Policy Examples

  • Updated on Sep 27, 2022

Overview

To help you understand how to create and manage policies, we’ve created examples of common use cases in our product. Please refer to our Manage Policies documentation for explanations of each setting within the policies.

Web Policy Examples

Web policies define user access to hosted websites based on roles, Trust Level, and website endpoints (Layer 7 networking) through an Access Tier.

Use Case: Limiting Hosted Website use based on user-defined attributes

“As an admin, I have been asked to limit the use of a Hosted Website’s admin and login pages based on attributes, defined by the Roles created in the Command Center.”

The request is as follows:

  • users with the Role AdminsCorpDevice and a High Trust Level are able to access admin and login pages
  • users with the Role UserRegisteredDevice are allowed to access the website, if, and only if, their devices maintain a High Trust Level. They will, however, be unable to access admin and login endpoints.
  • users with the Role ContractorsAnyDevice are allowed to access the website, if, and only if, their devices maintain a High Trust Level. They will, however, be unable to access admin and login endpoints.

Here is a configuration of the Web Policy that will deliver the above requirements:

(1) Navigate from Secure Access > Policies, and then select + Create Policy.

(2) Select the Web Policy template.

(3) Under Policy Details, configure the Policy Name and Description.

(4) Configure two Access Groups:

Access Group #1:

(i) Select the Role(s) named UsersRegisteredDevice and ContractorsAnyDevice for web access.

(ii) Select High Trust levels only as the Trust Level.

(iii) Configure two Rules:

Rule 1:

(a) Under ‘Action(s)’, select ‘*’ to allow all actions.

(b) Under ‘Resource(s)’, select ‘*’ to allow access to all resources.

Rule 2:

(a) Under ‘Action(s)’, select ‘*’ to allow all actions.

(b) Under ‘Resource(s)’, configure ‘!wp-admin*’ AND ‘!wp-login’ to allow access to all pages, except the admin and login pages.

Access Group #2:

(i) Select the Role named AdminsCorpDevice for web access.

(ii) Select High Trust levels only as the Trust Level.

(iii) Configure the following Rule:

Rule 1:

(a) Under ‘Action(s)’, select ‘*’ to allow all actions.

(b) Under ‘Resource(s)’, configure ‘*’ to allow access to all resources.

(5) Select Create Policy.
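To see how the two Access Groups above combine, here is an added Python model of this Web Policy (example code written for this page, not the product's own evaluator). It assumes that resource patterns are shell-style globs matched against the request path without its leading ‘/’, that a pattern starting with ‘!’ is a negation, that patterns within one Rule are ANDed, and that a request is allowed when any Access Group covering the user's Role and Trust Level has a matching Rule; the Trust Level labels Low/Medium/High and their ordering are assumed.

```python
from fnmatch import fnmatchcase

# Trust Levels in rank order (assumed labels; the page uses Medium and High).
TRUST_RANK = {"Low": 0, "Medium": 1, "High": 2}

# Web policy modelled on the page: each Access Group lists Roles, a minimum
# Trust Level and Rules; a Rule holds action patterns and resource patterns.
# A pattern beginning with '!' must NOT match (negation); patterns are
# shell-style globs matched against the request path without its leading '/'.
WEB_POLICY = [
    {   # Access Group #1: site access, admin and login pages excluded
        "roles": {"UsersRegisteredDevice", "ContractorsAnyDevice"},
        "min_trust": "High",
        "rules": [{"actions": ["*"], "resources": ["!wp-admin*", "!wp-login"]}],
    },
    {   # Access Group #2: full access for admins on corporate devices
        "roles": {"AdminsCorpDevice"},
        "min_trust": "High",
        "rules": [{"actions": ["*"], "resources": ["*"]}],
    },
]


def pattern_matches(pattern: str, value: str) -> bool:
    """Glob match; a leading '!' inverts the result."""
    if pattern.startswith("!"):
        return not fnmatchcase(value, pattern[1:])
    return fnmatchcase(value, pattern)


def rule_matches(rule: dict, action: str, path: str) -> bool:
    """All action patterns AND all resource patterns of the Rule must match."""
    resource = path.lstrip("/")
    return (all(pattern_matches(p, action) for p in rule["actions"])
            and all(pattern_matches(p, resource) for p in rule["resources"]))


def web_access(policy, user_roles: set, trust: str, action: str, path: str) -> bool:
    """Allow when any Access Group covers the user's Role and Trust Level
    and one of its Rules matches the request; otherwise default deny."""
    for group in policy:
        if not (group["roles"] & user_roles):
            continue
        if TRUST_RANK[trust] < TRUST_RANK[group["min_trust"]]:
            continue
        if any(rule_matches(r, action, path) for r in group["rules"]):
            return True
    return False
```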

Infrastructure Policy Examples

Infrastructure policies define user access to any infrastructure service based on roles and trust levels. This type of policy can be used for any TCP services, such as an SSH service, RDP service, Kubernetes service, or Database service.

Use Case: Limiting SSH access to a bastion host based on user-defined attributes

“As an admin, I have been asked to limit SSH access to a bastion host based on different attributes defined by the Roles created in the Command Center.”

The request is as follows:

  • users with the Role UserRegisteredDevice are allowed to access the server if their devices maintain a Medium or High Trust Level
  • users with the Role TempRole are allowed to access the server if their devices maintain a Medium or High Trust Level
  • users with the Role AdminsCorpDevice are allowed to access the server if their devices maintain a Medium or High Trust Level

Here is a configuration of the Infrastructure Policy that will deliver the above requirements:

(1) Navigate from Secure Access > Policies, and then select + Create Policy.

(2) Select the Infrastructure Policy template.

(3) Under Policy Details, enter the Policy Name and Description.

(4) Select the Role(s) named UsersRegisteredDevice, TempRole, and AdminsCorpDevice for infrastructure access.

(5) Select Medium or High Trust Levels Only as the Trust Level.

(6) Select Create Policy.

Tunnel Policy Examples

Tunnel policies define user access to network locations based on CIDR ranges, ports, and protocols from a Service Tunnel.

Use Case: Limiting access to a file server based on user-defined attributes

“As an admin, I have been asked to limit access to a file server based on different attributes defined by the Roles created in the Command Center.”

The request is as follows:

  • users with an AdminsCorpDevice role and Medium to High Trust Levels are able to access the file server (10.138.0.14) on all protocols and ports 135-139, 445.
  • users with the UserRegisteredDevice role are allowed the same access as above.
  • users with the ContractorsAnyDevice role are allowed the same access as above.
  • All users and devices that fall under these three roles are denied access to the file server on TCP port 3389 (to prevent RDP access).

Here is a configuration of the Tunnel Policy that will deliver the above requirements:

(1) Navigate from Secure Access > Policies, and then select + Create Policy.

(2) Select the Tunnel Policy template.

(3) Under Policy Details, enter the Policy Name and Description.

(4) Configure the Access Group:

(a) Select the Role(s) named UsersRegisteredDevice, TempRole, and AdminsCorpDevice for tunnel access.

(b) Select Medium or High Trust Levels Only as the Trust Level.

(c) Under ‘Only allow the following Protocol(s)’, select ALL.

(d) Under ‘Only allow the following CIDR(s)’, define the respective CIDR(s) for access.

(e) Under the ‘Only allow the following Port(s)’, define 445 and 135-139 (as these are FTP ports).

(f) Select ‘Add exceptions (DENY rules) for Protocols, CIDRs, and Ports’ to configure the Except rules (to deny RDP access to this file server):

(i) Under ‘Except the following Protocol(s)’, select TCP.

(ii) Under ‘Except the following CIDR(s)’, define the respective CIDR(s) for deny.

(iii) Under ‘Except the following Port(s)’, define 3389 (as it is the RDP port).

(5) Select Create Policy.
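The allow clause and the Except (DENY) clause of this Tunnel Policy can be checked against individual flows with the following added Python model (example code written for this page, not the product's own evaluator). It encodes the three Roles named in the request, the file server 10.138.0.14 as a /32, the allowed ports 135-139 and 445, and the TCP/3389 exception; it assumes that a flow must match every part of the allow clause and that a flow matching every part of the Except clause is denied regardless, and the Trust Level labels and ordering are assumed.

```python
from ipaddress import ip_address, ip_network

# Trust Levels in rank order (assumed labels; the page uses Medium and High).
TRUST_RANK = {"Low": 0, "Medium": 1, "High": 2}

# Tunnel Access Group modelled on the page's request: an allow clause plus an
# "Except" (DENY) clause. "ALL" for protocols means any protocol.
TUNNEL_POLICY = {
    "roles": {"AdminsCorpDevice", "UsersRegisteredDevice", "ContractorsAnyDevice"},
    "min_trust": "Medium",
    "allow": {"protocols": "ALL", "cidrs": ["10.138.0.14/32"],
              "ports": ["135-139", "445"]},
    "except": {"protocols": ["TCP"], "cidrs": ["10.138.0.14/32"],
               "ports": ["3389"]},
}


def port_in(port: int, ranges) -> bool:
    """True when port falls inside any 'N' or 'N-M' entry."""
    for entry in ranges:
        lo, _, hi = entry.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def clause_matches(clause: dict, proto: str, dst: str, port: int) -> bool:
    """Protocol, destination address and port must all fall inside the clause."""
    protos = clause["protocols"]
    proto_ok = protos == "ALL" or proto in protos
    cidr_ok = any(ip_address(dst) in ip_network(c) for c in clause["cidrs"])
    return proto_ok and cidr_ok and port_in(port, clause["ports"])


def tunnel_access(policy: dict, user_roles: set, trust: str,
                  proto: str, dst: str, port: int) -> bool:
    """Role and Trust Level gate first; then the Except clause denies,
    and only flows inside the allow clause pass. Default is deny."""
    if not (policy["roles"] & user_roles):
        return False
    if TRUST_RANK[trust] < TRUST_RANK[policy["min_trust"]]:
        return False
    if clause_matches(policy["except"], proto, dst, port):
        return False  # DENY exception (TCP/3389 here) wins over the allow clause
    return clause_matches(policy["allow"], proto, dst, port)
```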
