About Access Gateway policy

Access Gateway includes the ability to configure one or more access policies per application. Policies are applied to URI resources within an application and can be set to achieve the following:

  • Allow access to an application by any authenticated user (default).

  • Allow access to an application without authentication (to anyone).

  • Allow specific user(s) access to an application.

  • Allow specific group(s) access to an application.

  • Allow access to an application based on any IDP user profile attribute.

  • Allow granular access based on specific application URIs or deep links.

Policy Composition

Policy is composed of three elements:

  • Resources - the elements of an application where policy is applied.
  • Session Data - Application data used to assist in making policy decisions.
  • Policy Rules - A set of rules combining resources and session data to determine access rights.

Resources

Policies are meant to protect resources, and resources are typically defined as application URIs. Access Gateway resources can use patterns to match dynamic or expressive application URIs, and can be refined further to identify matching semantics.

Access Gateway uses location matching to provide resource matching. It is implemented using the following structure:

    location <URL matching pattern> {
        # rule comment
        <policy rule> 'REGEX' (matched against session data);
    }
Tip

For more information, see the NGINX Module Guide.

Session Data

Access Gateway generates a server-side session after authenticating a user. The session is transitory and lasts only for the duration of the user’s login session. It holds key/value pairs, which typically originate from the IDP repository. Policy allow rules are written as regular expressions that are matched against this session data.

Example Session:
'UserName=test.user@domain.com RemoteIP=68.203.82.29 RelayDomain=app1.oagwdev.2.domain.com firstName=Test lastName=User department=123 Groups=Test  Group:Test Admin  Group:Test Authorizer Group:Everyone:'

Note

The result of each policy evaluation is audited and can be viewed in the Monitoring menu of the Access Gateway Management Console.

For more information on regular expressions, or to test a policy expression against session data, use the Regex Expression Tool.

Policy Rules

Access Gateway uses Perl-Compatible Regular Expressions (PCRE) for Protected Rules.

Rules and their descriptions:

Protected: Access Gateway requires an authenticated user session.

Not Protected: Access Gateway does not enforce a user session. Note that headers are not passed to the application with Not Protected policies.

Protected Rule: Access Gateway requires a user session. The rule's regex is matched against the session data; if the expression matches, Access Gateway allows or denies access to the location according to the rule.

Adaptive Rule: Behavior is identical to Not Protected, but headers are also passed to the application.
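The following is an added example, not Okta's code or configuration, that models how the four rule types above combine location matching with a regex applied to the session string described in the Session Data section. It uses Python's re module in place of PCRE, simplifies location matching to a longest-prefix match, and constructs its own session strings (in the same key=value layout as the example session on this page) and a hypothetical policy for paths such as /admin and /hr. It also shows why a rule's expression should be anchored on the surrounding separators: an unanchored department=123 would also match a user in department 1234.

```python
import re
from typing import NamedTuple, Optional

# Constructed session strings in the same key=value layout as the example session on
# this page (the double spaces inside some group names are copied from that example).
SESSION_ADMIN = (
    "UserName=test.user@domain.com RemoteIP=68.203.82.29 "
    "RelayDomain=app1.oagwdev.2.domain.com firstName=Test lastName=User "
    "department=123 Groups=Test  Group:Test Admin  Group:Test Authorizer Group:Everyone:"
)
SESSION_OTHER = (
    "UserName=other.user@domain.com RemoteIP=68.203.82.30 "
    "RelayDomain=app1.oagwdev.2.domain.com firstName=Other lastName=User "
    "department=1234 Groups=Everyone:"
)


class Rule(NamedTuple):
    location: str                 # URI prefix; stands in for the location block on this page
    kind: str                     # protected | not_protected | protected_rule | adaptive
    regex: Optional[str] = None   # PCRE-style expression, used only by protected_rule


# Hypothetical policy for one application. Patterns are anchored on the surrounding
# whitespace / ':' separators so that "department=123" cannot match "department=1234"
# and a group name cannot match inside a longer group name.
POLICY = [
    Rule("/admin", "protected_rule", r"Groups=.*(^|[:\s])Test Admin\s+Group(:|$)"),
    Rule("/hr", "protected_rule", r"(^|\s)department=123(\s|$)"),
    Rule("/public", "not_protected"),
    Rule("/portal", "adaptive"),
    Rule("/", "protected"),
]


def match_location(uri: str, policy=POLICY) -> Optional[Rule]:
    """Pick the most specific (longest) location prefix that matches the request URI.
    This is a simplification of NGINX location matching, enough for the example."""
    best = None
    for rule in policy:
        if uri.startswith(rule.location) and (best is None or len(rule.location) > len(best.location)):
            best = rule
    return best


def evaluate(uri: str, session: Optional[str], policy=POLICY):
    """Return (decision, headers_passed) for one request.

    decision is 'allow', 'deny' or 'authenticate' (no session yet, so the user must
    log in first). headers_passed models the page's note that Not Protected locations
    receive no session headers while Adaptive ones do (when a session exists).
    """
    rule = match_location(uri, policy)
    if rule is None:
        return ("deny", False)
    if rule.kind == "not_protected":
        return ("allow", False)
    if rule.kind == "adaptive":
        return ("allow", session is not None)
    # Protected and Protected Rule both require an authenticated session first.
    if session is None:
        return ("authenticate", False)
    if rule.kind == "protected":
        return ("allow", True)
    if rule.kind == "protected_rule":
        matched = re.search(rule.regex, session) is not None
        return ("allow" if matched else "deny", True)
    raise ValueError(f"unknown rule kind: {rule.kind}")


def overmatch_example() -> bool:
    """Why anchoring matters: the unanchored expression 'department=123' also matches
    the department=1234 session, which the anchored rule in POLICY correctly rejects."""
    return re.search(r"department=123", SESSION_OTHER) is not None


if __name__ == "__main__":
    requests = [
        ("/admin/users", SESSION_ADMIN), ("/admin/users", SESSION_OTHER),
        ("/admin/users", None), ("/hr/payroll", SESSION_OTHER),
        ("/public/logo.png", None), ("/portal", SESSION_ADMIN),
    ]
    for uri, session in requests:
        print(uri, "session" if session else "no session", "->", evaluate(uri, session))
```

The Regex Expression Tool mentioned above is the place to try the same anchored patterns against a real session string before committing them to a policy; the over-match check in the block is the kind of negative case worth testing there as well.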

Tip

For more information, see the Perl-Compatible Regular Expression Guide.