About Access Gateway policy types

Access Gateway supports the following policy types:

  • Protected policy - Requires a valid session (authenticated user) only to access the associated resource.
  • Not Protected policy - Allows everyone access to the associated resource.
  • Protected Rule policy - Requires a valid session and an expression detailing who can access the resource.
  • Adaptive Rule policy - Extends Not Protected but passes header information to the underlying application.

Protected policy

Protected Policy enforces the existence of a valid Access Gateway application session before allowing user access.
Unless specified otherwise by a more exclusive policy, all application resources are subject to this policy.

Not Protected policy

A Not Protected Policy doesn't enforce the existence of a valid Access Gateway application session. This policy type is typically reserved for anonymous pages that do not require user identification or are trusted for public consumption.



No header attributes are sent to the back-end application when Not Protected Policy is applied.

Protected Rule policy

Protected Rule Policy extends the behavior of a Protected Policy and enables you to narrowly define the access rules (allow or deny) for specific resources. This policy type evaluates the attributes you define in the Attributes menu of the application. Typically, these attributes are sourced from your Okta tenant. Hence, it’s important to understand which user profile data should be used.
Rules are Perl-Compatible Regular Expression (PCRE)-based regular expressions.
See Protected rule resource matching rule expressions for more information on defining protected rule matching expressions.
See Example Access Gateway policy for example rules and associated expressions.

Important Note


Protected Rules use regular expressions which draw on application attributes. In the example provided, Groups is such an attribute. When defining protected rule resource matching expressions, ensure that all required attributes are already defined. See Manage application attributes for details of adding application attributes.
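
One way to check a candidate rule expression against sample attribute values before relying on it, as an added example that is not Okta's code or Access Gateway's own evaluator. It uses Python's re module as a stand-in for PCRE and assumes Groups arrives as a colon-delimited string; the users, function names and the fail-closed handling of an undefined attribute are constructed for illustration.

```python
import re

# Constructed sample users (not from the page). Assumption: the Groups
# attribute is delivered as a single colon-delimited string.
USERS = {
    "alice": {"Groups": "Everyone:Admin:Finance"},
    "bob": {"Groups": "Everyone:AdminReadOnly"},
    "carol": {"Groups": "Everyone:NotAdmin"},
    "dave": {"Groups": "Everyone"},
}

def rule_allows(attributes, attribute, pattern):
    """True only if the attribute is defined and the regex matches its value."""
    value = attributes.get(attribute)
    if value is None:
        # Attribute was never defined for the application: this model fails closed.
        return False
    return re.search(pattern, value) is not None

def audit_rule(attribute, pattern, expected_allowed):
    """Compare who the rule admits with who it is supposed to admit."""
    allowed = {user for user, attrs in USERS.items()
               if rule_allows(attrs, attribute, pattern)}
    return {
        "over_permitted": sorted(allowed - expected_allowed),
        "wrongly_denied": sorted(expected_allowed - allowed),
    }

# Unanchored: matches any group name that merely contains "Admin".
LOOSE = r"Admin"
# Delimiter-anchored: matches only the exact group name "Admin".
STRICT = r"(?:^|:)Admin(?:$|:)"

if __name__ == "__main__":
    for name, pattern in (("loose", LOOSE), ("strict", STRICT)):
        print(name, audit_rule("Groups", pattern, {"alice"}))
    # A rule that references an attribute nobody defined admits no one.
    print("undefined", audit_rule("Department", r".*", {"alice"}))
```

The same audit can be rerun with real attribute values exported from a test tenant, provided the delimiter assumption is adjusted to match how the attribute is actually populated.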

Adaptive Rule policy

Adaptive Rule Policy extends the behavior of the Not Protected policy but passes all application headers to the underlying application.