Defining application policy

Use Access Gateway to configure one or more access policies per application. Policies are applied to URL resources within an application and you can set them to allow or deny:

  • Access to an application by any authenticated user (default).
  • No authentication access (to anyone) for an application.
  • Specific users to access an application.
  • Specific groups to access an application.
  • Access to an application based on any IdP user profile attribute.
  • Granular access based on application URLs or deep links.
  • Custom access based on advanced configuration.

During this task you will create, configure, and manage Access Gateway application policies.

When configuring application access policy, it's important to understand that all application access policy is derived from, or inherits from, the original group specified in the application's Essentials section. Before any access policy is applied to any application URI, a check is made against the application's group setting, which may grant or deny access to the application as a whole.

Configuring application access policy

To configure an application policy:

  1. Navigate to the Access Gateway Admin UI console.
  2. Click the Applications tab.

  3. Select an application that requires new policy and click Edit.

  4. Select the Policies sub-tab.
  5. Choose one of:
    Add a new policy
    Delete an existing policy
    Modify an existing policy

The default root (/) policy cannot be deleted or modified.

Add a new policy

  1. Click Add in the policy list header and choose one of:
    • Protected
    • Not Protected
    • Protected Rule
    • Adaptive
    • Custom - To add a custom policy you must select another policy type and then change its type to Custom.

    See Policy types for type details.

  2. In the Resource Path, enter the URI to the resource being protected.

    Custom policy allows administrators to add a regular expression as the Resource Path.
    URIs matching this regular expression will have this policy applied.

    Policy URI must also be unique across Login, Logout, and Error behaviors. Access Gateway does not support using the same URL for multiple behaviors or policies.

  3. If required, clear the Case Sensitive checkbox to mark the URI case insensitive. See Application policy Resource Path precedence for more information on Resource Path, policy precedence, general matching, and case sensitive or insensitive matching.

    Introduced in Access Gateway version 2021.2.1

    Only Custom policy allows the use of regular expressions in Resource Path.

  4. For Protected, Protected Rule, and Adaptive Rule: In Resource Matching Rule, enter a regular expression representing the users who should be granted access to the resource. See Example Access Gateway policy for examples of expressions.
  5. Click Okay to add the policy or Cancel to cancel.

Note that policies are applied and executed according to URI precedence. See Application policy Resource Path precedence for more information.
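
An added example, not part of the original documentation and not Okta code: a pre-flight check for a planned policy set. It flags Resource Paths that collide with each other or with the Login, Logout, and Error behavior URLs, and lists sample URIs that a Custom regular expression matches only when it is left unanchored. Assumptions: the policy data, function names, and sample URIs are constructed; Python's re module stands in for the Access Gateway regex engine, whose anchoring rules this page does not state; and a case-insensitive path that differs from another only in case is treated as an overlap to review.

```python
import re
from collections import defaultdict

# Constructed sample plan; paths, types and behavior URLs are hypothetical.
POLICIES = [
    {"path": "/", "type": "Protected", "case_sensitive": True},
    {"path": "/Admin", "type": "Protected Rule", "case_sensitive": False},
    {"path": "/admin", "type": "Adaptive", "case_sensitive": True},
    {"path": "/logout", "type": "Not Protected", "case_sensitive": True},
    {"path": r"/reports/.*\.pdf", "type": "Custom", "case_sensitive": True},
]
BEHAVIORS = {"Login": "/login", "Logout": "/logout", "Error": "/error"}
SAMPLE_URIS = ["/reports/q1.pdf", "/reports/q1.pdf.bak",
               "/x/reports/a.pdf", "/reports/Q1.PDF"]

def find_collisions(policies, behaviors):
    """Literal paths used more than once, exactly or via a case-insensitive policy."""
    groups = defaultdict(list)  # lowercased path -> [(owner, path, case_sensitive)]
    for name, url in behaviors.items():
        groups[url.lower()].append((f"behavior:{name}", url, True))  # assumed case sensitive
    for p in policies:
        if p["type"] != "Custom":  # regex paths are reviewed by classify_matches
            groups[p["path"].lower()].append(
                (f"policy:{p['type']}", p["path"], p["case_sensitive"]))
    findings = []
    for entries in groups.values():
        if len(entries) < 2:
            continue
        exact = len({path for _, path, _ in entries}) < len(entries)
        if exact or any(not cs for _, _, cs in entries):
            kind = "duplicate" if exact else "case-overlap"
            findings.append((kind, sorted(owner for owner, _, _ in entries)))
    return findings

def classify_matches(pattern, case_sensitive, uris):
    """Split sample URIs into full matches and matches that rely on a missing anchor."""
    rx = re.compile(pattern, 0 if case_sensitive else re.IGNORECASE)
    full = [u for u in uris if rx.fullmatch(u)]
    partial = [u for u in uris if rx.search(u) and not rx.fullmatch(u)]
    return full, partial

if __name__ == "__main__":
    for kind, owners in find_collisions(POLICIES, BEHAVIORS):
        print(kind, owners)
    custom = POLICIES[-1]
    full, partial = classify_matches(custom["path"], custom["case_sensitive"], SAMPLE_URIS)
    print("full:", full, "unanchored-only:", partial)
```

URIs reported as unanchored-only are the ones to test against the gateway itself before relying on the Custom policy.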

Delete an existing policy

  1. Click Delete next to the policy to be deleted.
  2. In the confirm dialog box, click Yes to delete the policy or No to cancel the delete operation.

Modify an existing policy

  1. Click Edit (pencil icon) next to the policy rule to be modified.
    The Edit existing Policy dialog box is displayed.
  2. Modify the policy as required.
  3. Click Okay to save the modified policy or Cancel to cancel the modification.