Example Access Gateway policy

This topic provides examples on how to configure various policy access rules. You can configure these rules using the Policy Application Editor.

Protected policy

Field Value
Enabled Policy Enable or disable the policy.
Policy Type Select Protected or Not Protected.
Name A unique name for the policy.
Resource Path The path to the resource that you want this policy to manage.
Description An admin-friendly description.

Protected rule policy

Field Value
Resource Rule Protected Rule.
Name A unique name for the policy.
Resource Path The path to the resource that you want this policy to manage.
Resource Matching Rule This field allows you to define the regular expression for the policy. See Protected Rule resource-matching rule expressions for examples.
Description An admin-friendly description.

Allow access to any authenticated user

This policy allows any authenticated user to access the root URL (/). It's the default rule.

Field Value
Resource Rule Protected Rule
Resource Path /

Allow access to any authenticated user in the IdP Everyone group

If many apps need a deep link to use the default authentication behavior, configure the policy to allow the Everyone group.

Field Value
Resource Rule Protected Rule
Resource Path /custom
Resource Matching Rule Groups=((?=(|.:)Everyone(R|:.*)))

Allow access without the need for authentication

For URLs that everyone needs to access without the need to authenticate, set Resource Rule to Not Protected.

Field Value
Resource Rule Not Protected
Resource Path /public

Allow access to specific users

Allow access to one user

If a specific user needs access to a URL, set the Resource Matching Rule Regex to the username. This example allows the user admin@domain.com to access the URL /uri2.

Field Value
Resource Rule Protected Rule
Resource Path /uri2
Resource Matching Rule UserName=admin@domain.com

All access to multiple users

Use the vertical bar key (|) to separate the usernames. This example allows admin@domain.com and test@domain.com to access the URL.

Field Value
Resource Rule Protected Rule
Resource Path /uri2
Resource Matching Rule UserName=admin@domain.com | test@domain.com

Allow access to specific groups

Allow access to one group

If a specific group needs access to a URI, set the Resource Matching Rule Regex to the group name. This example allows the Admins group to access to the URI /uri3.

Field Value
Resource Rule Protected Rule
Resource Path /uri3
Resource Matching Rule Groups=((?=(|.*:)Admins(\R|:.*)))

Allow access to one group or another

Use the vertical bar key (|) to separate the group names. This is an OR condition. This example allows the Admins OR Managers groups to access the URI.

Field Value
Resource Rule Protected Rule
Resource Path /uri3
Resource Matching Rule Groups=((?=(|.*:)Admins(\R|:.*)))|((?=(|.*:)Managers(\R|:.*)))

Allow access to multiple groups

Use an AND condition. This example allows the Admin AND Managers groups to access the URI. Notice that there's no vertical bar key (|) that separates the group names.

Field Value
Resource Rule Protected Rule
Resource Path /uri3
Resource Matching Rule Groups=((?=(|.*:)Admins(\R|:.*)))((?=(|.*:)Managers(\R|:.*)))

Allow access to specific groups and users with multiple matches

If a specific group and user need access to a URI, set the Resource Matching Rule Regex to the group name and the username. This example allows the Admin group AND the IamIT@domain.tld user to access the URI.

Field Value
Resource Rule Protected Rule
Resource Path /uri3
Resource Matching Rule (?=.*Groups=((?=(|.*:)Admin(\R|:.*))))(?=.*UserName=ImaIT@domain\.tld)

Deny access to specific groups

To allow access to a URI to everyone except those in a certain group, set the Resource Matching Rule Regex to the group name. This example allows users in any group except those in the DeniedGroup group.

Field Value
Resource Rule Protected Rule
Resource Path /uri3
Resource Matching Rule Groups=((?!(|.*:)DeniedGroup(\R|:.*)))

This example sets the Resource Matching Rule option to multiple constraints. If the Admins group contains anyone with UserName=denied@domain.tld, they aren't allowed to access the URI.

Field Value
Resource Rule Protected Rule
Resource Path /uri3
Resource Matching Rule (?=.*Groups=((?=(|.*:)Admins(\R|:.*))))(?=.*UserName=(?!denieduser@domain\.tld))

Allow or deny access to a specific remote IP address

Allow access to one remote IP address

Set the Resource Matching Rule Regex to the remote IP address. This example allows the remote IP address 192.168.10.189 to access the URI.

Field Value
Resource Rule Protected Rule
Resource Path /uri4
Resource Matching Rule RemoteIP=(?=192\.168\.10\.189)

Allow access to a range of remote IP addresses

Set the Resource Matching Rule Regex to apply to a range of remote IP addresses. This example allows remote IP addresses within the range of 192.168.10.200 to 192.168.10.250 to access the URI.

Field Value
Resource Rule Protected Rule
Resource Path /uri4
Resource Matching Rule RemoteIP=(?=192\.168.10.2([0-4][0-9]|50))

Deny access to one remote IP address

Set the Resource Matching Rule Regex to the remote IP address. This example denies access to the URI for the remote IP address 192.168.10.209.

Field Value
Resource Rule Protected Rule
Resource Path /uri4
Resource Matching Rule RemoteIP=(?!192.168.10.209)

Deny access to a range of remote IP addresses

Set the Resource Matching Rule Regex to apply to a range of remote IP addresses. This example denies access to the URI for remote IP addresses in the range of 192.168.10.100 to 192.168.10.200.

Field Value
Resource Rule Protected Rule
Resource Path /uri4
Resource Matching Rule RemoteIP=(?!192\.168\.10\.(1([0-9][0-9])|200))

Allow or deny access to a specific USER_AGENT

You can control which browsers your users can use to access specific resources using a combination of allow and deny settings.

Allow access to a specific USER_AGENT

To restrict access to a URI to a specific USER_AGENT (browser), set the Resource Matching Rule Regex to the USER_AGENT. This example allows the USER_AGENT to only access the URI using Google Chrome.

Field Value
Resource Rule Protected Rule
Resource Path /uri5
Resource Matching Rule USER_AGENT=(?=.*Chrome)

Deny access to a specific USER_AGENT

To deny users from using a specific browser to access a URI, set the Resource Matching Rule Regex to the USER_AGENT. This example blocks users from using Google Chrome to access a URI, which means they must use a different browser.

Field Value
Resource Rule Protected Rule
Resource Path /uri5
Resource Matching Rule USER_AGENT=(?!.*Chrome)