Using rules to assign policies

This page includes:

• Using rules to assign policies
  • About using rules to assign policies
  • Adding a new policy assignment rule
  • Setting the rule order

About using rules to assign policies

You assign a policy to endpoint users, and the configuration of the policy then defines the behavior of the extension for those users. You assign a policy to new endpoint users when they are created, and you can manually change the policy that is assigned to existing users. For details, see Managing Endpoint Users. You can also use policy assignment rules to automatically assign policies to existing users. For example, you could create:

• a rule that assigns the "USA policy" to all users that have "USA" as their Location attribute

• another rule that assigns the "Europe policy" to all users that have "England" as their Location attribute

• a third rule that assigns the "Europe policy" to all users that have "France" as their Location attribute

• a default rule that assigns the "Asia policy" to all users that do not have "USA", "England", or "France" as their Location attribute

  

The policy assignment rules use conditions based on user attributes. In the example above, Location is a user attribute. The user attributes are derived from mappings to attributes in the integrated external identity provider. For details on how to configure the attribute mappings, see Mapping User Attributes.

Note Policy assignment rules are applied each time a user signs-in to the extension. If there are multiple assignment rules, then the order of the rules is significant. When a user signs-in to the Browser Extension, the first rule that is matched is applied to the user. See Setting the rule order. In the Users > Users page, you can see which rule was used to apply a policy to a user. For details, see User SAML attributes and assigned policies. Policy assignment rules assign rules only to an IdP user A user whose credentials are maintained in an external identity provider - not in Advanced Browser Security., not to a local Perception Point user A user whose credentials are maintained in Advanced Browser Security - not in an external identity provider.. You can manually override the policy that has been assigned to a user by the policy assignment rules. For details, see Managing Endpoint Users.

Adding a new policy assignment rule

When you add a new policy assignment rule, you specify:

• The condition that must be met in order for the rule to apply

• The action to perform when the condition is met

  

Note You can specify only a single attribute in the rule condition. Make sure to specify the policy that is set by the default rule. The default rule is applied if none of the other assignment rules are matched. The Default assignment rule is always the last rule listed - it cannot be reordered. You cannot delete or rename the Default assignment rule. If there are multiple assignment rules, then the order of the rules is significant. When a user signs-in to the Browser Extension, the first rule that is matched is applied to the user. See Setting the rule order.

To add a new policy assignment rule:

1. Open the Policies > Assignment rules page, and click Add new rule.

2. Enter a name for the new policy assignment rule.

3. Use the available controls to define the condition for the new rule.

   

4. Use the available controls to define the action for the new rule.

   

5. [Optional] Specify a note for the new rule. This lets you describe the rule in any way that is useful.

6. Click Add. The new policy appears in the list of policies.

7. [Optional] If required, you can reorder the assignment rules by using the drag-and-drop controls on the left of the rules grid.

   

8. Click Save.

Setting the rule order

If there are multiple assignment rules, then the order of the rules is significant. When a user signs-in to the Browser Extension, the first rule that is matched is applied to the user.

• Consider the scenario above where we added three rules that assign policies based on the location of the user. Let's add a 4th rule. According to this new rule, if the user has the Role of Manager, then we assign the user the Manager policy. If we leave this rule as the 4th rule in the list, then if a user has location "USA", "England", or "France", then the user will be assigned the location-based policy - not the Manager policy. If we want the user to be assigned the Manager policy - irrespective of where the user is located - then we must move the new Role rule to the top of the list of rules.

See also: 

• Managing Advanced Browser Security