Access policy examples
The following are examples of access policies based on groups or IP addresses.
Simple group policy
This policy approves access to applications if the user is a member of both the managers and hr-managers groups.
All other users must perform MFA.
Type | Operation | Condition | Action |
---|---|---|---|
Group membership | is one of | managers, hr-managers | Allow |
Default | | | MFA always |
Simple IP policy
This policy approves access to applications if the user’s IP address is within the corporate network. If the user is not coming from a block-listed suspicious IP address range, they need to perform MFA. All other users (that is, from suspicious IP addresses) are blocked.
Type | Operation | Condition | Action |
---|---|---|---|
Network location (IP) | is one of | 1.0.0.0/8 | Allow |
Network location (IP) | is none of | 1.2.3.4 - 1.2.3.255 | MFA always |
Default | | | Block |
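The Simple IP policy rules evaluated over sample client addresses, as an added example that is not part of the original documentation. It assumes rules are tried top to bottom with the first match deciding (the page does not state the evaluation order); the function names and sample addresses are constructed for illustration.

```python
import ipaddress

# Values transcribed from the "Simple IP policy" table.
CORPORATE = ipaddress.ip_network("1.0.0.0/8")
SUSPICIOUS_FIRST = ipaddress.ip_address("1.2.3.4")
SUSPICIOUS_LAST = ipaddress.ip_address("1.2.3.255")


def in_corporate(ip):
    # Membership test is False for an address of a different IP version.
    return ip in CORPORATE


def in_suspicious(ip):
    # The block-listed range is not a single CIDR, so compare the endpoints.
    return ip.version == 4 and SUSPICIOUS_FIRST <= ip <= SUSPICIOUS_LAST


# Assumption: rules are tried top to bottom and the first match decides.
RULES = [
    ("is one of 1.0.0.0/8", in_corporate, "Allow"),
    ("is none of 1.2.3.4 - 1.2.3.255",
     lambda ip: not in_suspicious(ip), "MFA always"),
]
DEFAULT_ACTION = "Block"


def evaluate(address):
    """Return (action, matched rule label) for a client IP address string."""
    ip = ipaddress.ip_address(address)
    for label, predicate, action in RULES:
        if predicate(ip):
            return action, label
    return DEFAULT_ACTION, "Default"


def shadowed_addresses():
    """Count block-listed addresses that the first rule already allows."""
    count = 0
    for net in ipaddress.summarize_address_range(SUSPICIOUS_FIRST,
                                                 SUSPICIOUS_LAST):
        if net.subnet_of(CORPORATE):
            count += net.num_addresses
    return count
```

Under that assumption, `evaluate("1.2.3.10")` returns Allow because 1.2.3.4 - 1.2.3.255 lies inside 1.0.0.0/8, so the Default rule is never reached with these sample values. Running an overlap check like `shadowed_addresses()` on a real rule set before deployment catches this kind of ordering problem.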
Advanced geo-location and group policy
This policy prompts all users for MFA on first access or when the user’s location is changed.
After the user has verified the location, the second rule approves access to applications if the user is a member of both the managers and hr-managers groups. Note: If managers change their location, they must perform another MFA.
All other users are denied access to the app.
Type | Operation | Condition | Action |
---|---|---|---|
Geo location | not verified | | MFA always |
Group membership | contains each of | managers, hr-managers | Allow |
Default | | | Block |