Access policies

Use Access Gateway to configure one or more access policies per application. Policies are applied to URL resources within an application and you can set them to allow or deny:

  • Access to an application by any authenticated user (default).
  • Unauthenticated access (by anyone) to an application.
  • Specific users to access an application.
  • Specific groups to access an application.
  • Access to an application based on any IdP user profile attribute.
  • Granular access based on application URLs or deep links.
  • Custom access based on advanced configuration.

Policy composition

A policy is composed of three elements:

  • Resources - The elements of an application where a policy is applied.
  • Session Data - The data used to assist in making policy decisions.
  • Policy Rules - A set of rules combining resources and session data and determining access rights.

Resources

Policies are meant to protect resources, and resources are typically defined as application URLs. Access Gateway resources can use patterns to match dynamic or expressive application URLs and can be refined further to identify matching semantics.

Access Gateway matches resources using location matching, which is implemented with the following logic:

    location <URL matching pattern> {
        # rule comment
        <policy rule> 'REGEX' (against session data);
    }

Session Data

Access Gateway generates a server-side session after authenticating a user. The session is transitory and lasts only for the duration of the user's session. The session holds key/value pairs, which typically originate from the IdP repository. When you construct allow rules, the rule's regex is matched against this session data.

Example Session: 'UserName=test.user@domain.com RemoteIP=68.203.82.29 RelayDomain=app1.oagwdev.2.domain.com firstName=Test lastName=User department=123 Groups=Test Group:Test Admin Group:Test Authorizer Group:Everyone:'

The result of each policy is audited and can be viewed in the Access Gateway Management console monitoring menu.

Use the Regex Expression Tool for more information on regex, or to test and compare a policy expression against session data.

Policy Rules

Access Gateway uses Perl-Compatible Regular Expressions (PCRE) for Protected Rules.

  • Protected - Access Gateway requires an authenticated user session.
  • Not Protected - Access Gateway doesn't enforce a user session. Headers are not passed to the application with Not Protected policies.
  • Protected Rule - Access Gateway requires a user session and matches the rule's regex against the session data. If the regex matches, Access Gateway allows or denies access to the location.
  • Adaptive Rule - Behaves like Not Protected, but headers are passed to the application.
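The following is an added example that models the location-matching and rule types described above; it is not Access Gateway code or its configuration syntax. It assumes a first-matching-prefix lookup over a hypothetical policy list, uses the example session string from this page as constructed input, and uses Python's re module in place of PCRE (the patterns shown are valid in both). It also shows why a group-membership regex should be anchored on the ':' delimiters of the Groups value rather than matched as a bare substring.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed session data, copied from the example session on this page.
SESSION = ("UserName=test.user@domain.com RemoteIP=68.203.82.29 "
           "RelayDomain=app1.oagwdev.2.domain.com firstName=Test lastName=User "
           "department=123 Groups=Test Group:Test Admin Group:Test Authorizer Group:Everyone:")


@dataclass
class Location:
    prefix: str             # URL prefix, standing in for "location <URL matching pattern>"
    rule: str               # "protected", "not_protected", "protected_rule" or "adaptive"
    regex: str = ""         # expression matched against the session data (protected_rule only)
    allow_on_match: bool = True  # a protected rule can allow or deny on a match


def group_regex(group: str) -> str:
    """Anchor a group name between 'Groups=' or ':' and a trailing ':'.

    A bare substring like 'Test Group' would also match 'Test Group Admins';
    the anchored form only matches a whole, delimited group name."""
    return r"Groups=(?:[^:]*:)*" + re.escape(group) + ":"


def group_member(session: str, group: str) -> bool:
    return re.search(group_regex(group), session) is not None


# Hypothetical policy for one application; most specific prefix listed first (assumption).
POLICY = [
    Location("/admin/", "protected_rule", group_regex("Test Admin Group")),
    Location("/public/", "not_protected"),
    Location("/", "protected"),
]


def evaluate(url_path: str, session: Optional[str], policy=POLICY) -> Tuple[str, str]:
    """Return (decision, matched_prefix); session is None for an unauthenticated request."""
    for loc in policy:
        if not url_path.startswith(loc.prefix):
            continue
        if loc.rule in ("not_protected", "adaptive"):
            return ("allow", loc.prefix)      # no session enforced for either rule type
        if session is None:
            return ("deny", loc.prefix)       # Protected and Protected Rule need a session
        if loc.rule == "protected":
            return ("allow", loc.prefix)      # any authenticated user
        matched = re.search(loc.regex, session) is not None
        return ("allow" if matched == loc.allow_on_match else "deny", loc.prefix)
    return ("deny", "")                       # no location matched: deny (assumption)
```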