Rules are used to control the circumstances under which users can access the protected API. Rules can grant or deny access based on criteria such as user parameters from the token provider, header values, network ranges, or web session attributes. You can configure any number of rules in your environment.
You can combine multiple rules into rule sets. You can configure a rule set to allow access to a resource if at least one rule's criteria are met, or to allow access only if all rules have their criteria met. Access control rules are processed before processing rules. Each type of rule is otherwise processed in the order you specify when you create the rule set.
You can further combine rule sets into rule set groups, which combine multiple rule sets. As with rule sets, rule set groups can allow access if any one rule set's criteria are met, or only if all rule sets' criteria are met. Rule sets are processed in the order you specify when you create the rule set group.
This example uses an
- Click Access and then go to .
- Click + Add Rule.
- In the Name field, enter a unique name. The name can be up to 64 characters long. Special characters and spaces are allowed.
- From the Type menu, select HTTP Request Header.
- In the Field column, in the Header field, enter the HTTP header name you want to match in order to grant or not grant the client access. An HTTP header is a section of an HTTP request or response that conveys additional information relevant to the client or server in the transaction.
- In the Value field, enter the values for the header you want to match in order to grant or not grant the client access. The wildcard (*) character is supported.
  Tip: If you want to match on the Host header, include both the host and port in the Value field, or add a wildcard after the host name (host:*) to match what is in the HTTP request.
- If you need additional header pairs, click Add Row to add an additional row, then repeat steps 5-6.
- Click Save.
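The following added example (not the product's code) models how a header rule with `*` wildcards behaves, including the Host header case from the tip and the any/all rule set modes. It assumes that every header row in a rule must match, that header names compare case-insensitively, and that `*` matches any run of characters; the function names and the sample request are hypothetical.

```python
import re

def wildcard_match(pattern, value):
    """Match the whole value against a pattern in which '*' matches any run of characters."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None

def header_rule(rows):
    """Build a rule from (header name, value pattern) rows.
    Assumption: every row must match for the rule to pass."""
    def rule(headers):
        # HTTP header names are case-insensitive, so normalise before lookup.
        lowered = {name.lower(): value for name, value in headers.items()}
        return all(
            name.lower() in lowered and wildcard_match(pattern, lowered[name.lower()])
            for name, pattern in rows
        )
    return rule

def rule_set(rules, mode):
    """Combine rules: 'any' passes if one rule passes, 'all' only if every rule passes."""
    combine = any if mode == "any" else all
    return lambda headers: combine(rule(headers) for rule in rules)

# Constructed sample request: the client sent the port in the Host header.
REQUEST = {"Host": "api.example.com:8443", "X-Client-Tier": "internal-batch"}

host_only = header_rule([("Host", "api.example.com")])       # misses: port not covered
host_wild = header_rule([("Host", "api.example.com:*")])     # matches any port
host_port = header_rule([("Host", "api.example.com:8443")])  # matches this port only
tier = header_rule([("X-Client-Tier", "internal-*")])

if __name__ == "__main__":
    for label, rule in [("host only", host_only), ("host:*", host_wild), ("host:port", host_port)]:
        print(f"{label:10} -> {'match' if rule(REQUEST) else 'no match'}")
    print("any:", rule_set([host_only, tier], "any")(REQUEST))
    print("all:", rule_set([host_only, tier], "all")(REQUEST))
```

In this model, a pattern written without the colon, such as `api.example.com*`, also matches `api.example.com.example.net`, so keep the `:` before the wildcard when matching on Host. Header values are supplied by the client, so a header rule is best combined in an "all" rule set with a rule based on token or network criteria.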