Protected rule resource matching rule expressions

Protected Policy rules require a resource matching rule to determine whether an end user matches the rule. Resource matching rules are based on regular expressions, which can be very complex.

Access Gateway provides a set of menu items with common baseline expressions, which can be selected and then modified to meet a specific need.

Modifying a protected rule based on a provided expression

To modify a protected rule:

  1. Navigate to the Access Gateway Admin UI console.
  2. Select the Applications tab.
  3. Select an application that contains an existing protected rule, or that needs a new one, and click Edit.
  4. Select the Policies sub-tab.
  5. Select an existing Protected Rule and click edit.
     Alternatively, create a new Protected Rule.
     For details on adding a new Protected Rule, see Managing Application Policy.
  6. Click the policy menu, select one of the Predefined policies, then click Use this.
  7. Modify the policy as required.

Predefined policies

The following predefined policies are provided:

Allow Group

Allows access to the given resource if the end user is a member of the single specified group.
Example: Groups=(?=.*Everyone:)

Deny Group

Denies access to the given resource if the end user is a member of the single specified group.
Example: Groups=(?!.*Everyone:)

Allow RemoteIP

Allows access to the given resource if the end user's IP address matches the provided regular expression.
Example: RemoteIP=(?=192\..*)

Deny RemoteIP

Denies access to the given resource if the end user's IP address matches the provided regular expression.
Example: RemoteIP=(?!192\..*)

Allow OR Groups

Allows access to the resource if the user is a member of one group OR another group.
Example: Groups=(?=.*Everyone:)|(?=.*Group2:)

Allow AND Groups

Allows access to the resource if the user is a member of one group AND another group.
Example: Groups=(?=.*Everyone:)(?=.*Group2:)

Allow User

Allows access to the resource if UserName matches.
Example: UserName=user@example.com

Deny User

Denies access to the resource if UserName matches.
Example: UserName=(?!test@example.com)

Allow Group AND User

Allows access to the resource if the user has the group membership AND UserName matches.
Example: (?=.*Groups=(?=.*Everyone:))(?=.*UserName=user1@domain.tld)

Allow Group AND Deny User

Allows access to the resource if the user has the group membership AND UserName does not match.
Example: (?=.*Groups=.*Everyone:)(?=.*UserName=(?!user3@domain.tld))

Once selected, the expression can be modified to meet a specific need.
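The following Python is an added example, not code from Okta or from this page: it evaluates the predefined expressions listed above against constructed sets of user attributes, so you can check what each lookahead actually matches before using it in a rule. The one-line "Field=value" rendering of the attributes, the space separator, and the unanchored search are assumptions made for the example; Access Gateway's internal matching format is not documented on this page.

```python
import re

# Predefined resource matching rule expressions as listed on this page.
RULES = {
    "allow_group":           r"Groups=(?=.*Everyone:)",
    "deny_group":            r"Groups=(?!.*Everyone:)",
    "allow_remote_ip":       r"RemoteIP=(?=192\..*)",
    "deny_remote_ip":        r"RemoteIP=(?!192\..*)",
    "allow_or_groups":       r"Groups=(?=.*Everyone:)|(?=.*Group2:)",
    "allow_and_groups":      r"Groups=(?=.*Everyone:)(?=.*Group2:)",
    "allow_group_and_user":  r"(?=.*Groups=(?=.*Everyone:))(?=.*UserName=user1@domain.tld)",
    "allow_group_deny_user": r"(?=.*Groups=.*Everyone:)(?=.*UserName=(?!user3@domain.tld))",
}

def attribute_string(attrs):
    """Assumed rendering of the attributes a rule is matched against:
    'Field=value' pairs separated by spaces, groups as colon-terminated names.
    This format is an assumption for the example, not the gateway's own."""
    return " ".join(f"{name}={value}" for name, value in attrs.items())

def rule_matches(expression, attrs):
    """True if the rule expression matches the user's attributes.
    Assumes an unanchored search, consistent with the page's examples
    carrying no ^ or $ anchors."""
    return re.search(expression, attribute_string(attrs)) is not None

def evaluate_rules(attrs):
    """Evaluate every predefined rule against one user's attributes."""
    return {name: rule_matches(expr, attrs) for name, expr in RULES.items()}

# Constructed sample users (not from the page).
USER1 = {"Groups": "Everyone:Group2:", "UserName": "user1@domain.tld", "RemoteIP": "192.168.1.10"}
USER3 = {"Groups": "Everyone:", "UserName": "user3@domain.tld", "RemoteIP": "10.0.0.5"}
GROUP2_ONLY = {"Groups": "Group2:", "UserName": "user2@domain.tld", "RemoteIP": "192.0.2.7"}

# Regex precedence caveat: in "Groups=(?=.*Everyone:)|(?=.*Group2:)" the
# alternation splits the whole pattern, so the second branch is a bare
# lookahead not tied to "Groups=". It matches "Group2:" appearing in any
# attribute, which is broader than "member of Group2".
LOOSE_MATCH = {"Groups": "Staff:", "UserName": "user4@domain.tld", "Department": "Group2:"}

if __name__ == "__main__":
    for label, user in [("user1", USER1), ("user3", USER3), ("group2_only", GROUP2_ONLY)]:
        print(label, evaluate_rules(user))
    print("loose OR match:", rule_matches(RULES["allow_or_groups"], LOOSE_MATCH))
```

When modifying a predefined expression, wrap the alternation in a group or anchor the rule if you need the OR to apply only inside the Groups value.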

Resource Matching Rule fields

Resource matching rules are regular expressions based on application attributes. Predefined policies use attributes such as Groups, UserName and RemoteIP. Any application attribute can be used in a resource matching rule. Common attribute mappings include:

Data Source                                                Field    Name
IDP                                                        Groups   Groups
IDP                                                        email    UserName
IDP                                                        login    login
Provided; not required to be defined as attributes.                 RemoteIP
Provided; not required to be defined as attributes.                 USER_AGENT
Note

Attributes used exclusively in resource matching rules should have Send Attribute disabled.

Related topics

Example Access Gateway policy

Managing Application Policy