Access control rules

You may need a layer of security that regulates which users or devices can view your domain’s content.

In Enterprise Application Access (EAA), you can create an access control rule to block or deny access to an application based on these criteria:

| Access control type | Description |
| --- | --- |
| URL | The web address or path requested by the end user. |
| Group | The group that a user belongs to. |
| User | The username assigned to the end user. |
| Method | An HTTP method such as GET, POST, PUT, DELETE, HEAD, OPTIONS, TRACE, CONNECT, or an Other method for any custom method that is used for the application. |
| Client IP | The IP address of the client that you want to restrict. |
| Country | The country where you want to prevent the end user from accessing the application. |
| Time | The days of the week and the exact times (based on time zone) that you want to restrict access. |
Note: This access control type is available with HTTP/HTTPS applications only.
Note: If you have access to Device Posture, you can also set device risk assessments with risk tiers, risk tags, and versions. See Configure device risk assessments.

For every rule you create, you select the access control type, an operator, and then define the values for the selected type. The operator, is or is not, determines whether the rule restricts the values you define or everything except them.

The following also applies to rules:
  • By default, access control rules are disabled for an application. You must enable the feature and then configure the rules and the criteria you require.
  • A rule can contain one criterion or multiple criteria. The criteria you provide in a rule are combined with an AND operator. For example, with the following criteria, the conditions are combined to block User A from accessing the application from 1 am to 2 am on a Saturday.

  • If multiple rules are created for an application, these rules are combined with the OR operator. This allows you to use the same control types in multiple expressions and ensure there is no conflict.

    For example, as shown in the figure, if User A attempts to access the application between 1 am and 2 am or 11 pm and 12 am EST on a Saturday, they are denied access.

  • Access control rules are not applied to an application until you deploy or redeploy the application.

When an end user is denied access as a result of an access control rule, an HTTP 403 Forbidden error message appears. See Application response codes, login events, and errors.
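
The evaluation order described above (AND within a rule, OR across rules, is / is not operators, rules off until enabled) can be checked with a small model. This is an added example, not EAA code or its API: the Criterion class, the function names, the fixed UTC-5 offset for EST, and the half-open time windows are all assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, time, timedelta, timezone

EST = timezone(timedelta(hours=-5))   # assumption: fixed offset, no DST handling
SATURDAY = 5                          # datetime.weekday(): Monday is 0

@dataclass(frozen=True)
class Criterion:                      # hypothetical model of one criterion
    kind: str                         # "user", "method", "country", "time", ...
    values: tuple                     # literals, or (weekday, start, end, tz) windows
    negate: bool = False              # False: operator "is"; True: operator "is not"

    def matches(self, request):
        if self.kind == "time":
            hit = any(in_window(request["when"], w) for w in self.values)
        else:
            hit = request[self.kind] in self.values
        return hit != self.negate

def in_window(when, window):
    weekday, start, end, tz = window
    local = when.astimezone(tz)       # compare in the rule's zone, not the client's
    # An end of 00:00 means "until midnight": no upper bound within that day.
    before_end = end == time(0, 0) or local.time() < end
    return local.weekday() == weekday and start <= local.time() and before_end

def evaluate(rules, request, enabled=False):
    """Return 403 if any rule matches, else None. Rules are off by default."""
    if not enabled:
        return None
    for rule in rules:                             # rules combine with OR
        if all(c.matches(request) for c in rule):  # criteria combine with AND
            return 403
    return None

# Constructed sample: the two User A rules from the text.
RULES = [
    [Criterion("user", ("User A",)),
     Criterion("time", ((SATURDAY, time(1, 0), time(2, 0), EST),))],
    [Criterion("user", ("User A",)),
     Criterion("time", ((SATURDAY, time(23, 0), time(0, 0), EST),))],
]

def req(user, when_utc):
    """Build a constructed request; timestamps are given in UTC."""
    return {"user": user, "when": when_utc.replace(tzinfo=timezone.utc)}

if __name__ == "__main__":
    print(evaluate(RULES, req("User A", datetime(2024, 6, 1, 6, 30)), enabled=True))
```

Request times are supplied in UTC so the model shows that a rule written in EST must be compared after conversion: 04:30 UTC on Sunday is still 11:30 pm Saturday in EST and is denied.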