---
title: Rules
description: The PingAccess policy manager contains controls for adding and managing rules. Use rules to specify who can access your applications and resources, how and when they can do so, and what modifications should be made to the requested content.
component: pingaccess
version: 9.0
page_id: pingaccess:pingaccess_user_interface_reference_guide:pa_rules
canonical_url: https://docs.pingidentity.com/pingaccess/9.0/pingaccess_user_interface_reference_guide/pa_rules.html
revdate: March 11, 2024
section_ids:
  rule-types: Rule types
  processing-order: Processing order
  agent-deployments: Agent deployments
---

# Rules

The PingAccess policy manager contains controls for adding and managing rules. Use rules to specify who can access your applications and resources, how and when they can do so, and what modifications should be made to the requested content.

The policy manager is an interface in the PingAccess administrative console where you can create rules, [rule sets](pa_rule_sets.html), and [rule set groups](pa_rule_set_groups.html), and apply them to [applications](pa_applications_operations.html) and [application resources](pa_application_resources.html). Policies are the rules, rule sets, or groups of rule sets applied to a specific application and its resources. Policies define how and when a client can access target sites.

When a client attempts to access an application resource identified in one of the policy's rules, rule sets, or rule set groups, PingAccess uses the information within the policy to decide whether the client can access the application resource and whether any additional actions need to occur before granting that access.

For information on how to assign rules, rule sets, and rule set groups, see [applying rules to applications and resources](pa_applying_rules_to_apps_and_resources.html).

## Rule types

* Access control rules

  [Access control rules](pa_access_control_rules.html) can restrict access in a number of ways. For example, an access control rule might:

  * Test user attributes (for more information, see [OAuth attribute rules](pa_adding_oauth_attribute_rules.html))

  * Check the time of day the request was made at (for more information, see [time range rules](pa_adding_time_range_rules.html)

  * Request Internet Protocol (IP) *(tooltip: \<div class="paragraph">
    \<p>The method by which data is sent across the internet from the source host to the destination host.\</p>
    \</div>)* addresses (for more information, see [network range rules](pa_adding_network_range_rules.html))

  * Test OAuth *(tooltip: \<div class="paragraph">
    \<p>A standard framework that enables an application (OAuth client) to obtain access tokens from an OAuth authorization server for the purpose of retrieving protected resources on a resource server.\</p>
    \</div>)* access token scopes (for more information, see [OAuth scope rules](pa_adding_oauth_scope_rules.html))

  |   |                                                                                                                                                                                                                                                                                      |
  | - | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
  |   | Ensure that any headers used in access control rules, such as the `X-Forwarded-For` header that network range rules use, are sanitized and managed exclusively by inline infrastructure that users must be routed through before reaching PingAccess and the protected applications. |

* Processing rules

  [Processing rules](pa_creating_processing_rules.html) can perform request processing. For example, a processing rule might:

  * Modify headers (for more information, see [rewrite response header rules](pa_adding_rewrite_response_header_rules.html))

  * Rewrite URLs (for more information, see [rewrite URL rules](pa_adding_rewrite_url_rules.html))

## Processing order

Access control rules are applied before processing rules. For each type of rule, the rules are applied in the order configured in the policy manager. All rules are evaluated after [identity mappings](pa_identity_mappings.html) are, so that the rules have access to the **request header** field set by the identity mapping.

If rules for an application and rules for a resource both apply to a request, PingAccess applies the rules in the following order:

1. Application access control rules

2. Resource access control rules

3. Resource processing rules

4. Application processing rules

## Agent deployments

The following rules aren't available for agent deployments:

* [Adding PingAuthorize response filtering rules](pa_adding_pingauthz_response_filtering_rules.html)

* [Rewrite content rules](pa_adding_rewrite_content_rules.html)

* [Rewrite cookie domain rules](pa_adding_rewrite_cookie_domain_rules.html)

* [Rewrite cookie path rules](pa_adding_rewrite_cookie_path_rules.html)

* [Rewrite response header rules](pa_adding_rewrite_response_header_rules.html)

* [Rewrite URL rules](pa_adding_rewrite_url_rules.html)