Example Access Gateway policy
This topic provides examples of how to configure various policy access rules. You can configure these rules using the Policy Application Editor.
- Protected policy
- Protected rule policy
- Allow access to any authenticated user
- Allow access to any authenticated user in the IdP Everyone group
- Allow access without the need for authentication
- Allow access to specific users
- Allow access to specific groups
- Allow access to specific groups and users with multiple matches
- Deny access to specific groups
- Allow or deny access to a specific remote IP address
- Allow or deny access to a specific USER_AGENT
Protected policy
Field | Value |
---|---|
Enabled Policy | Enable or disable the policy. |
Policy Type | Select Protected or Not Protected. |
Name | A unique name for the policy. |
Resource Path | The path to the resource that you want this policy to manage. |
Description | An admin-friendly description. |
Protected rule policy
Field | Value |
---|---|
Resource Rule | Protected Rule. |
Name | A unique name for the policy. |
Resource Path | The path to the resource that you want this policy to manage. |
Resource Matching Rule | The regular expression that the request's attributes (for example UserName, Groups, RemoteIP, and USER_AGENT) must match for the rule to grant access. See Protected rule resource matching rule expressions for examples. |
Description | An admin-friendly description. |
Allow access to any authenticated user
This policy allows any authenticated user to access the root URL (/). It's the default rule.
Field | Value |
---|---|
Resource Rule | Protected Rule |
Resource Path | / |
Allow access to any authenticated user in the IdP Everyone group
If many apps need deep links that use the default authentication behavior, configure the policy to allow the IdP's Everyone group.
Field | Value |
---|---|
Resource Rule | Protected Rule |
Resource Path | /custom |
Resource Matching Rule | Groups=((?=(|.*:)Everyone(\R|:.*))) |
Allow access without the need for authentication
For URLs that everyone needs to access without the need to authenticate, set Resource Rule to Not Protected.
Field | Value |
---|---|
Resource Rule | Not Protected |
Resource Path | /public |
Allow access to specific users
Allow access to one user
If a specific user needs access to a URL, set the Resource Matching Rule Regex to the username. Escape the dots in the address (\.) so that they match only a literal dot. This example allows the user admin@domain.com to access the URL /uri2.
Field | Value |
---|---|
Resource Rule | Protected Rule |
Resource Path | /uri2 |
Resource Matching Rule | UserName=admin@domain\.com |
Allow access to multiple users
Use the vertical bar key (|) to separate the usernames, and wrap the alternatives in parentheses so that the alternation applies only to the part after UserName=. Without the parentheses, the second alternative is a bare substring match that a username such as nottest@domain.com would also satisfy. This example allows admin@domain.com and test@domain.com to access the URL.
Field | Value |
---|---|
Resource Rule | Protected Rule |
Resource Path | /uri2 |
Resource Matching Rule | UserName=(admin@domain\.com|test@domain\.com) |
Allow access to specific groups
Allow access to one group
If a specific group needs access to a URI, set the Resource Matching Rule Regex to the group name. The (|.*:) before the name and the (\R|:.*) after it require the name to be a complete entry in the colon-separated group list, so Admins doesn't match a group such as SuperAdmins. This example allows the Admins group to access the URI /uri3.
Field | Value |
---|---|
Resource Rule | Protected Rule |
Resource Path | /uri3 |
Resource Matching Rule | Groups=((?=(|.*:)Admins(\R|:.*))) |
Allow access to one group or another
Use the vertical bar key (|) to separate the group names. This is an OR condition. This example allows the Admins OR Managers groups to access the URI. Because alternation binds loosest, only the first alternative is tied to Groups=; the second matches Managers after a colon anywhere in the evaluated attributes. If you need both alternatives scoped to the group list, put the vertical bar inside the outer parentheses after Groups=.
Field | Value |
---|---|
Resource Rule | Protected Rule |
Resource Path | /uri3 |
Resource Matching Rule | Groups=((?=(|.*:)Admins(\R|:.*)))|((?=(|.*:)Managers(\R|:.*))) |
Allow access to multiple groups
Concatenate the two lookaheads for an AND condition. This example allows only users who are in both the Admins AND Managers groups to access the URI. Notice that there's no vertical bar key (|) separating the group names.
Field | Value |
---|---|
Resource Rule | Protected Rule |
Resource Path | /uri3 |
Resource Matching Rule | Groups=((?=(|.*:)Admins(\R|:.*)))((?=(|.*:)Managers(\R|:.*))) |
Allow access to specific groups and users with multiple matches
If a specific group and user need access to a URI, combine two lookaheads in the Resource Matching Rule Regex, one for the group name and one for the username. Both must match the same request, so this example allows the user ImaIT@domain.tld to access the URI only when that user is also a member of the Admin group. Other members of Admin aren't matched, and neither is ImaIT@domain.tld without Admin membership.
Field | Value |
---|---|
Resource Rule | Protected Rule |
Resource Path | /uri3 |
Resource Matching Rule | (?=.*Groups=((?=(|.*:)Admin(\R|:.*))))(?=.*UserName=ImaIT@domain\.tld) |
Deny access to specific groups
To allow access to a URI to everyone except those in a certain group, set the Resource Matching Rule Regex to a negative lookahead (?!...) on the group name. This example allows users in any group except those in the DeniedGroup group.
Field | Value |
---|---|
Resource Rule | Protected Rule |
Resource Path | /uri3 |
Resource Matching Rule | Groups=((?!(|.*:)DeniedGroup(\R|:.*))) |
This example sets the Resource Matching Rule option to multiple constraints: the user must be in the Admins group and must not be denieduser@domain.tld. Members of Admins are allowed to access the URI, except anyone with UserName=denieduser@domain.tld.
Field | Value |
---|---|
Resource Rule | Protected Rule |
Resource Path | /uri3 |
Resource Matching Rule | (?=.*Groups=((?=(|.*:)Admins(\R|:.*))))(?=.*UserName=(?!denieduser@domain\.tld)) |
Allow or deny access to a specific remote IP address
Allow access to one remote IP address
Set the Resource Matching Rule Regex to the remote IP address, escaping the dots so that they match literally. This example allows the remote IP address 192.168.10.189 to access the URI. These rules are only as reliable as the address the gateway sees: if a load balancer or proxy sits in front of the gateway, verify that the gateway sees the original client address rather than the proxy's before relying on them.
Field | Value |
---|---|
Resource Rule | Protected Rule |
Resource Path | /uri4 |
Resource Matching Rule | RemoteIP=(?=192\.168\.10\.189) |
Allow access to a range of remote IP addresses
Set the Resource Matching Rule Regex to a pattern that covers a range of remote IP addresses. This example allows remote IP addresses within the range of 192.168.10.200 to 192.168.10.250 to access the URI: the last octet is 2 followed by 00 through 49, or 50.
Field | Value |
---|---|
Resource Rule | Protected Rule |
Resource Path | /uri4 |
Resource Matching Rule | RemoteIP=(?=192\.168\.10\.2([0-4][0-9]|50)) |
Deny access to one remote IP address
Set the Resource Matching Rule Regex to a negative lookahead on the remote IP address. This example denies access to the URI for the remote IP address 192.168.10.209.
Field | Value |
---|---|
Resource Rule | Protected Rule |
Resource Path | /uri4 |
Resource Matching Rule | RemoteIP=(?!192\.168\.10\.209) |
Deny access to a range of remote IP addresses
Set the Resource Matching Rule Regex to apply to a range of remote IP addresses. This example denies access to the URI for remote IP addresses in the range of 192.168.10.100 to 192.168.10.200.
Field | Value |
---|---|
Resource Rule | Protected Rule |
Resource Path | /uri4 |
Resource Matching Rule | RemoteIP=(?!192\.168\.10\.(1([0-9][0-9])|200)) |
Allow or deny access to a specific USER_AGENT
You can use a combination of allow and deny settings to restrict which browsers users can use to access specific resources. The User-Agent header is chosen by the client and is trivial to change, so treat these rules as a compatibility filter, not as an access control, and combine them with the authentication and group rules above.
Allow access to a specific USER_AGENT
To restrict access to a URI to a specific USER_AGENT (browser), set the Resource Matching Rule Regex to a string that the USER_AGENT must contain. This example allows access to the URI only from a USER_AGENT that contains Chrome. Other Chromium-based browsers, such as Microsoft Edge, also send the Chrome token, so they match too.
Field | Value |
---|---|
Resource Rule | Protected Rule |
Resource Path | /uri5 |
Resource Matching Rule | USER_AGENT=(?=.*Chrome) |
Deny access to a specific USER_AGENT
To prevent users from using a specific browser to access a URI, set the Resource Matching Rule Regex to a negative lookahead on the USER_AGENT. This example blocks any USER_AGENT that contains Chrome (Google Chrome and, because they send the same token, other Chromium-based browsers such as Microsoft Edge), which means users must use a different browser.
Field | Value |
---|---|
Resource Rule | Protected Rule |
Resource Path | /uri5 |
Resource Matching Rule | USER_AGENT=(?!.*Chrome) |
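The rules in the group, user, remote IP, and USER_AGENT sections above are plain regular expressions, so they can be checked offline before they go into the Policy Application Editor. The following Ruby script is an added example, not Okta's code and not part of the original page. It assumes, because the page doesn't document it, that the gateway evaluates a rule against a block of Key=Value lines with colon-separated Groups and lets . cross line breaks; the sessions, usernames, group names, and addresses are constructed for the example. Ruby is used because its regex engine understands the \R line-break escape that the rules rely on.

```ruby
# Added example (not Okta's code): an offline harness for checking Access
# Gateway style Resource Matching Rule regexes against sample sessions.
#
# ASSUMPTION: the gateway evaluates a rule against a text block of
# "Key=Value" lines, with Groups colon-separated, and lets "." match across
# line breaks. Confirm this against a test application on your own gateway
# version before relying on a rule written this way.

ATTR_ORDER = %w[RemoteIP USER_AGENT UserName Groups].freeze

# Render a session's attributes in the assumed Key=Value form, one per line,
# with a trailing line break so that "\R" can match after the last group.
def attribute_text(attrs)
  ATTR_ORDER.map { |key| "#{key}=#{attrs.fetch(key, '')}" }.join("\n") + "\n"
end

# Evaluate one matching rule against one session. Ruby's MULTILINE option is
# what other engines call DOTALL: "." also matches a newline.
def rule_allows?(rule, attrs)
  Regexp.new(rule, Regexp::MULTILINE).match?(attribute_text(attrs))
end

# Constructed sample sessions (made-up users, groups, and addresses).
CHROME  = 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36'
FIREFOX = 'Mozilla/5.0 (X11; Linux x86_64; rv:121.0) Gecko/20100101 Firefox/121.0'
EDGE    = "#{CHROME} Edg/120.0.0.0" # Chromium-based Edge keeps the Chrome token
SAFARI  = 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.2 Safari/605.1.15'

SESSIONS = {
  admin_chrome:  { 'UserName' => 'admin@domain.com', 'Groups' => 'Everyone:Admins',
                   'RemoteIP' => '192.168.10.189', 'USER_AGENT' => CHROME },
  manager_ff:    { 'UserName' => 'test@domain.com', 'Groups' => 'Everyone:Managers',
                   'RemoteIP' => '192.168.10.210', 'USER_AGENT' => FIREFOX },
  both_edge:     { 'UserName' => 'ImaIT@domain.tld', 'Groups' => 'Admins:Managers:Admin',
                   'RemoteIP' => '192.168.10.250', 'USER_AGENT' => EDGE },
  contractor_ff: { 'UserName' => 'contractor@partner.example', 'Groups' => 'Everyone',
                   'RemoteIP' => '192.168.10.150', 'USER_AGENT' => FIREFOX },
  denied:        { 'UserName' => 'denieduser@domain.tld', 'Groups' => 'Everyone:Admins:DeniedGroup',
                   'RemoteIP' => '192.168.10.209', 'USER_AGENT' => SAFARI },
}.freeze

# The rules from this page, single-quoted so \R and \. reach the engine as written.
RULES = {
  everyone:             'Groups=((?=(|.*:)Everyone(\R|:.*)))',
  admins_only:          'Groups=((?=(|.*:)Admins(\R|:.*)))',
  admins_or_managers:   'Groups=((?=(|.*:)Admins(\R|:.*)))|((?=(|.*:)Managers(\R|:.*)))',
  admins_and_managers:  'Groups=((?=(|.*:)Admins(\R|:.*)))((?=(|.*:)Managers(\R|:.*)))',
  admin_group_and_user: '(?=.*Groups=((?=(|.*:)Admin(\R|:.*))))(?=.*UserName=ImaIT@domain\.tld)',
  not_denied_group:     'Groups=((?!(|.*:)DeniedGroup(\R|:.*)))',
  admins_minus_user:    '(?=.*Groups=((?=(|.*:)Admins(\R|:.*))))(?=.*UserName=(?!denieduser@domain\.tld))',
  ip_allow_200_250:     'RemoteIP=(?=192\.168\.10\.2([0-4][0-9]|50))',
  ip_deny_100_200:      'RemoteIP=(?!192\.168\.10\.(1([0-9][0-9])|200))',
  chrome_only:          'USER_AGENT=(?=.*Chrome)',
}.freeze

# Map each rule to the sessions it lets through.
def evaluate_all
  RULES.map { |name, rule| [name, SESSIONS.keys.select { |s| rule_allows?(rule, SESSIONS[s]) }] }.to_h
end

# Why the multi-user rule needs parentheses: without them the second
# alternative is a bare substring match, so nottest@domain.com slips through.
def multi_user_rule_results
  imposter = SESSIONS[:contractor_ff].merge('UserName' => 'nottest@domain.com')
  { grouped:   rule_allows?('UserName=(admin@domain\.com|test@domain\.com)', imposter),
    ungrouped: rule_allows?('UserName=admin@domain\.com|test@domain\.com', imposter) }
end

# The User-Agent is whatever the client chooses to send, so a UA rule is a
# compatibility filter, not an access control: a curl request that appends
# the word Chrome satisfies the "Chrome only" rule.
def ua_rule_spoofable?
  curl = SESSIONS[:contractor_ff].merge('USER_AGENT' => 'curl/8.5.0 Chrome')
  rule_allows?(RULES[:chrome_only], curl)
end

if __FILE__ == $PROGRAM_NAME
  evaluate_all.each { |name, allowed| puts format('%-22s -> %s', name, allowed.join(', ')) }
  puts "multi-user rule: #{multi_user_rule_results}"
  puts "UA rule spoofable: #{ua_rule_spoofable?}"
end
```

Run it with ruby to print which sample sessions each rule admits. Three things it makes visible that the tables alone don't: concatenated lookaheads are an AND, while a top-level vertical bar is an OR whose second alternative isn't scoped to Groups=; the negative-lookahead rules admit everyone except the named group, user, or address; and the Chrome rule admits Chromium-based Edge and a curl request that merely includes the word Chrome, while under the assumed layout its .* can also run into later attributes. Test any rule against your gateway's real attribute format before deploying it.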