Learn About Access Gateway policy

Access Gateway includes the ability to configure one or more access policies per application. Policies are applied to URI resources within an application and can be set to achieve the following:

Policy Composition

Policy is composed of three elements:


Policies are meant to protect resources, and resources are typically defined as application URIs. Access Gateway resources can use patterns to match dynamic or expressive application URIs, and can be refined further to identify matching semantics.

Access Gateway uses location matching to provide resource matching. It is implemented using the following logic:

location <URL matching pattern>{
    #rule comment
    <policy rule>'REGEX'(Against Session Data);


For more information see, NGINX Module Guide.

Session Data

Access Gateway generates a server-side session after authenticating a user. The session is transitory and will only last for the duration of the user’s session. The session holds key/value pairs. These pairs typically originate from the IDP Repository. This session data is used to match (Regex) against when constructing the allow rules.

Example Session:
'UserName=test.user@domainA domain is an attribute of an Okta organization. Okta uses a fully-qualified domain name, meaning it always includes the top-level domain (.com, .eu, etc.), but does not include the protocol (https)..com RemoteIP= RelayDomain=app1.oagwdev.2.domain.com firstName=Test lastName=User department=123 GroupsGroups allow you to organize your end users and the apps they can access. Assigning apps to large sets of end users is made easier with groups.=Test  Group:Test AdminAn abbreviation of administrator. This is the individual(s) who have access to the Okta Administrator Dashboard. They control the provisioning and deprovisioning of end users, the assigning of apps, the resetting of passwords, and the overall end user experience. Only administrators have the Administration button on the upper right side of the My Applications page.  Group:Test Authorizer Group:Everyone:'


The result of each policy is audited and can be viewed in the Access Gateway Management Console Monitoring Menu.

For more information on REGEX or to test/compare policy expression against session data, use the Regex Expression Tool.

Policy Rules

Access Gateway uses Perl-Compatible Regular Expressions (PCRE) for the Protected Rules.

Rule Description


Access Gateway requires an authenticated user session.

Not Protected

Access Gateway will not enforce a user session. Note that headers are not passed to the application with Not Protected policies.

Protected Rule

Access Gateway will require a user session. Regex will match against session data. If the REGEX finds your expression Access Gateway will allow or deny access to the location.

Adaptive Rule

Behavior is identical to Not Protected but also provides headers.



For more information reference the Perl-Compatible Regular Expression Guide.