Example Access Gateway policy

Example application policy

The following sections describe how to configure the different policy access rules. These access rules are configured through the Policy Application Editor.

The following examples reference the input fields as shown below:

Protected policy

Field                   Value
Enabled Policy          Enable or disable the policy.
Policy Type             Protected or Not Protected.
Name                    A unique name for the policy.
Resource Path           The resource path to the resource you want this policy to manage.
Description             An admin-friendly description of the policy for future reference.

Protected rule policy

Field                   Value
Resource Rule           Protected Rule.
Name                    A unique name for the policy.
Resource Path           The resource path to the resource you want this policy to manage.
Resource Matching Rule  The regular expression for the policy. See Protected rule resource matching rule expressions for more information.
Description             An admin-friendly description of the policy for future reference.

Allow any authenticated user access

The default rule of every protected application allows any authenticated user. When enabled, the following policy allows any authenticated user to access the URL /.

Field                   Value
Resource Rule           Protected
Resource Path           /

Allow any authenticated user in the IDP Everyone group access

If many policies are being configured for an application and a deep link needs to use the default authentication behavior, configure the policy to allow the Everyone group.

Field                   Value
Resource Rule           Protected Rule
Resource Path           /custom
Resource Matching Rule  Groups=(?=.*Everyone:)

Allow no authentication access

If there is a URL that needs to be accessed by anyone regardless of authentication, set the Resource Rule as Not Protected.

Field                   Value
Resource Rule           Not Protected
Resource Path           /public

Allow specific users access

If a URL needs to be accessible to one specific user, set the Resource Matching Rule regex to the username that the policy should allow. The following example allows the user admin@domain.com to access the URL /uri2.

Field                   Value
Resource Rule           Protected Rule
Resource Path           /uri2
Resource Matching Rule  UserName=admin@domain.com

If you need to allow multiple users, use the vertical bar (|) to separate the usernames. The following example expands on the previous one to allow both admin@domain.com and test@domain.com.

Field                   Value
Resource Rule           Protected Rule
Resource Path           /uri2
Resource Matching Rule  UserName=(admin@domain.com|test@domain.com)

Allow specific groups access

If a URI needs to be accessible to one specific group, set the Resource Matching Rule regex to the group name that the policy should allow. The following example allows Group: Admins to access the URI /uri3.

Field                   Value
Resource Rule           Protected Rule
Resource Path           /uri3
Resource Matching Rule  Groups=(?=.*Admins:)

If you need to allow any of several groups, use the vertical bar (|) to separate them. This is an OR condition. The following example allows Group: Admins OR Group: Test Users.

Field                   Value
Resource Rule           Protected Rule
Resource Path           /uri3
Resource Matching Rule  Groups=(?=.*Admins:)|(?=.*Test Users:)

If a user must belong to several groups at once, chain the lookaheads without a vertical bar. This is an AND condition. The following example allows only users in both Group: Admins AND Group: Test Users.

Field                   Value
Resource Rule           Protected Rule
Resource Path           /uri3
Resource Matching Rule  Groups=(?=.*Admins:)(?=.*Test Users:)

Allow specific groups and users access (multiple matches)

If a URI needs to be accessible to a specific group and a specific user, set the Resource Matching Rule regex to both the group name and the username. The following example allows Group: Admins AND User: test@domain.com.

Field                   Value
Resource Rule           Protected Rule
Resource Path           /uri3
Resource Matching Rule  Groups=(?=.*Admins:)(?=.*test@domain.com)

Deny specific groups or users access

If a URI should be accessible to everyone except members of a certain group, set the Resource Matching Rule regex to a negative lookahead on that group name. The following example allows users in any group except those in Group: Group3.

Field                   Value
Resource Rule           Protected Rule
Resource Path           /uri3
Resource Matching Rule  Groups=(?!.*Group3:)

The following example expands on the previous one by combining multiple constraints in the Resource Matching Rule. Anyone in Group: Group3 whose UserName is test@domain.com is not allowed to access the URI.

Field                   Value
Resource Rule           Protected Rule
Resource Path           /uri3
Resource Matching Rule  (?=.*Groups=.*Group3:)(?=.*UserName=(?!test@domain.com))
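The user and group rules above are plain regular expressions, so their behaviour can be checked offline before they are applied to a gateway. The following Python script is an added example, not part of the original page or of the Access Gateway product: it assumes a request context of the form UserName=...;Groups=Name:Name:... (the page only shows the rules, not the string they are matched against), builds a few constructed identities, and evaluates the page's rules against them. It also contrasts Groups=(?!Group3:) with Groups=(?!.*Group3:): a negative lookahead without .* only inspects the text immediately after Groups=, so a user whose Group3 membership is not listed first is still allowed through.

```python
import re

# Layout of the request context a rule is matched against. This is an
# assumption made for this example: the page's own "(?=.*Admins:)" style of
# rule suggests group names appear as "Name:" entries after "Groups=".
def build_context(username, groups):
    return f"UserName={username};Groups={''.join(g + ':' for g in groups)}"

def rule_matches(rule, context):
    """True when the matching rule finds a match anywhere in the context."""
    return re.search(rule, context) is not None

# Matching rules from the page.
ANY_AUTHENTICATED  = r"Groups=(?=.*Everyone:)"
ADMINS_OR_TESTERS  = r"Groups=(?=.*Admins:)|(?=.*Test Users:)"
ADMINS_AND_TESTERS = r"Groups=(?=.*Admins:)(?=.*Test Users:)"
TWO_USERS          = r"UserName=(admin@domain.com|test@domain.com)"
NOT_GROUP3_FIRST   = r"Groups=(?!Group3:)"    # only tests the first listed group
NOT_GROUP3_ANY     = r"Groups=(?!.*Group3:)"  # tests every listed group
GROUP3_EXCEPT_TEST = r"(?=.*Groups=.*Group3:)(?=.*UserName=(?!test@domain.com))"

# Constructed sample identities (not real accounts).
IDENTITIES = {
    "ADMIN":        build_context("admin@domain.com", ["Everyone", "Admins"]),
    "BOTH":         build_context("ops@domain.com", ["Everyone", "Admins", "Test Users"]),
    "TESTER":       build_context("test@domain.com", ["Everyone", "Group3"]),
    "BOB":          build_context("bob@domain.com", ["Everyone", "Group3"]),
    "BOB_G3_FIRST": build_context("bob@domain.com", ["Group3", "Everyone"]),
    "EVE":          build_context("eve@domain.com", ["Everyone"]),
}

RULES = {
    "ANY_AUTHENTICATED": ANY_AUTHENTICATED,
    "ADMINS_OR_TESTERS": ADMINS_OR_TESTERS,
    "ADMINS_AND_TESTERS": ADMINS_AND_TESTERS,
    "TWO_USERS": TWO_USERS,
    "NOT_GROUP3_FIRST": NOT_GROUP3_FIRST,
    "NOT_GROUP3_ANY": NOT_GROUP3_ANY,
    "GROUP3_EXCEPT_TEST": GROUP3_EXCEPT_TEST,
}

def evaluate_all():
    """Return {rule name: {identity name: allowed}} for every rule and identity."""
    return {
        rule_name: {ident: rule_matches(rule, ctx) for ident, ctx in IDENTITIES.items()}
        for rule_name, rule in RULES.items()
    }

if __name__ == "__main__":
    for rule_name, results in evaluate_all().items():
        print(rule_name)
        for ident, allowed in results.items():
            print(f"  {ident:13} {'allow' if allowed else 'deny'}")
```

Run the script to print an allow/deny matrix. The NOT_GROUP3_FIRST row shows BOB allowed while BOB_G3_FIRST is denied, even though both belong to Group3; the NOT_GROUP3_ANY row denies both, which is the behaviour the deny-by-group example intends.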

Allow or deny specific RemoteIP access

If a URI should only be accessible from a specific RemoteIP, set the Resource Matching Rule regex to the RemoteIP that the policy should allow. The following example allows the RemoteIP address 192.168.10.189 access.

Field                   Value
Resource Rule           Protected Rule
Resource Path           /uri4
Resource Matching Rule  RemoteIP=(?=192\.168\.10\.189)

The following example expands on the previous one to allow a range of RemoteIPs. It allows RemoteIPs within the range 192.168.10.200 to 192.168.10.250.

Field                   Value
Resource Rule           Protected Rule
Resource Path           /uri4
Resource Matching Rule  RemoteIP=(?=192.168.10.2([0-4][0-9]|50))

If a URI should be denied to a specific RemoteIP, set the Resource Matching Rule regex to a negative lookahead on the RemoteIP that the policy should deny. The following example denies the RemoteIP address 192.168.10.209 access.

Field                   Value
Resource Rule           Protected Rule
Resource Path           /uri4
Resource Matching Rule  RemoteIP=(?!192.168.10.209)

The following example expands on the previous one to deny a range of RemoteIPs. It denies RemoteIPs within the range 192.168.10.100 to 192.168.10.200.

Field                   Value
Resource Rule           Protected Rule
Resource Path           /uri4
Resource Matching Rule  RemoteIP=(?!192.168.10.(1([0-9][0-9])|200))

Allow or deny specific USER_AGENT access

If a URI should only be accessible from a specific USER_AGENT (browser), set the Resource Matching Rule regex to the USER_AGENT that the policy should allow. The following example allows access to the URI only when the USER_AGENT identifies Google Chrome.

Field                   Value
Resource Rule           Protected Rule
Resource Path           /uri5
Resource Matching Rule  USER_AGENT=(?=.*Chrome)

The following example expands on the previous one by instead denying access from Google Chrome, so the URI must be reached with another user agent (browser).

Field                   Value
Resource Rule           Protected Rule
Resource Path           /uri5
Resource Matching Rule  USER_AGENT=(?!.*Chrome)
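The RemoteIP range rules are worth probing at their boundaries before deployment, since a one-character slip in the character classes silently widens or narrows the range. The following Python script is an added example, not part of the original page or of the Access Gateway product: it assumes a request context of the form RemoteIP=...;USER_AGENT=... (an assumption, as the page shows only the rules), escapes the dots in the page's IP rules so they match only a literal dot, and evaluates each RemoteIP and USER_AGENT rule against constructed addresses just inside and just outside the stated ranges. Because a User-Agent header is chosen by the client, the USER_AGENT rules are shown as a usability control rather than a security boundary.

```python
import re

# Assumed layout of the request context for this example.
def build_context(remote_ip, user_agent):
    return f"RemoteIP={remote_ip};USER_AGENT={user_agent}"

def rule_matches(rule, context):
    """True when the matching rule finds a match anywhere in the context."""
    return re.search(rule, context) is not None

# Rules from the page. Dots are escaped so they match only a literal dot, and
# each lookahead is closed with its own parenthesis.
ALLOW_ONE_IP   = r"RemoteIP=(?=192\.168\.10\.189)"
ALLOW_IP_RANGE = r"RemoteIP=(?=192\.168\.10\.2([0-4][0-9]|50))"   # .200 to .250
DENY_ONE_IP    = r"RemoteIP=(?!192\.168\.10\.209)"
DENY_IP_RANGE  = r"RemoteIP=(?!192\.168\.10\.(1[0-9][0-9]|200))"  # .100 to .200
ALLOW_CHROME   = r"USER_AGENT=(?=.*Chrome)"
DENY_CHROME    = r"USER_AGENT=(?!.*Chrome)"

# Constructed user-agent strings (abbreviated, not captured from real clients).
CHROME_UA  = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0 Safari/537.36"
FIREFOX_UA = "Mozilla/5.0 (X11; Linux x86_64; rv:120.0) Gecko/20100101 Firefox/120.0"

def ip_rule_results(rule, addresses):
    """Map each address to whether the rule allows it (user agent held fixed)."""
    return {ip: rule_matches(rule, build_context(ip, CHROME_UA)) for ip in addresses}

def ua_rule_results(rule, agents):
    """Map each user agent to whether the rule allows it (address held fixed)."""
    return {ua: rule_matches(rule, build_context("192.168.10.189", ua)) for ua in agents}

def edge_cases():
    """Probe each rule at the edges of the range the page says it covers."""
    allow_probe = ["192.168.10.199", "192.168.10.200", "192.168.10.250",
                   "192.168.10.251", "192.168.10.25"]
    deny_probe = ["192.168.10.99", "192.168.10.100", "192.168.10.200",
                  "192.168.10.201", "192.168.10.10"]
    return {
        "allow_range":  ip_rule_results(ALLOW_IP_RANGE, allow_probe),
        "deny_range":   ip_rule_results(DENY_IP_RANGE, deny_probe),
        "allow_one":    ip_rule_results(ALLOW_ONE_IP, ["192.168.10.189", "192.168.10.18"]),
        "deny_one":     ip_rule_results(DENY_ONE_IP, ["192.168.10.209", "192.168.10.20"]),
        "allow_chrome": ua_rule_results(ALLOW_CHROME, [CHROME_UA, FIREFOX_UA]),
        "deny_chrome":  ua_rule_results(DENY_CHROME, [CHROME_UA, FIREFOX_UA]),
    }

if __name__ == "__main__":
    for name, results in edge_cases().items():
        print(name)
        for probe, allowed in results.items():
            print(f"  {'allow' if allowed else 'deny':5} {probe}")
```

The output shows .199 and .251 falling outside the allow range while .200 and .250 are inside, and .99 and .201 escaping the deny range while .100 and .200 are caught; the same probing approach applies to any new range rule before it is saved in the Policy Application Editor.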