Access control rules

The IT administrator can select the Access control option in an EAA application to deny access to all users, like a blacklist access model. You may need a layer of security that regulates which users or groups can view your domain’s content. See Create and edit access control rules for more information.

In EAA Client, you can create an access control rule to block or deny access to an application or multiple applications based on these criteria:

Access control rules
Access control type Description
URL The web address or path requested by the user.
Group The group that a user belongs to.
User The username assigned to the end user
Method An HTTP method such as GET, POST, PUT, DELETE, HEAD, OPTIONS, TRACE, CONNECT, or an other custom method that is used for the application.
Client IP The IP address of the client that you want to restrict.
Country The country where you want to prevent the end user from accessing the application.
Time The days of the week and the exact times (based on time zone) that you want to restrict access.
Note: This access control type is available with HTTP/HTTPS applications only.
App Host The hostname of the application server. Applies to tunnel-type client-access applications only.
App Port The port number of the application server. Applies to tunnel-type client-access applications only.
App Protocol Select TCP or UDP protocol. Applies to tunnel-type client-access applications only.
Note: For limitation of access control rules, see Access control list limitations

For every rule you create, you select the access control type, an operator, and define the values for the selected type. You can choose whether an operator is or is not is restricted as a control type.

By default, access control rules are disabled for an application. All users can access an application. You must enable the feature and then configure the rules and criteria you require.

For tunnel-type client-access applications, there may be multiple applications within the domain. For example, the IT administrator may want to deny access to UDP applications for the finance team. The rule would be set as:


Access control rules are not applied to an application until you deploy or redeploy the application.