any defined group.
- Quarantine – devices that fail validation or posture checks.

These groups are recognized across the Trust Service and can be used as sources or destinations in policy definitions.

Classification Logic

When an endpoint joins the network, it undergoes classification based on the rules defined for policy groups. The trust engine evaluates the endpoint against user-based criteria first, followed by device-based criteria. If a match is found, the endpoint is assigned to that group. If multiple matches exist, the system prioritizes the most specific group based on rule ordering. If an endpoint does not match any criteria, it becomes part of the Unclassified group. Devices that fail posture or validation checks are assigned to the Quarantine group.

Managing Policy Groups in Nile Control Center

Administrators can create and manage policy groups in the Nile Control Center interface. Each group includes the following configurable parameters:

- Name and description – human-readable identifiers for easy management.
- Group type – user, device, or application.
- Matching criteria – identity attributes (such as SCIM or RADIUS), network segment, MAC address, or device fingerprint.
- Validation settings – for Enterprise tier customers, continuous validation checks can be enabled using SNMPv3, HTTPS, or SSH to confirm device authenticity.

Creating a policy group

1. Navigate to Trust Service > Policy Groups in Nile Control Center.
2. Select Create Group.
3. Choose the group type (user, device, or application).
4. Define the match criteria and optional validation settings.
5. Save the configuration.

Once saved, the new group is applied automatically across all Nile service blocks in the tenant.

Modifying policy groups

Existing groups can be edited to adjust criteria or metadata. When classification criteria are changed, the trust engine recalibrates endpoints in real time, ensuring they remain properly categorized.

Reassignment and recalibration

Administrators can manually assign or unassign endpoints to specific groups. When unassigned, an endpoint returns to the Unclassified group until it is reassigned or reclassified. Recalibration also occurs automatically when:

- group criteria are updated
- a new group is created or deleted
- group ordering changes

Unclassified and Quarantine Groups

Endpoints in the Unclassified or Quarantine groups require attention from administrators.

Unclassified – devices or users that do not meet any defined criteria. By default, they have limited access to infrastructure services like DHCP and DNS; additional access requires explicit policy definition.

Quarantine – devices that fail security validation. These endpoints are isolated with minimal network access until they pass posture checks or are remediated. Administrators can define policies to allow access to remediation servers or administrative tools. After remediation or revalidation, devices automatically return to their intended policy group.

Best Practices

- Keep classification criteria simple and identity-driven.
- Place the most specific rules higher in the order for accurate classification.
- Use descriptive names for policy groups to ensure clarity during troubleshooting.
- Regularly monitor the Unclassified and Quarantine lists to maintain compliance and minimize exposure.

Summary

Policy group management provides a clear, identity-based framework for defining security boundaries across users, devices, and applications. Through automated classification, continuous validation, and policy-driven isolation, the Nile Trust Service delivers precise control and visibility into every endpoint in the network.

Next: Policies and Service Profiles – learn how to create access policies and service profiles to define and enforce communication rules across the network.
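The classification order described on this page (posture failure to Quarantine, user-based criteria before device-based criteria, first match in rule order wins, no match to Unclassified) and the RFC 1918 definition of the Intranet system group can be modelled in a few dozen lines. The following is an added illustrative example written for this page; it is not Nile's code, and the `Endpoint`/`PolicyGroup` dataclasses, the `match` key names (`users`, `user_attrs`, `mac_prefix`, `fingerprint`, `segment`) and the sample groups are all assumptions chosen to mirror the matching criteria the page lists.

```python
"""Illustrative model of policy-group classification (assumed data model, not Nile's API)."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

USER, DEVICE = "user", "device"

# Default system groups named on the page.
UNCLASSIFIED, QUARANTINE, INTRANET, INTERNET = "Unclassified", "Quarantine", "Intranet", "Internet"

# RFC 1918 private address space, which defines the Intranet group.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Endpoint:                                   # assumed structure
    mac: str
    ip: str
    user: Optional[str] = None                    # authenticated identity (e.g. via SCIM/RADIUS)
    user_attrs: dict = field(default_factory=dict)  # identity attributes, e.g. {"department": "finance"}
    fingerprint: Optional[str] = None             # device fingerprint, e.g. "printer"
    posture_ok: bool = True                       # outcome of validation / posture checks


@dataclass
class PolicyGroup:                                # assumed structure
    name: str
    group_type: str                               # USER or DEVICE (application groups are destinations only)
    order: int                                    # rule ordering: lower = more specific, evaluated first
    match: dict = field(default_factory=dict)     # criteria; an empty dict matches every endpoint of that type


def rule_matches(group: PolicyGroup, ep: Endpoint) -> bool:
    """Evaluate one group's criteria against an endpoint; every listed criterion must hold."""
    m = group.match
    if group.group_type == USER:
        if ep.user is None:
            return False                          # user groups require an authenticated identity
        if "users" in m and ep.user not in m["users"]:
            return False
        return all(ep.user_attrs.get(k) == v for k, v in m.get("user_attrs", {}).items())
    # device-group criteria: MAC prefix (OUI), device fingerprint, network segment
    if "mac_prefix" in m and not ep.mac.lower().startswith(m["mac_prefix"].lower()):
        return False
    if "fingerprint" in m and ep.fingerprint != m["fingerprint"]:
        return False
    if "segment" in m and ipaddress.ip_address(ep.ip) not in ipaddress.ip_network(m["segment"]):
        return False
    return True


def classify(ep: Endpoint, groups: list) -> str:
    """Assign an endpoint to exactly one group, following the order the page describes."""
    if not ep.posture_ok:
        return QUARANTINE                         # failed validation / posture -> isolated
    for gtype in (USER, DEVICE):                  # user-based criteria first, then device-based
        candidates = sorted((g for g in groups if g.group_type == gtype), key=lambda g: g.order)
        for g in candidates:
            if rule_matches(g, ep):
                return g.name                     # first match in rule order = most specific group
    return UNCLASSIFIED                           # nothing matched


def classify_destination(ip: str) -> str:
    """Map a destination address to the Intranet (RFC 1918) or Internet system group."""
    addr = ipaddress.ip_address(ip)
    return INTRANET if any(addr in net for net in RFC1918) else INTERNET


def sample_groups() -> list:
    """Constructed sample groups: the specific Finance rule is ordered before the catch-all."""
    return [
        PolicyGroup("Finance", USER, 10, {"user_attrs": {"department": "finance"}}),
        PolicyGroup("Employees", USER, 20, {}),   # any authenticated user
        PolicyGroup("Printers", DEVICE, 10, {"fingerprint": "printer", "segment": "10.20.0.0/16"}),
        PolicyGroup("Cameras", DEVICE, 20, {"mac_prefix": "00:1a:2b"}),
    ]


if __name__ == "__main__":
    groups = sample_groups()
    for ep in (  # constructed sample endpoints
        Endpoint("aa:bb:cc:00:00:01", "10.20.1.5", user="alice", user_attrs={"department": "finance"}),
        Endpoint("aa:bb:cc:00:00:03", "10.20.3.9", user="carol", fingerprint="printer"),
        Endpoint("00:11:22:33:44:55", "10.20.3.9", fingerprint="printer"),
        Endpoint("00:11:22:33:44:55", "10.20.3.9", fingerprint="printer", posture_ok=False),
        Endpoint("de:ad:be:ef:00:01", "10.40.0.2"),
    ):
        print(ep.mac, ep.ip, "->", classify(ep, groups))
```

The second sample endpoint is the case worth checking when writing rules: it looks like a printer, but because it carries an authenticated user it is classified by the user-based stage first and lands in Employees, not Printers. Likewise, an endpoint whose fingerprint matches but whose address falls outside the configured segment matches no device rule and goes to Unclassified, which is why the page recommends monitoring that list.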