Add access control rules

Create access control rules to restrict access to an application based on username, group name, time, or other conditions.

In the EAA Management Portal for Enterprise Application Access you can create an access control rule to block or deny access to an application based on the criteria listed in the table below.

Access control type | Description
URL                 | The web address or path requested by the user.
Group               | The group that a user belongs to.
User                | The username assigned to the user.
Method              | An HTTP method such as GET, POST, PUT, DELETE, HEAD, OPTIONS, TRACE, or CONNECT, or Other for any custom method that the application uses.
Client IP           | The IP address of the client that you want to restrict.
Country             | The country from which you want to prevent users from accessing the application.
Time                | The days of the week and the exact times (based on time zone) during which you want to restrict access. Note: This access control type is available with HTTP/HTTPS applications only.
App Host            | The hostname of the application server. Applies to tunnel-type client-access applications only.
App Port            | The port number of the application server. Applies to tunnel-type client-access applications only.
App Protocol        | The protocol, TCP or UDP. Applies to tunnel-type client-access applications only.

If you have access to Device Posture, you can also set device risk assessments with risk tiers, risk tags and versions.

For every rule you create, you select the access control type, an operator (is or is not), and then define the values for the selected type. The operator determines whether the rule restricts clients that match the value or clients that do not match it.

By default, access control rules are disabled for an application. You must enable the feature and then configure the rules and the criteria you require.

A rule can contain one criterion or multiple criteria. The criteria in a rule are combined with an AND operator: access is denied only when all of the rule's conditions match.

If multiple rules are created for an application, the rules are combined with an OR operator: if any rule matches, access to the application is denied. This allows you to use the same control types in multiple expressions without creating a conflict.

Access control rules are not applied to an application until you deploy it. If you add or change access control rules after the application was deployed, you must redeploy the application.

When a user is denied access as a result of an access control rule, an HTTP 403 Forbidden error message appears. See Application response codes, login events, and errors.
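To make the AND/OR semantics above concrete, here is a small Python model of rule evaluation (added example code, not Akamai's or EAA's own implementation): each rule ANDs its criteria, the rules are ORed, and any matching enabled rule denies with 403. The rule names, request fields, sample addresses and the fixed-offset time zone are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network
@dataclass
class Criterion:
    ctype: str     # "User", "Group", "Client IP", "Method", "URL", "Country" or "Time"
    operator: str  # "is" or "is not"
    value: object  # for "Time": (start "HH:MM", end "HH:MM", tzinfo, set of weekday names)
    def matches(self, req: dict) -> bool:
        """True when this criterion, with its operator applied, holds for the request."""
        if self.ctype == "Time":                      # evaluated in the rule's own time zone
            start, end, tz, days = self.value
            local = req["time"].astimezone(tz)
            hit = local.strftime("%a") in days and start <= local.strftime("%H:%M") <= end
        elif self.ctype == "Client IP":               # single address or CIDR block
            hit = ip_address(req["client_ip"]) in ip_network(self.value, strict=False)
        elif self.ctype == "Group":                   # a user may hold several groups
            hit = self.value in req["groups"]
        elif self.ctype == "URL":                     # path prefix match
            hit = req["url"].startswith(self.value)
        else:                                         # User, Method, Country: exact match
            hit = req[self.ctype.lower()] == self.value
        return hit if self.operator == "is" else not hit

@dataclass
class Rule:
    name: str
    criteria: list        # combined with AND: every criterion must hold
    enabled: bool = True  # a disabled rule (checkbox cleared in the portal) is skipped

def evaluate(rules: list, req: dict) -> tuple:
    """Rules are ORed: the first enabled rule whose criteria all hold denies with 403."""
    for rule in rules:
        if rule.enabled and all(c.matches(req) for c in rule.criteria):
            return 403, rule.name
    return 200, None

# Constructed sample policy; a fixed-offset zone stands in for the portal's time zone picker.
EST = timezone(timedelta(hours=-5), "EST")
RULES = [
    Rule("contractors-after-hours", [Criterion("Group", "is", "contractors"),
         Criterion("Time", "is", ("18:00", "23:59", EST, {"Mon", "Tue", "Wed", "Thu", "Fri"}))]),
    Rule("admin-path-off-network", [Criterion("URL", "is", "/admin"),
         Criterion("Client IP", "is not", "203.0.113.0/24")]),
]
# Constructed requests with UTC timestamps: 00:30 UTC Tuesday is 19:30 EST Monday.
REQ_DAYTIME = dict(user="c.lee", groups={"contractors"}, method="GET", country="US", url="/app",
                   client_ip="203.0.113.5", time=datetime(2024, 3, 4, 14, 0, tzinfo=timezone.utc))
REQ_EVENING = dict(REQ_DAYTIME, time=datetime(2024, 3, 5, 0, 30, tzinfo=timezone.utc))
REQ_ADMIN_REMOTE = dict(REQ_DAYTIME, groups={"staff"}, url="/admin/users", client_ip="198.51.100.7")
```

Because the evening request crosses midnight in UTC but not in the rule's zone, it shows why the rule's time zone, not the server's clock, decides a Time criterion.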

📘

The time-based access control type is available with HTTP/HTTPS applications only.

  1. Log in to EAA Management Portal.

  2. In the EAA Management Portal navigation menu, select Applications.

  3. On the application card, click Settings, and select SERVICES.

  4. In Access Control, click Configure rules.

    1. To create a new rule, click Add Rule.

    2. To edit an existing rule, click Edit Rule.
      A modal window appears.

  5. Enter a name for the rule and click Create Rule and Configure.

  6. In Type select one of the following:

    • Group
    • User
    • Client IP
    • Country
    • App Host
    • App Port
    • App Protocol
    • Time
    • URL

    📘

    Time and URL are available only for web applications (HTTP and HTTPS).

  7. In Operator select either is or is not.

  8. In Value enter the value if applicable or select the value for the access control type.

    1. If you selected Time, click Time to configure the time-based settings.

    2. In Start Time and End Time enter a time in hh:mm AM/PM format.

    3. In Time Zone select a time zone.

    4. Select the days of the week on which you want to deny access.

    5. Click Save.

    6. To add another criterion to the rule, click Add Another Criterion, and repeat the above steps.

    7. Click Save Rule.
      The rule appears on the Traffic Rules page for the application.

  9. Click Back to Configuration Services and save the changes.

  10. Click Save and Deploy.

  11. Deploy the application.

Disable or delete access control rules

Disable an access control rule without deleting it from the application. When you no longer wish to use an access control rule, delete the rule from the application's configuration.

  1. Log in to EAA Management Portal.

  2. In the EAA Management Portal navigation menu, select Applications.

  3. On the application card, click Settings, and select SERVICES.

  4. In Access Control, click Configure rules.
    The Traffic Rules page appears.

  5. On the access control rule card you can do the following:

    1. To disable a rule, deselect the checkbox in the upper-left corner of the access control rule card.

    2. To delete a rule, click Delete.

  6. Click Back to Configuration Services and save the changes.

  7. Deploy the application.