Control Access

Allow or deny requests that match the rule’s criteria.

How it works

The behavior comes with a default Reason ID. You can modify the Reason ID, for example, to deny-location, to deny the request because of the user location. Then, in a later match for user location, you can use another Control Access behavior with the same Reason ID and allow access for certain user locations. If there are other reasons to deny a request (for example, because of a missing request header), you can set a different Reason ID. At the end of request processing, if Control Access is still set to deny for any Reason IDs, then the request is denied.


You can modify the Reason ID for a denial, and in doing so create a Reason ID that must be matched if the content is to be allowed in another rule or child rule.

Features and options

FieldWhat it does
Reason IDEnter a short string to use as an ID, such as deny-location.
StatusAllow or Deny access.