The Policy Manager is an interface where you manage policies by creating rules, building rule sets and rule set groups, and applying them to applications and resources. Policies are rules, sets of rules, or groups of rule sets applied to an application and its resources. Policies define how and when a client can access target sites. When a client attempts to access an application resource identified in one of the policy's rules, rule sets, or rule set groups, PingAccess uses the information contained in the policy to decide whether the client can access the application resource and whether any additional actions need to take place prior to granting access.

Access control rules can restrict access in a number of ways, such as testing user attributes, the time of day, the IP address of the request, or OAuth access token scopes.

Tip:

Ensure that any headers used in access control rules, such as X-Forwarded-For, which is used by network range rules, are sanitized and managed exclusively by inline infrastructure that users must be routed through before reaching PingAccess and the protected applications.
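To illustrate why the tip matters for network range rules, the following added example (not PingAccess code or configuration) contrasts leftmost-entry parsing of X-Forwarded-For with a check that only honors hops appended by the inline tier. The proxy network, the allowed range, and all function names are assumptions made for the illustration.

```python
import ipaddress

# Constructed values: the inline proxy tier and the range a network range rule allows.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]
ALLOWED_RANGE = ipaddress.ip_network("192.0.2.0/24")

def _is_trusted(addr):
    return any(addr in net for net in TRUSTED_PROXIES)

def client_ip(peer, xff_header):
    """Return the address a range check should test, or None if it cannot be determined."""
    peer_ip = ipaddress.ip_address(peer)
    if not _is_trusted(peer_ip):
        # The request did not come through the inline tier, so the header is client-controlled.
        return peer_ip
    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    # Walk right to left: the rightmost entries were appended by the trusted proxies.
    for hop in reversed(hops):
        try:
            ip = ipaddress.ip_address(hop)
        except ValueError:
            return None  # malformed entry: treat the client address as unknown
        if not _is_trusted(ip):
            return ip
    return peer_ip

def naive_client_ip(peer, xff_header):
    """Leftmost-entry parsing, which accepts whatever value the client supplied."""
    if xff_header:
        return ipaddress.ip_address(xff_header.split(",")[0].strip())
    return ipaddress.ip_address(peer)

def in_allowed_range(ip):
    # An unknown address (None) never matches the allowed range.
    return ip is not None and ip in ALLOWED_RANGE
```

With the constructed header `192.0.2.10, 203.0.113.7` arriving from proxy `10.0.0.5`, the naive parser tests the client-supplied first entry, while `client_ip` tests the address the proxy actually observed.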

Processing rules can perform request processing such as modifying headers or rewriting URLs.

Note:

Processing rules cannot be used with agents.

Access control rules are applied before processing rules. For each type of rule, the rules are applied in the order configured in the user interface. All rules are evaluated after identity mappings, so rules have access to the request header field set by the identity mapping.

If rules for an application and rules for a resource both apply to a request, the following order is used:

  1. Application access control rules
  2. Resource access control rules
  3. Resource processing rules
  4. Application processing rules