Add access control rules

Create access control rules to restrict access to an application based on username, group name, time, or other conditions.

In Enterprise Center for Enterprise Application Access, you can create an access control rule to block or deny access to an application based on the criteria listed in the following table.

| Access control type | Description |
| --- | --- |
| URL | The web address or path requested by the user. |
| Group | The group that a user belongs to. |
| User | The username assigned to the user. |
| Method | An HTTP method such as GET, POST, PUT, DELETE, HEAD, OPTIONS, TRACE, CONNECT, or an Other method for any custom method that is used for the application. |
| Client IP | The IP address of the client that you want to restrict. |
| Country | The country where you want to prevent the user from accessing the application. |
| Time | The days of the week and the exact times (based on time zone) that you want to restrict access. Note: This access control type is available with HTTP/HTTPS applications only. |
| App Host | The hostname of the application server. Applies to tunnel-type client-access applications only. |
| App Port | The port number of the application server. Applies to tunnel-type client-access applications only. |
| App Protocol | Select TCP or UDP protocol. Applies to tunnel-type client-access applications only. |

If you have access to Device Posture, you can also set device risk assessments with risk tiers, risk tags and versions.

For every rule you create, you select the access control type, an operator, and then define the values for the selected type. The operator is either is or is not, so you can choose whether the restriction applies when the control type matches the values or when it does not.

By default, access control rules are disabled for an application. You must enable the feature and then configure the rules and the criteria you require.

A rule can contain one criterion or multiple criteria. The criteria you provide in a rule are combined with an AND operator.

If multiple rules are created for an application, these rules are combined with the OR operator. This allows you to use the same control types in multiple expressions and ensure there is no conflict.

Access control rules are not applied to an application until you deploy or redeploy the application.

When a user is denied access as a result of an access control rule, an HTTP 403 Forbidden error message appears. See Application response codes, login events, and errors.

The criteria you create in a rule are combined with an AND operator. This means that all conditions are applied to deny access. If you configure multiple rules, the rules are applied with an OR operator to ensure that if any of the conditions in a rule apply, access to an application is denied.
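A small Python model of the combination logic described above, added here as an illustration; it is not Akamai's code or API. The class names, the function names, the sample rules and the handling of a missing request attribute are all assumptions.

```python
# Illustrative model only: not Akamai's implementation or API.
# All names (Criterion, Rule, decide) and sample values are constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Criterion:
    type: str        # e.g. "Group", "User", "Country", "Method"
    operator: str    # "is" or "is not"
    values: frozenset

    def matches(self, request: dict) -> bool:
        # Assumption: an attribute may hold one value or several
        # (a user can belong to more than one group).
        actual = request.get(self.type, ())
        actual = {actual} if isinstance(actual, str) else set(actual)
        hit = bool(actual & self.values)
        # Assumption: with "is not", a missing attribute counts as a match,
        # so this model denies when the attribute is unknown.
        return hit if self.operator == "is" else not hit

@dataclass(frozen=True)
class Rule:
    name: str
    criteria: tuple

    def matches(self, request: dict) -> bool:
        # Criteria inside one rule are combined with AND.
        # An empty rule never matches, so it cannot deny everyone.
        return bool(self.criteria) and all(c.matches(request) for c in self.criteria)

def decide(rules, request, enabled=True):
    """Return (http_status, matched_rule_name). Rules are combined with OR."""
    if not enabled:                 # access control is disabled by default
        return 200, None
    for rule in rules:
        if rule.matches(request):   # any matching rule denies access
            return 403, rule.name
    return 200, None

RULES = [
    Rule("contractors-no-writes", (
        Criterion("Group", "is", frozenset({"contractors"})),
        Criterion("Method", "is", frozenset({"POST", "PUT", "DELETE"})),
    )),
    Rule("outside-allowed-countries", (
        Criterion("Country", "is not", frozenset({"US", "CA"})),
    )),
]
```

Because a match always denies, a rule built with is not works as an allowlist: in this model the second rule blocks every country except the two listed.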

Access control rules are not live until an application is deployed. If you apply access control rules after an application was deployed, you must redeploy the application.

Note: The time-based access control type is available with HTTP/HTTPS applications only.

  1. Log in to Enterprise Center.

  2. In the Enterprise Center navigation menu, select Application Access > Applications > Applications.

  3. Select your application to open it.

  4. In Access enable Access.

    1. To create a new rule, click Add Rule (+).

    2. To edit an existing rule, click Edit Rule.
      A modal window appears.

  5. Enter a name for the rule and click Add.

  6. In Type select one of the following:

    • Group
    • User
    • Client IP
    • Country
    • App Host
    • App Port
    • App Protocol
    • Time
    • URL

    Note: Time and URL are available only for web applications (HTTP and HTTPS).

  7. In Operator select either is or is not.

  8. In Value enter the value if applicable or select the value for the access control type.

    1. Click Time to configure the time-based settings.

    2. In Start Time and End Time enter a time in hh:mm, AM-PM format.

    3. In time zone select a timezone.

    4. Select the days of the week that you want to deny access.

    5. Click Save Rule (✓).
      The rule appears as Access Control in the Services column.

    6. To add another criterion to the rule click Add Criteria (+), and repeat the above steps.

    7. To delete the rule, click Delete Rule.

  9. Click Save and Deploy.

