Deny access based on a set of conditions
A common policy scenario is to deny access based on a set of conditions.
Use the steps in this scenario task to create a policy that denies access if any of the following conditions are true.
- The calculated risk score is higher than a value of 40.
- The reputation of the ipAddress in the request is considered malware.
Steps
- Log in to the local management interface.
- Click AAC.
- Under Policy, click Access Control.
- In the center panel, click .
- Enter a name for the policy.
- In the Rules section, set the Precedence property to Deny. As a result, access is denied if any rule returns deny.
- Click Add Rule.
- Select riskScore from the attribute list.
- Select > as the operator.
- Type 40 as the value.
- In the Decision list, select Deny.
- Click OK to complete the rule.
- Click Add Rule to add another rule.
- Select ipReputation from the attribute list.
- Select has member as the operator.
- Type Malware as the value.
- In the Decision list, select Deny.
- Click OK to complete the rule.
- Click the arrow next to Add Rule.
- Click Unconditional rule.
- In the Decision list, select Permit. The unconditional Permit rule causes the policy to permit access if none of the deny access rules evaluate to true.
- Click OK.
This scenario uses the following settings in the policy editor.
- Precedence: Deny
- Attributes: Optional
- Rule 1: If riskScore > 40 Then Deny
- Rule 2: If ipReputation has member Malware Then Deny
- Rule 3: Permit
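The following Python sketch is an added example, not product code. It models how the three rules combine under Deny precedence, so the boundary cases (a riskScore of exactly 40, a multi-valued ipReputation, a policy without the unconditional rule) can be checked before the policy is relied on. The Rule class, the evaluate_deny_precedence function, the sample requests, and the handling of absent attributes are assumptions made for the illustration.

```python
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class Rule:
    decision: str                                   # "Deny" or "Permit"
    attribute: Optional[str] = None                 # None means unconditional rule
    test: Optional[Callable[[object], bool]] = None

    def applies(self, request: dict) -> bool:
        if self.attribute is None:
            return True
        # Assumption: with Attributes set to Optional, a rule whose attribute
        # is absent from the request does not match.
        if self.attribute not in request:
            return False
        return self.test(request[self.attribute])


def evaluate_deny_precedence(rules, request):
    """Return "Deny" if any matching rule denies, else "Permit" if any
    matching rule permits, else None (no rule produced a decision)."""
    decisions = [r.decision for r in rules if r.applies(request)]
    if "Deny" in decisions:
        return "Deny"
    if "Permit" in decisions:
        return "Permit"
    return None


# The three rules from the scenario settings.
POLICY = [
    Rule("Deny", "riskScore", lambda score: score > 40),
    Rule("Deny", "ipReputation", lambda cats: "Malware" in cats),
    Rule("Permit"),  # unconditional rule
]

# Constructed sample requests; "Spam" is a made-up second category value.
SAMPLES = {
    "low risk, clean address": {"riskScore": 10, "ipReputation": []},
    "score exactly 40": {"riskScore": 40, "ipReputation": []},
    "score 41": {"riskScore": 41, "ipReputation": []},
    "malware among categories": {"riskScore": 5, "ipReputation": ["Spam", "Malware"]},
}

if __name__ == "__main__":
    for label, request in SAMPLES.items():
        print(f"{label}: {evaluate_deny_precedence(POLICY, request)}")
    # Without the unconditional Permit, a clean request gets no decision.
    print("no rule 3:", evaluate_deny_precedence(POLICY[:2], SAMPLES["low risk, clean address"]))
```

Because the operator is >, a riskScore of exactly 40 is permitted; only 41 and above is denied by Rule 1.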