Create Login Restriction Policy entries

The following topics provide the instructions for creating and editing Login Restriction Policies. The instructions for adding, editing, enabling, disabling, and deleting policy rules are also provided.

Creating a Login Restriction Policy

Use the following instructions to create a Login Restriction Policy:

  1. Click New Login Restriction Policy on the Login Restriction Policies for End Users page.
    The New Login Restriction Policy entry page is displayed.
  2. Enter a Policy Name.
  3. Select a Policy Type.
    • If the selected Login Restriction Policy Type is ALLOW_THEN_DENY, then login access is denied by default unless some ALLOW rule matches and no DENY rule matches.
    • If the selected Login Restriction Policy Type is DENY_THEN_ALLOW, then login access is allowed by default unless some DENY rule matches and no ALLOW rule matches.
  4. (Optional) Assign Business Units to the Login Restriction Policy.
  5. (Optional) Enter a Policy Description.
  6. Add Policy Rules to the Login Restriction Policy.
    For instructions on adding Policy Rules to the Login Restriction Policy, refer to Adding a policy rule.
    Note: Policy Rules are enabled by default.
  7. Click Save Policy.

Editing a Login Restriction Policy

Use the following instructions to edit an existing Login Restriction Policy:

  1. Click on the Policy Name to edit the selected Login Restriction Policy on the Login Restriction Policies for End Users page.
    The Edit Login Restriction Policy entry page will be displayed.
  2. Make the desired edits to the selected Login Restriction Policy.
    For additional information, refer to Creating a Login Restriction Policy.
  3. Click Save Policy.

Adding a policy rule

Use the following instructions to add a policy rule to a Login Restriction Policy:

  1. Click New Rule.
    The New Rule fields open on the List of Rules pane.
  2. Enter a policy rule Name.
  3. Select a policy rule Type.
    • If Allow is selected, the policy rule is set to Allow the Client Address.
    • If Deny is selected, the policy rule is set to Deny the Client Address.
  4. Enter a Client Address for the policy rule. Valid client address types are:
    • Allow All: Use asterisk (*) to allow all client addresses.
    • IPv4 address: Use an exact IPv4 address to specify a single host.
      Examples: 172.23.34.45; 127.0.0.1
    • IPv6 address: Use an exact IPv6 address to specify a single host (two colons (::) can represent one sequence of zero bits).
      Examples: FC00:1234:56:0:0:0:AB:EF; FC00:1234:56::AB:EF; ::1
    • IPv4 CIDR: Classless Inter-Domain Routing (CIDR) notation specifies an IPv4 address and a number of significant bits separated by a slash (/). Use CIDR notation to represent a range of IP addresses.
      Example: 172.23.34.0/24 represents 172.23.34.0 through 172.23.34.255
    • IPv6 CIDR: Classless Inter-Domain Routing (CIDR) notation specifies an IPv6 address and a number of significant bits separated by a slash (/). Use CIDR notation to represent a range of IP addresses.
      Example: FC00:1234:56::/120 represents FC00:1234:56:: through FC00:1234:56::FF
    • Specific host name: Use a literal host name to represent a single host where host names are valid. The host name must resolve to a valid IPv4 or IPv6 address.
      Example: appserver.example.com
    • Wild-carded host name using the character * as wildcard: Use a host name pattern that uses asterisk (*) to represent one or more characters. The pattern specifies any host whose name matches.
      Examples: *.example.com; example.*
  5. (Optional) Enter an Expression for the policy rule.
    Specify an expression using SecureTransport expression language. Use the following named variable sets:
    • ${sess['variable']}
    • ${env['variable']}, ${stenv['variable']}, or ${stenv.variable}
    If an expression is specified, the rule is considered to match only if both the client address matches and the expression evaluates to true.
    If no expression is specified, it is not taken into account and only the client address is considered.
    Example: ${stenv.loginname == 'user1'}

    You can create a rule that limits the possible concurrent open sessions by a user. To do this, you must use the currentSessions variable and evaluate it against the threshold value you set in your rule.
    Example: ${currentSessions <= 3} - this example puts a session limit of up to 3 current sessions per user

    Note: To restrict user logins to a specific Edge server or a network zone, we can use two variables:
    • The DXAGENT_CLIENTADDR variable effectively represents an Edge server hostname (or an IP address depending on the network setup) and is always present when connecting through an Edge server. It can be used in LRP expressions as ${stenv.clientaddr} or ${sess.clientaddr}.
    • When connecting through an Edge server, the value of the DXAGENT_EDGEID variable is taken from the configuration option EdgeId. This configuration option is defined by a SecureTransport administrator and is valid for FTP and HTTP daemons only. It can be used in LRP expressions as ${stenv.edgeid} or ${sess.edgeid}.
    When a user logs in through the Private zone (that is, through Backend protocol daemons), these variables are not available in the environment, and in this case the only valid expression is ${empty sess.clientaddr} or ${empty sess.edgeid}.

    You may use custom HTTP headers in LRP expressions, where the name of the HTTP header must be capitalized and all dashes must be replaced by underscores.
    For example: ${env['DXAGENT_HTTP_X_FORWARDED_FOR'] == '10.10.10.10'}
  6. (Optional) Enter a Description for the policy rule.
  7. Click the Save icon.
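
The following Python model is an added example, not SecureTransport's own code: it applies the ALLOW_THEN_DENY and DENY_THEN_ALLOW semantics from Creating a Login Restriction Policy to the Client Address forms listed above, so a rule set can be checked against test clients before it is saved. The function names, the rule dictionaries, skipping disabled rules, passing an already-resolved `client_host`, and using a Python callable in place of a `${...}` expression are all assumptions.

```python
import ipaddress
import re

def address_matches(pattern, client_ip, client_host=None):
    """Match one rule's Client Address field against the connecting client."""
    if pattern == "*":  # Allow All
        return True
    ip = ipaddress.ip_address(client_ip)
    try:
        # An exact IPv4/IPv6 address parses as a /32 or /128 network.
        return ip in ipaddress.ip_network(pattern, strict=False)
    except ValueError:
        pass  # not an address or CIDR, so treat the pattern as a host name
    if client_host is None:  # assumption: caller supplies the resolved name
        return False
    # '*' stands for one or more characters, as the page describes.
    rx = ".+".join(re.escape(part) for part in pattern.lower().split("*"))
    return re.fullmatch(rx, client_host.lower()) is not None

def rule_matches(rule, client_ip, client_host, env):
    if not rule.get("enabled", True):  # assumption: disabled rules are skipped
        return False
    if not address_matches(rule["address"], client_ip, client_host):
        return False
    expr = rule.get("expr")  # Python callable standing in for a ${...} expression
    return True if expr is None else bool(expr(env))

def login_allowed(policy_type, rules, client_ip, client_host=None, env=None):
    hits = {r["type"] for r in rules
            if rule_matches(r, client_ip, client_host, env or {})}
    allow, deny = "Allow" in hits, "Deny" in hits
    if policy_type == "ALLOW_THEN_DENY":  # denied by default
        return allow and not deny
    if policy_type == "DENY_THEN_ALLOW":  # allowed by default
        return not (deny and not allow)
    raise ValueError(f"unknown policy type: {policy_type}")

# Constructed sample rules (not taken from a real deployment).
RULES = [
    {"type": "Allow", "address": "172.23.34.0/24"},
    {"type": "Deny", "address": "172.23.34.45"},
    {"type": "Allow", "address": "*.example.com",
     "expr": lambda env: env.get("currentSessions", 0) <= 3},
]

if __name__ == "__main__":
    for policy in ("ALLOW_THEN_DENY", "DENY_THEN_ALLOW"):
        for ip in ("172.23.34.10", "172.23.34.45", "10.0.0.1"):
            print(policy, ip, login_allowed(policy, RULES, ip))
```

With these overlapping rules, ALLOW_THEN_DENY rejects 172.23.34.45, while DENY_THEN_ALLOW admits it because an ALLOW rule also matches, and it also admits any client that matches no rule at all.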

Editing a policy rule

Use the following instructions to edit a policy rule:

  1. Click the Edit icon for the policy rule.
  2. Make the desired changes to the policy rule. For additional information, refer to Adding a policy rule.
  3. Click the Save icon.

Enabling a policy rule

Use the following instructions to enable a policy rule or rules:

  1. Select the policy rule or rules to enable using the Policy Rule check boxes.
  2. Click Enable.

Disabling a policy rule

Use the following instructions to disable a policy rule or rules:

  1. Select the policy rule or rules to disable using the Policy Rule check boxes.
  2. Click Disable.

Deleting a policy rule

Use the following instructions to delete a policy rule or rules:

  1. Select the policy rule or rules to delete using the Policy Rule check boxes.
  2. Click Delete.
  3. Confirm the policy rule or rules deletion.
