
What Are Access Rules?

Access rules determine who can authenticate through a policy based on their group membership. Even if a user's credentials are valid, access rules can deny them if they're not in an allowed group.

Rules are evaluated in order, and the first matching rule determines the outcome.

Rule Types

Allow

Users in this group can authenticate. Processing stops at the first match.

Deny

Users in this group are rejected, even if other rules would allow them.

Rule Evaluation

Rules are processed top to bottom. The first rule that matches determines the outcome. If no rules match, the default action (configurable) is applied.

1. Check the first rule. Does it match? If so, apply its action and stop.
2. Check the next rule. Does it match? If so, apply its action and stop.
... Continue until a rule matches or all rules are exhausted.
* Default action: applied if no rule matched.

Order matters: Put more specific rules (like Deny for a specific group) before broader Allow rules. Otherwise the broad Allow might match first.

Logic Operators

You can combine groups with logical operators for complex rules:

AND: the user must be in ALL of the specified groups.
  Example: IT_Staff AND VPN_Users
OR: the user must be in ANY of the specified groups.
  Example: Employees OR Contractors
NOT: the user must NOT be in the specified group.
  Example: NOT Disabled_Users

Complex Example

"Allow users who are in IT_Staff AND VPN_Users but NOT in Suspended"

(IT_Staff AND VPN_Users) AND NOT Suspended

Common Patterns

Allow Specific Department

Allow Engineering

Default: Deny

Only Engineering team members can authenticate.

Allow Multiple Groups

Allow Engineering OR Sales OR Marketing

Default: Deny

Allow any of these three departments.

Deny Specific Group, Allow Others

Deny Contractors
Allow All_Employees

Default: Deny

Employees can access, but contractors are blocked.

Require Multiple Conditions

Allow IT_Staff AND MFA_Enrolled

Default: Deny

Only IT staff who have enrolled in MFA.

Tiered Access

Deny Suspended
Allow Admins
Allow Power_Users

Default: Deny

Block suspended users, allow admins and power users.
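The following is an added example, not the product's own rule engine: a small Python model of the evaluation order and logic operators described above. It assumes the textual rule syntax used on this page ("Allow <expression>", "Deny <expression>", "Default: Deny") and the precedence NOT before AND before OR, with parentheses for grouping; the sample policies and group names are constructed for illustration. The decision comes back with the rule that matched, which is the same information you would look up to explain an unexpected allow or deny.

```python
"""Model of ordered access rules with AND / OR / NOT conditions (hypothetical example)."""
import re
from dataclasses import dataclass

KEYWORDS = {"AND", "OR", "NOT"}
IDENT_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def tokenize(expr):
    """Split an expression into '(', ')', keywords and group names."""
    tokens, pos = [], 0
    while pos < len(expr):
        if expr[pos].isspace():
            pos += 1
        elif expr[pos] in "()":
            tokens.append(expr[pos])
            pos += 1
        else:
            m = IDENT_RE.match(expr, pos)
            if not m:
                raise ValueError(f"unexpected character at {expr[pos:]!r}")
            tokens.append(m.group(0))
            pos = m.end()
    return tokens


class Parser:
    """Recursive-descent parser: OR is lowest precedence, then AND, then NOT."""

    def __init__(self, tokens):
        self.toks, self.i = tokens, 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self):
        tok = self.peek()
        self.i += 1
        return tok

    def parse(self):
        node = self.parse_or()
        if self.peek() is not None:
            raise ValueError(f"unexpected token {self.peek()!r}")
        return node

    def parse_or(self):
        node = self.parse_and()
        while self.peek() == "OR":
            self.take()
            node = ("or", node, self.parse_and())
        return node

    def parse_and(self):
        node = self.parse_not()
        while self.peek() == "AND":
            self.take()
            node = ("and", node, self.parse_not())
        return node

    def parse_not(self):
        if self.peek() == "NOT":
            self.take()
            return ("not", self.parse_not())
        return self.parse_atom()

    def parse_atom(self):
        tok = self.take()
        if tok == "(":
            node = self.parse_or()
            if self.take() != ")":
                raise ValueError("missing closing parenthesis")
            return node
        if tok is None or tok in KEYWORDS or tok == ")":
            raise ValueError(f"expected a group name, got {tok!r}")
        return ("group", tok)


def evaluate(node, groups):
    """Evaluate a parsed condition against the set of groups a user belongs to."""
    kind = node[0]
    if kind == "group":
        return node[1] in groups
    if kind == "not":
        return not evaluate(node[1], groups)
    if kind == "and":
        return evaluate(node[1], groups) and evaluate(node[2], groups)
    return evaluate(node[1], groups) or evaluate(node[2], groups)


@dataclass
class Rule:
    action: str       # "Allow" or "Deny"
    condition: str    # original text, kept for the trace
    tree: tuple


def parse_policy(text):
    """Parse rule lines in the page's syntax; returns (ordered rules, default action)."""
    rules, default = [], "Deny"
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("Default:"):
            default = line.split(":", 1)[1].strip()
            continue
        action, _, condition = line.partition(" ")
        if action not in ("Allow", "Deny") or not condition:
            raise ValueError(f"unrecognised rule line: {line!r}")
        rules.append(Rule(action, condition, Parser(tokenize(condition)).parse()))
    return rules, default


def decide(policy_text, user_groups):
    """First matching rule wins; returns (action, reason) so the outcome can be traced."""
    rules, default = parse_policy(policy_text)
    groups = set(user_groups)
    for index, rule in enumerate(rules, start=1):
        if evaluate(rule.tree, groups):
            return rule.action, f"rule {index}: {rule.action} {rule.condition}"
    return default, "default action (no rule matched)"


# Constructed sample policies mirroring the patterns above.
TIERED = "Deny Suspended\nAllow Admins\nAllow Power_Users\nDefault: Deny"
DENY_FIRST = "Deny Contractors\nAllow All_Employees\nDefault: Deny"
ALLOW_FIRST = "Allow All_Employees\nDeny Contractors\nDefault: Deny"   # wrong order

if __name__ == "__main__":
    for policy, groups in [(TIERED, {"Admins", "Suspended"}), (TIERED, {"Sales"}),
                           (DENY_FIRST, {"All_Employees", "Contractors"}),
                           (ALLOW_FIRST, {"All_Employees", "Contractors"})]:
        print(sorted(groups), "->", decide(policy, groups))
```

Running the script shows why rule order matters: with DENY_FIRST a contractor who is also in All_Employees is rejected by rule 1, while ALLOW_FIRST lets the same user through because the broad Allow matches before the Deny is ever reached. The `reason` string is the first thing to check when a user is denied but should be allowed, or vice versa.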

Default Action

The default action is applied when no rules match. Choose based on your security posture:

Default: Deny (Recommended)

Only explicitly allowed users can authenticate. This is more secure: if you forget to add a group, its members are denied rather than accidentally allowed.

Default: Allow

Anyone with valid credentials can authenticate unless specifically denied. Use only when you want broad access with specific exclusions.

Troubleshooting

User denied but should be allowed

  • Check rule order - a Deny rule might be matching before Allow
  • Verify the user is actually in the expected group
  • Check if default action is Deny and no rules matched
  • Look at NAC Tracer for the exact rule that matched

User allowed but should be denied

  • Check if default action is Allow
  • A broad Allow rule might be matching before the Deny
  • Verify the user's group membership is current

AND logic not working

  • User must be in ALL groups for AND to match
  • Check that group names are spelled correctly
  • Verify user is a member of every group in the AND condition

What's Next?