Access policies
Policies let you control access to an app URL. You can allow or deny access to individual users or groups and configure custom access in advanced configurations.
App policies inherit the original group specified in the app's Essentials tab. Access Gateway checks this group setting before applying an access policy to an app's URI and allows or denies access to the app accordingly. See Application essentials.
Policy composition
Policy is composed of three elements:
- Resources - The elements of an application where a policy is applied.
- Session Data - The application data used to assist making policy decisions.
- Policy Rules - A set of rules combining resources and session data and determining access rights.
Resources
Policies are meant to protect resources, and resources are typically defined as application URLs. Access Gateway resources can use patterns to match dynamic or expressive application URLs, and the match can be refined with the usual NGINX location semantics (exact, prefix, or regular-expression matching).
Access Gateway implements resource matching with NGINX location matching. A policy takes the following general form:
```
location <URL matching pattern> {
    # rule comment
    <policy rule> 'REGEX' (matched against session data);
}
```
See NGINX Module Guide.
Session Data
Access Gateway creates a server-side session after it authenticates a user. The session is transitory: it exists only for the duration of the user's session. The session holds key/value pairs, which typically originate from the IDP repository. Protected Rule regular expressions are matched against this session data when you construct allow rules.
Example session:
```
UserName=test.user@domain.com RemoteIP=68.203.82.29 RelayDomain=app1.oagwdev.2.domain.com firstName=Test lastName=User department=123 Groups=Test Group:Test Admin Group:Test Authorizer Group:Everyone:
```
The result of each policy evaluation is audited and can be viewed in the monitoring menu of the Access Gateway Management console.
Use the Regex Expression Tool to learn more about regular expressions or to test a policy expression against session data.
Policy Rules
Access Gateway uses Perl-Compatible Regular Expressions (PCRE) for Protected Rules.
Rule | Description
---|---
Protected | Access Gateway requires an authenticated user session.
Not Protected | Access Gateway doesn't enforce a user session. Headers are not passed to the application with Not Protected policies.
Protected Rule | Access Gateway requires a user session and matches the rule's regular expression against the session data. If the expression is found, Access Gateway allows or denies access to the location, according to the rule.
Adaptive Rule | Behaves like Not Protected but also passes headers to the application.
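Because a Protected Rule is a regex search over the flat session string, an unanchored pattern matches any substring, so a group-membership rule written as just the group name can over-match. The following Python script is an added example (not Access Gateway code and not from this page): it parses two constructed session strings in the format shown above (the second user, in a group named "Test Group Readers", is invented for this example), models a Protected Rule as a regex search, and contrasts a naive pattern with one anchored on the `Groups=`/`:` delimiters. Python's `re` stands in for PCRE here; the patterns used behave the same in both engines.

```python
import re

# Constructed session strings in the flat "key=value key=value" form the page
# shows (not captured from a real Access Gateway). Group names are separated
# by ':' and the list ends with a trailing ':'.
SESSION_ADMIN = (
    "UserName=test.user@domain.com RemoteIP=68.203.82.29 "
    "RelayDomain=app1.oagwdev.2.domain.com firstName=Test lastName=User "
    "department=123 Groups=Test Group:Test Admin Group:Test Authorizer Group:Everyone:"
)
# Second constructed user: member of "Test Group Readers" but NOT of "Test Group".
SESSION_READER = (
    "UserName=reader@domain.com RemoteIP=10.0.0.7 "
    "RelayDomain=app1.oagwdev.2.domain.com firstName=Read lastName=Only "
    "department=456 Groups=Test Group Readers:Everyone:"
)

# A value runs until the next " key=" boundary (or end of string), because
# group names contain spaces and cannot be split on whitespace.
_KV = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")


def parse_session(session: str) -> dict:
    """Split the flat session string into a key/value dict."""
    return {k: v for k, v in _KV.findall(session)}


def groups(session: str) -> list:
    """Return the group names from the Groups value, dropping the empty
    element produced by the trailing ':'."""
    return [g for g in parse_session(session).get("Groups", "").split(":") if g]


def protected_rule(pattern: str, session: str) -> bool:
    """Model a Protected Rule: the rule fires when the regex is found
    anywhere in the session string (re.search, not re.fullmatch)."""
    return re.search(pattern, session) is not None


def group_rule(group_name: str) -> str:
    """Build a Protected Rule regex that matches exactly one group name.
    The name must follow 'Groups=' (optionally after other ':'-terminated
    names) and be followed by ':', so 'Test Group' cannot match inside
    'Test Group Readers'. [^=] keeps the optional prefix from running into
    a later key=value pair."""
    return r"Groups=(?:[^=]*:)?" + re.escape(group_name) + ":"


NAIVE_RULE = r"Test Group"            # bare substring: over-matches
STRICT_RULE = group_rule("Test Group")  # delimiter-anchored: exact group


if __name__ == "__main__":
    for name, session in (("admin", SESSION_ADMIN), ("reader", SESSION_READER)):
        print(name, groups(session))
        print("  naive :", protected_rule(NAIVE_RULE, session))
        print("  strict:", protected_rule(STRICT_RULE, session))
```

Running the script shows the naive rule granting the reader access it should not have, while the anchored rule only fires for the admin user. The same anchoring idea applies to other keys: match `department=123 ` with its trailing delimiter rather than `123` alone, which would also hit an IP address or a group name containing those digits.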