Rules

The PingAccess policy manager contains controls for adding and managing rules. Use rules to specify who can access your applications and resources, how and when they can do so, and what modifications should be made to the requested content.

The policy manager is an interface in the PingAccess administrative console where you can create rules, rule sets, and rule set groups, and apply them to applications and application resources. Policies are the rules, rule sets, or groups of rule sets applied to a specific application and its resources. Policies define how and when a client can access target sites.

When a client attempts to access an application resource identified in one of the policy’s rules, rule sets, or rule set groups, PingAccess uses the information within the policy to decide whether the client can access the application resource and whether any additional actions need to occur before granting that access.

For information on how to assign rules, rule sets, and rule set groups, see applying rules to applications and resources.

Rule types

Access control rules

Access control rules can restrict access in a number of ways. For example, an access control rule might:

Test user attributes (for more information, see OAuth attribute rules)
Check the time of day the request was made at (for more information, see time range rules
Request Internet Protocol (IP) addresses (for more information, see network range rules)
Test OAuth access token scopes (for more information, see OAuth scope rules)

Ensure that any headers used in access control rules, such as the X-Forwarded-For header that network range rules use, are sanitized and managed exclusively by inline infrastructure that users must be routed through before reaching PingAccess and the protected applications.

Processing rules

Processing rules can perform request processing. For example, a processing rule might:

Modify headers (for more information, see rewrite response header rules)
Rewrite URLs (for more information, see rewrite URL rules)

Processing order

Access control rules are applied before processing rules. For each type of rule, the rules are applied in the order configured in the policy manager. All rules are evaluated after identity mappings are, so that the rules have access to the request header field set by the identity mapping.

If rules for an application and rules for a resource both apply to a request, PingAccess applies the rules in the following order:

Application access control rules
Resource access control rules
Resource processing rules
Application processing rules

Agent deployments

The following rules aren’t available for agent deployments: