Example Access Gateway Policy

Example Application Policy

The following sections:

  • Provide details for configuring the different policy access rules.
  • Show access rules that are configurable through the Policy Application Editor.

The following examples reference the input fields as shown below:

Protected Policy

Field            Value
Enabled Policy   Enable or disable the policy
Policy Type      Protected or Not Protected
Name             A unique name for the policy
Resource Path    The resource path of the resource to be managed by this policy
Description      An admin-friendly description of the policy, for future reference

Protected Rule Policy

Field                   Value
Resource Rule           Protected Rule
Name                    A unique name for the policy
Resource Path           The resource path of the resource to be managed by this policy
Resource Matching Rule  The regular expression that defines which requests the policy matches
Description             An admin-friendly description of the policy, for future reference

Allow any authenticated user access

The default rule of all protected applications is set to allow any authenticated user. When enabled, the following policy allows any authenticated user to access the URL /.

Field                   Value
Resource Rule           Protected
Resource Path           /

Allow any authenticated user in the IDP Everyone Group access

If many policies are being configured for an application and a deep link needs to use the default authentication behavior, configure the policy to allow the Everyone group.

Field                   Value
Resource Rule           Protected Rule
Resource Path           /custom
Resource Matching Rule  Groups=(?=.*Everyone:)

Allow no authentication access

If there is a URL that needs to be accessed by anyone regardless of authentication, set the Resource Rule to Not Protected.

Field                   Value
Resource Rule           Not Protected
Resource Path           /public

Allow specific user(s) access

If there is a URL that needs to be accessed by a specific user, set the Matching Rule Regex to the username to allow for the policy. The following example is set to allow the user admin@domain.com access to the URL /uri2.

Field                   Value
Resource Rule           Protected Rule
Resource Path           /uri2
Resource Matching Rule  UserName=admin@domain.com

If you need to allow multiple users, use the pipe (|) character to separate the usernames. The following example expands on the previous one to allow both admin@domain.com and test@domain.com.

Field                   Value
Resource Rule           Protected Rule
Resource Path           /uri2
Resource Matching Rule  UserName=(admin@domain.com|test@domain.com)

Allow specific group(s) access

If there is a URI that needs to be accessed by a specific group, set the Matching Rule Regex to the group name to allow for the policy. The following example sets the Matching Rule option to allow Group: Admins to access the URI /uri3.

Field                   Value
Resource Rule           Protected Rule
Resource Path           /uri3
Resource Matching Rule  Groups=(?=.*Admins:)

If you need to allow any one of multiple groups, use the pipe (|) character to separate them. This is an OR condition. The following example will allow Group: Admins OR Group: Test Users.

Field                   Value
Resource Rule           Protected Rule
Resource Path           /uri3
Resource Matching Rule  Groups=(?=.*Admins:)|(?=.*Test Users:)

If you require membership in multiple groups, this is an AND condition: list the groups without a pipe. The following example will allow only users in both Group: Admins AND Group: Test Users.

Field                   Value
Resource Rule           Protected Rule
Resource Path           /uri3
Resource Matching Rule  Groups=(?=.*Admins:)(?=.*Test Users:)

Allow specific group(s) and user(s) access (multiple matches)

If there is a URI that needs to be accessed by a specific group and user, set the Matching Rule Regex to the group name and the username to allow for the policy. The following example sets the Matching Rule option to allow users in Group: Admins AND with User: test@domain.com.

Field                   Value
Resource Rule           Protected Rule
Resource Path           /uri3
Resource Matching Rule  Groups=(?=.*Admins:)(?=.*test@domain.com)

Deny specific group(s) or user(s) access

If there is a URI that needs to be accessed by everyone except a certain group, set the Matching Rule Regex to exclude that group name. The following example sets the Matching Rule option to allow users in any group except those in Group: Group3.

Field                   Value
Resource Rule           Protected Rule
Resource Path           /uri3
Resource Matching Rule  Groups=(?!Group3:)

The following example expands on our previous example, setting the Matching Rule option to multiple constraints. If Group: Group3 contains anyone with the UserName= , they will not be allowed to access the URI.

Field                   Value
Resource Rule           Protected Rule
Resource Path           /uri3
Resource Matching Rule  (?=.*Groups=.*Group3:)(?=.*UserName=(?!test@domain.com))

Allow or Deny specific RemoteIP access

If there is a URI that you would like to only be accessed by a specific RemoteIP, set the Matching Rule Regex to the RemoteIP to allow for the policy. The following example sets the Matching Rule option to allow the RemoteIP address 192.168.10.189 access.

Field                   Value
Resource Rule           Protected Rule
Resource Path           /uri4
Resource Matching Rule  RemoteIP=(?=192\.168\.10\.189)

The following example expands on the previous one, setting the Matching Rule option to allow a range of RemoteIPs: addresses from 192.168.10.200 to 192.168.10.250.

Field                   Value
Resource Rule           Protected Rule
Resource Path           /uri4
Resource Matching Rule  RemoteIP=(?=192\.168\.10\.2([0-4][0-9]|50))

If there is a URI that you would like to deny access to from a specific RemoteIP, set the Matching Rule Regex to the RemoteIP to deny for the policy. The following example sets the Matching Rule option to deny the RemoteIP address 192.168.10.209 access.

Field                   Value
Resource Rule           Protected Rule
Resource Path           /uri4
Resource Matching Rule  RemoteIP=(?!192\.168\.10\.209)

The following example expands on the previous one, setting the Matching Rule option to deny a range of RemoteIPs: addresses from 192.168.10.100 to 192.168.10.200.

Field                   Value
Resource Rule           Protected Rule
Resource Path           /uri4
Resource Matching Rule  RemoteIP=(?!192\.168\.10\.(1[0-9][0-9]|200))

Allow or Deny specific USER_AGENT access

If there is a URI that you would like to be accessed only by a specific USER_AGENT (browser), set the Matching Rule Regex to the USER_AGENT to allow for the policy. The following example sets the Matching Rule option to allow access to the URI only via Google Chrome.

Field                   Value
Resource Rule           Protected Rule
Resource Path           /uri5
Resource Matching Rule  USER_AGENT=(?=.*Chrome)

The following example expands on the previous one, instead setting the Matching Rule option to deny access from Google Chrome, forcing access via another agent (browser).

Field                   Value
Resource Rule           Protected Rule
Resource Path           /uri5
Resource Matching Rule  USER_AGENT=(?!.*Chrome)
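To make the OR, AND and negative-lookahead semantics of the group, user, RemoteIP and USER_AGENT rules above concrete, here is an added Python example (not part of this page and not the gateway's own code) that evaluates the page's Resource Matching Rules against constructed request attributes with the standard re module. The string the gateway actually evaluates is not documented here, so the example assumes a single space-separated line of KEY=value pairs with each group name followed by a colon, which is what the page's own patterns such as Groups=(?=.*Admins:) suggest; the whitespace terminator (?=\s|$) and the Groups=(?!.*Group3:) variant are assumptions of the example, not rules taken from the page.

```python
import re

# Constructed attribute layout ASSUMED for this example: the gateway's real
# evaluation string is not documented on the page. KEY=value pairs, space
# separated, with each group name followed by a colon.
def subject(groups, user, remote_ip, user_agent):
    group_list = "".join(g + ":" for g in groups)
    return (f"Groups={group_list} UserName={user} "
            f"RemoteIP={remote_ip} USER_AGENT={user_agent}")

def rule_allows(rule, groups, user, remote_ip="192.168.10.1", user_agent="Mozilla/5.0"):
    """True when the Resource Matching Rule regex finds a match in the attributes
    (unanchored search, which is what the page's unanchored patterns imply)."""
    return re.search(rule, subject(groups, user, remote_ip, user_agent)) is not None

# Matching rules from the page (with the '*' and ')' lost in extraction restored).
EVERYONE        = r"Groups=(?=.*Everyone:)"
ADMINS_OR_TEST  = r"Groups=(?=.*Admins:)|(?=.*Test Users:)"        # OR
ADMINS_AND_TEST = r"Groups=(?=.*Admins:)(?=.*Test Users:)"         # AND
NOT_GROUP3      = r"Groups=(?!Group3:)"                            # page's deny form
NOT_GROUP3_ANY  = r"Groups=(?!.*Group3:)"                          # assumed variant, not on the page
TWO_USERS       = r"UserName=(admin@domain\.com|test@domain\.com)" # grouped pipe form
IP_RANGE        = r"RemoteIP=(?=192\.168\.10\.2([0-4][0-9]|50))"   # allow .200-.250
DENY_IP_RANGE   = r"RemoteIP=(?!192\.168\.10\.(1[0-9][0-9]|200))"  # deny .100-.200
DENY_CHROME     = r"USER_AGENT=(?!.*Chrome)"

def group_rule_results():
    """Evaluate the group rules against constructed memberships."""
    u = "u@domain.com"
    return {
        "everyone_member":      rule_allows(EVERYONE, ["Everyone"], u),
        "or_test_only":         rule_allows(ADMINS_OR_TEST, ["Test Users"], u),
        "and_test_only":        rule_allows(ADMINS_AND_TEST, ["Test Users"], u),
        "and_both":             rule_allows(ADMINS_AND_TEST, ["Admins", "Test Users"], u),
        # (?!Group3:) placed right after "Groups=" only inspects the first group
        # in the list, so the result depends on where Group3 appears.
        "deny_group3_first":    rule_allows(NOT_GROUP3, ["Group3", "Everyone"], u),
        "deny_group3_second":   rule_allows(NOT_GROUP3, ["Everyone", "Group3"], u),
        "deny_group3_anywhere": rule_allows(NOT_GROUP3_ANY, ["Everyone", "Group3"], u),
    }

def user_rule_results():
    """Evaluate the user rules, including the unterminated single-user form."""
    g = ["Everyone"]
    return {
        "admin_allowed": rule_allows(TWO_USERS, g, "admin@domain.com"),
        "test_allowed":  rule_allows(TWO_USERS, g, "test@domain.com"),
        "other_denied":  rule_allows(TWO_USERS, g, "bob@domain.com"),
        # No terminator: also matches a longer username starting with the value.
        "prefix_match":  rule_allows(r"UserName=admin@domain.com", g, "admin@domain.community"),
        # Terminator assumes the space-separated layout built in subject().
        "terminated":    rule_allows(r"UserName=admin@domain\.com(?=\s|$)", g, "admin@domain.community"),
    }

def network_rule_results():
    """Evaluate the RemoteIP range rules and the USER_AGENT deny rule."""
    g, u = ["Everyone"], "u@domain.com"
    chrome_ua  = "Mozilla/5.0 (X11) AppleWebKit/537.36 Chrome/120.0 Safari/537.36"   # constructed
    firefox_ua = "Mozilla/5.0 (X11; rv:120.0) Gecko/20100101 Firefox/120.0"          # constructed
    return {
        "ip_250_in_range":   rule_allows(IP_RANGE, g, u, remote_ip="192.168.10.250"),
        "ip_199_out":        rule_allows(IP_RANGE, g, u, remote_ip="192.168.10.199"),
        "ip_251_out":        rule_allows(IP_RANGE, g, u, remote_ip="192.168.10.251"),
        "deny_150":          rule_allows(DENY_IP_RANGE, g, u, remote_ip="192.168.10.150"),
        "deny_range_99_ok":  rule_allows(DENY_IP_RANGE, g, u, remote_ip="192.168.10.99"),
        "deny_range_201_ok": rule_allows(DENY_IP_RANGE, g, u, remote_ip="192.168.10.201"),
        "chrome_denied":     rule_allows(DENY_CHROME, g, u, user_agent=chrome_ua),
        "firefox_allowed":   rule_allows(DENY_CHROME, g, u, user_agent=firefox_ua),
    }

if __name__ == "__main__":
    for section, results in (("groups", group_rule_results()),
                             ("users", user_rule_results()),
                             ("network", network_rule_results())):
        for case, allowed in results.items():
            print(f"{section:8} {case:22} {'ALLOW' if allowed else 'DENY'}")
```

Two things the run shows that the tables alone do not: Groups=(?!Group3:) only inspects the text immediately after Groups=, so under the assumed layout it denies a Group3 member whose first listed group is Group3 but allows the same member when another group is listed first, whereas the .* form (which the page's own combined Group3/UserName rule uses) finds the group anywhere in the list; and an unterminated UserName=admin@domain.com also matches any longer username that begins with that value, so a terminator appropriate to the gateway's real attribute format is needed for an exact match. The USER_AGENT header is supplied by the client, so treat that rule as a usability control rather than an access-control boundary.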
