Protected rule resource matching rule expressions
Protected Policy rules require a resource matching rule to determine if an end user matches a rule. Resource matching rules are based on regular expression which can be very complex.
Access Gateway provides a set of menu items with common baseline expressions, which can be selected and then modified to meet a specific need.
Modifying a protected rule based on a provided expression
To modify a protected rule:
- Navigate to the Access Gateway Admin UI console.
-
Select the Applications tab.
-
Select an application that contains an existing or needs a new protected rule and click Edit.
- Select the Policies sub-tab.
- Select an existing Protected Rule and click edit.
Alternatively create a new Protected Rule.
For details of adding a new Protected Rule see Manage application policy. - Click the policy menu and select one of the Predefined policies, then click Use this.
- Modify the policy as required.
Predefined policies
The following predefined policies are provided:
| Policy | Description |
|---|---|
| Allow Group | Allows access to the given resource if the end user is a member of the single specified group. Example: Groups=((?=(|.:)Everyone(R|:.*))) |
| Deny Group | Denies access to the given resource if the end user is a member of the single specified group. Example: Groups=((?!(|.*:)Everyone(\R|:.*))) |
| Allow RemoteIP | Allows access to the given resource if the end users IP matches the provided regular expression. Example: RemoteIP=(?=192\..*) |
| Deny RemoteIP | Denies access to the given resource if the end users IP matches the provided regular expression. Example: RemoteIP=(?!192\..*) |
| Allow OR Groups | Allow access to resource if user has group membership to one OR another group. Example: Groups=((?=(|.*:)Everyone(\R|:.*)))|((?=(|.*:)Group2(\R|:.*))) |
| Allow AND Groups | Allow access to resource if user has group membership to one AND another group. Example: Groups=((?=(|.*:)Everyone(\R|:.*)))((?=(|.*:)Group2(\R|:.*))) |
|
Allow User |
Allow access to resource if UserName matches. |
|
Deny User |
Deny access to resource if UserName matches. |
|
Allow Group AND User |
Allow access to resource if user has group membership AND UserName matches. |
|
Allow Group AND Deny User |
Allow access to resource if user has group membership AND UserName is not matches. |
Once selected the expression can be modified to meet a specific need.
Resource Matching Rule fields
Resource matching rules are regular expressions based on application attributes. Predefined polices use attributes such as Groups, UserName and RemoteIP . Any application attribute can be used in a resource matching rule. Common attribute mappings include:
| Data Source | Field | Name |
|---|---|---|
| IDP | Groups | Groups |
| IDP | UserName | |
|
IDP |
login |
login |
| Provided and not required to be defined as attributes. | RemoteIP
USER_AGENT |
|
Note
Attributes used exclusively in resource matching rules should be Send Attribute disabled. 